
Free and Premium Fortinet FCP_FAZ_AN-7.6 Dumps Questions Answers

Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Questions and Answers

Question 1

As part of your analysis, you discover that an incident is a false positive.

You change the incident status to Closed: False Positive.

Which statement about your update is true?

Options:

A.

The audit history log will be updated.

B.

The corresponding event will be marked as mitigated.

C.

The incident will be deleted.

D.

The incident number will be changed.

Question 2

How does FortiAnalyzer block indicators? (Choose one answer.)

Options:

A.

It uses an automation script to update FortiGate with the block list.

B.

It uses a FortiManager connector to send the block list.

C.

It uses a FortiClient EMS connector to send the block list.

D.

It uses a webhook to allow FortiGate to send the block list.

Question 3

You must find a specific security event log in the FortiAnalyzer logs displayed in FortiView, but, so far, you have been unsuccessful.

Which two tasks should you perform to investigate why you are having this issue? (Choose two.)

Options:

A.

Open .gz log files in FortiView.

B.

Rebuild the SQL database and check FortiView.

C.

Review the ADOM data policy.

D.

Check logs in Log Browse.

Question 4

You discover that a few reports are taking a long time to generate. Which two steps can you take to troubleshoot? (Choose two.)

Options:

A.

Remove old reports from the hcache

B.

Enable auto-cache and run the reports again

C.

Increase the ADOM reports quota

D.

Review report diagnostics

Question 5

What happens when the indicator of compromise (IOC) engine on FortiAnalyzer finds web logs that match blacklisted IP addresses?

Options:

A.

FortiAnalyzer flags the associated host for further analysis.

B.

A new infected entry is added for the corresponding endpoint under Compromised Hosts.

C.

The detection engine classifies those logs as Suspicious.

D.

The endpoint is marked as Compromised and, optionally, can be put in quarantine.

Question 6

After generating a report, you notice the information you were expecting to see is not included in it. However, you confirm that the logs are there.

Which two actions should you perform? (Choose two.)

Options:

A.

Check the time frame covered by the report.

B.

Disable auto-cache.

C.

Increase the report utilization quota.

D.

Test the dataset.

Question 7

You need to move reports between two ADOMs.

Which two statements are true? (Choose two.)

Options:

A.

The ADOMs must be compatible types.

B.

The date and time will be appended to the original report name to avoid conflicts.

C.

All charts and datasets associated with the report will be imported together.

D.

You need to convert the reports into templates first.

Question 8

Exhibit.

Based on the partial outputs displayed, which devices can be members of a FortiAnalyzer Fabric?

Options:

A.

FortiAnalyzer1 and FortiAnalyzer3

B.

FortiAnalyzer1 and FortiAnalyzer2

C.

FortiAnalyzer2 and FortiAnalyzer3

D.

All devices listed can be members.

Question 9

Refer to the exhibit.

Which two observations can you make after reviewing this log entry? (Choose two.)

Options:

A.

This is a normalized log.

B.

This is a formatted view of the log.

C.

This is the original log that FortiAnalyzer received from FortiGate.

D.

This log is in a raw log format.

Question 10

Exhibit.

What does the data point at 12:20 indicate?

Options:

A.

The log insert lag time is increasing.

B.

FortiAnalyzer is using its cache to avoid dropping logs.

C.

The performance of FortiAnalyzer is below the baseline.

D.

The sqlplugind service is caught up with the logs.

Question 11

Which statement about sending notifications with incident updates is true?

Options:

A.

Each connector used can have different notification settings.

B.

Each incident can send notification to a single external platform.

C.

You must configure an output profile to send notifications by email.

D.

Notifications can be sent only when an incident is created or deleted.

Question 12

What is the purpose of using data selectors when configuring event handlers?

Options:

A.

They filter the types of logs that FortiAnalyzer can accept from registered devices.

B.

They download new filters that can be used in event handlers.

C.

They apply their filter criteria to the entire event handler so that you don’t have to configure the same criteria in the individual rules.

D.

They are common filters that can be applied simultaneously to all event handlers.

Question 13

Which two parameters does FortiAnalyzer use to identify an indicator of compromise (IOC)? (Choose two.)

Options:

A.

IP address

B.

URL

C.

Policy ID

D.

Application category
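As an added illustration for Questions 5, 9 and 13 (this is example code written for this page, not FortiAnalyzer's own code and not part of the question set), the Python below shows the difference between a raw FortiGate log line (space-separated key=value pairs, quoted where the value contains spaces) and its normalized field view, and then runs a simple IOC match on the two parameters the questions name, IP address and URL, over constructed sample logs. The log lines, the IOC entries, the host 10.1.10.x addresses and the function names are all assumptions made for the example; the verdict FortiAnalyzer itself assigns to a match (for instance the Compromised Hosts entry) is the subject of Question 5 and is not reproduced here.

```python
"""Raw FortiGate log lines -> normalized fields -> IOC match on IP and URL.

Illustrative example only; not FortiAnalyzer code. Sample logs and IOC
entries are constructed for this example (RFC 5737 documentation ranges).
"""
import re

# FortiGate raw logs are key=value pairs separated by spaces. Values that
# contain spaces are double-quoted; a quoted value may contain escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_log(line):
    """Return the normalized (formatted) view of one raw log line as a dict."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')  # strip quotes, unescape
        fields[key] = value
    return fields


# Constructed sample logs (assumption: not captured from a real device).
RAW_LOGS = [
    'date=2025-03-10 time=12:20:01 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.1.10.25 srcport=51234 '
    'dstip=203.0.113.77 dstport=443 action="accept" service="HTTPS" policyid=7 '
    'sentbyte=1820 rcvdbyte=44210',
    'date=2025-03-10 time=12:20:03 logid="0317013312" type="utm" '
    'subtype="webfilter" level="warning" vd="root" srcip=10.1.10.40 '
    'dstip=198.51.100.9 url="http://example-bad.invalid/dl/payload.bin" '
    'hostname="example-bad.invalid" action="passthrough" '
    'msg="URL belongs to an allowed category in policy"',
    'date=2025-03-10 time=12:20:05 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.1.10.25 srcport=51240 '
    'dstip=192.0.2.10 dstport=80 action="accept" service="HTTP" policyid=7 '
    'sentbyte=300 rcvdbyte=1200',
]

# Constructed IOC list (assumption). The two match parameters are IP and URL;
# policy ID and application category are deliberately not part of the match.
IOC_IPS = {"203.0.113.77"}
IOC_URLS = {"http://example-bad.invalid/dl/payload.bin"}


def match_iocs(raw_lines):
    """Return {endpoint_srcip: [reasons]} for hosts whose logs hit an IOC."""
    hits = {}
    for line in raw_lines:
        log = parse_raw_log(line)
        src = log.get("srcip")
        if not src:
            continue  # no endpoint to attribute the match to
        reasons = []
        if log.get("dstip") in IOC_IPS:
            reasons.append("dstip %s is on the IOC IP list" % log["dstip"])
        if log.get("url") in IOC_URLS:
            reasons.append("url %s is on the IOC URL list" % log["url"])
        if reasons:
            hits.setdefault(src, []).extend(reasons)
    return hits


if __name__ == "__main__":
    for line in RAW_LOGS:
        print("RAW:       ", line)
        print("NORMALIZED:", parse_raw_log(line))
    for host, reasons in match_iocs(RAW_LOGS).items():
        print("flag host %s: %s" % (host, "; ".join(reasons)))
```

The third sample line reaches an address that is not on the IOC list, so host 10.1.10.25 is flagged once (for the first line) rather than twice; a real IOC engine also applies a verdict and a time window, which this example leaves out.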

Question 14

Which statement about SQL SELECT queries is true?

Options:

A.

They can be used to purge log entries from the database.

B.

They must be followed immediately by a WHERE clause.

C.

They can be used to display the database schema.

D.

They are not used in macros.

Question 15

You are trying to configure a task in the playbook editor to run a report.

However, when you try to select the desired playbook, you do not see it listed.

What is the reason?

Options:

A.

The report does not have auto-cache and extended log filtering enabled.

B.

The playbook is currently running and will be available after it is finished.

C.

You must create a trigger to run the report first.

D.

The report has no result and must be reconfigured.

Question 16

Which two statements regarding FortiAnalyzer operating modes are true? (Choose two.)

Options:

A.

When running in collector mode, FortiAnalyzer can forward logs to a syslog server.

B.

FortiAnalyzer runs in collector mode by default unless it is configured for HA.

C.

You can create and edit reports when FortiAnalyzer is running in collector mode.

D.

A topology with FortiAnalyzer devices running in both modes can improve their performance.

Question 17

You created a playbook on FortiAnalyzer that uses a FortiOS connector. When you configure FortiGate, which type of trigger must you use so that the actions in an automation stitch are available in the FortiOS connector? (Choose one answer.)

Options:

A.

FortiAnalyzer Event Handler

B.

Incoming webhook

C.

Fabric Connector event

D.

IP ban

Question 18

Exhibit.

Assume these are all the events that exist on the FortiAnalyzer device.

How many events will be added to the incident created after running this playbook?

Options:

A.

Eleven events will be added.

B.

Seven events will be added

C.

No events will be added.

D.

Four events will be added.

Question 19

Which two statements about local logs on FortiAnalyzer are true? (Choose two.)

Options:

A.

Local logs are not displayed in FortiView.

B.

Event logs are available in the root ADOM.

C.

Playbook logs for all ADOMs are in the root ADOM.

D.

Application control logs are ADOM-specific.

Question 20

Exhibit.

What can you conclude about the output?

Options:

A.

The message rate being lower than the log rate is normal.

B.

Both messages and logs are almost finished indexing.

C.

There are more traffic logs than event logs.

D.

The output is ADOM-specific.

Question 21

Refer to the exhibit.

What can you conclude from this output? (Choose one answer.)

Options:

A.

ADOM1 has 300 MB of disk space remaining.

B.

The allocated disk quota to ADOM1 is 3 GB.

C.

Archive logs are using more space than analytic logs.

D.

There is no disk quota allocated to quarantining files.

Question 22

Refer to the exhibit.

What can you conclude about the output?

Options:

A.

Both messages and logs are almost finished indexing.

B.

There are more traffic logs than event logs.

C.

The message rate being higher than the log rate is not normal.

D.

The output is ADOM-specific.

Question 23

Which statement about the FortiSOAR management extension is correct?

Options:

A.

It requires a FortiManager configured to manage FortiGate.

B.

It runs as a docker container on FortiAnalyzer.

C.

It requires a dedicated FortiSOAR device or VM.

D.

It does not include a limited trial by default.