Fortinet FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Exam Practice Test

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide explains that FortiView provides dashboards for summarized network information, and that the Threats dashboard shows “top threats.” It also states that from a FortiView widget, “you can find more details about a specific entry,” and that the Top Threats widget displays the top threats, including IPS events and related CVE information when available.

Technical Deep Dive: The correct answer is A because the FortiView Top Threats table includes an entry named Apache.Expect.Header.XSS . That threat name directly indicates a cross-site scripting/XSS-related signature associated with Apache. The same row shows the threat type as IPS , meaning FortiAnalyzer is displaying it as an IPS-detected threat event. Therefore, the analyst can reasonably conclude that FortiAnalyzer recorded XSS attack activity against an Apache web server or Apache-related service.

Option B is not supported. The presence of a CVE ID provides vulnerability context, but it does not automatically mean that attack must be prioritized over every other entry. In FortiAnalyzer/FortiView, prioritization depends on threat level, threat score, incident count, affected assets, and SOC impact. In the exhibit, some entries without CVE IDs have higher threat scores and more incidents than the Apache XSS entry.

Option C is wrong because the exhibit itself includes non-IPS threat types, such as Malicious Website and P2P . FortiAnalyzer does not treat only IPS threats as genuine threats. FortiView aggregates multiple security-relevant categories so analysts can review threats across different log and detection types.

Option D is not a safe conclusion. The displayed table does not show a Critical threat level in the visible rows, but that does not prove that no critical threats exist. The view may be filtered, scoped by time, or limited to the currently displayed Top Threats entries. A SOC analyst should not infer total absence of critical threats from a filtered widget alone.

Exact Extract: Study Guide p.19-p.20: the Security Fabric root/upstream FortiGate relationship affects how traffic and UTM logs are correlated.

Technical Deep Dive: The correct answer is B. The output indicates FGT_B is acting as the Security Fabric root. In Security Fabric logging, FortiAnalyzer uses Fabric relationships to correlate logs and avoid duplicate traffic logging. The other options draw conclusions the output does not support: disk quota allocation to quarantine files, exact ADOM disk quota size, or archive-versus-analytics usage require explicit storage lines. The Fabric root conclusion is the one directly supported by the displayed Fabric relationship information.

Exact Extract: Study Guide p.211: output variables use the output from a preceding task as input to the current task.

Technical Deep Dive: The correct answer is B. The exhibit shows the analyst referencing output from an earlier task, such as a generated report identifier, so a later task can attach that result to an incident. That is an output variable. A trigger variable would pull values from the event or incident that started the playbook. The analyst is not creating the report object itself, nor creating a SOC report definition; the report task has already produced data, and the current task is consuming that output dynamically.

Exact Extract: Study Guide p.94 and p.130-p.131: indicators include IP addresses, URLs, and domains; IOC checks use IP/domain/URL values.

Technical Deep Dive: The correct answers are A and B. FortiAnalyzer identifies IOC matches by checking log artifacts such as IP addresses, domains, and URLs against FortiGuard threat intelligence. IP address and URL are explicitly listed as indicator types and IOC comparison parameters. Policy ID identifies which FortiGate policy matched traffic, but it is not an IOC artifact. Application category describes application classification, not a compromise indicator used for FortiGuard IOC matching.

Exact Extract: Study Guide p.40-p.45: FortiAnalyzer normalizes supported device logs, including FortiGate traffic, event, and security logs.

Technical Deep Dive: The correct answers are A, B, and C. FortiGate devices generate traffic logs, event logs, and security logs, and FortiAnalyzer collects and normalizes these supported log types for analysis. Security logs include UTM-related subtypes such as web filter, antivirus, IPS, and application control. Firewall and system in the answer list are not the three FortiGate log-type categories used by the guide for this question; system is a subtype under event logs, not a top-level selection here.

Exact Extract: Study Guide p.83: generic text filters support field operators, including equality and inequality, for precise event-handler matching.

Technical Deep Dive: The correct answer is A. The required filter must match login operations to the GUI from Laptop1 and exclude the admin user. Option A includes the login operation, the correct GUI/IP value for Laptop1, and user!=admin. Option B uses the wrong IP address. Option C incorrectly matches user==admin, which is the opposite of the requirement. Option D lacks the correct performed_on GUI condition and has malformed inequality syntax. For event-handler filters, small syntax or field mistakes change the result completely.

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.

Exact Extract: Study Guide p.139: one log message can consist of multiple logs in LZ4 format, explaining the log-rate/message-rate difference.

Technical Deep Dive: The correct answer is A. In the diagnostic output, the message rate being lower than the log rate is normal because FortiAnalyzer can receive a compressed log message that contains multiple individual logs. The log rate counts logs, while the message rate counts received log messages. Option B is not supported because the output does not prove indexing is almost finished. Option C cannot be inferred unless the command output breaks down traffic versus event log counts. Option D is wrong because these fortilogd rate commands are general logging statistics rather than an ADOM-specific view.

Exact Extract: Study Guide p.216: playbook jobs with one or more failed tasks are labeled Failed, even if some actions succeeded.

Technical Deep Dive: The correct answer is C. FortiAnalyzer marks the overall playbook job as Failed when any task in the job fails. That does not mean every task failed; it means the job requires review because the workflow did not complete cleanly. Option A is not the status described in the FortiAnalyzer guide for this scenario. Option B is a task-dependency style outcome, not the overall job status tested here. Option D is wrong because success requires all required tasks to complete successfully.

Exact Extract: Study Guide p.59: event logs show system-wide information; application logs are ADOM-specific, and non-root ADOMs show only application logs.

Technical Deep Dive: The correct answers are C and D. FortiAnalyzer local logs include system-wide event logs and ADOM-specific application logs. Because non-root ADOMs show only application logs, system event logs are effectively a root-ADOM visibility item. Option A is wrong because local audit logs are accessible in Log View under ADOMs. Option B overstates playbook visibility; playbook/application logs are ADOM-specific and should not be treated as all centralized in root for every ADOM.

Exact Extract: Study Guide p.58: Log View search results can be downloaded, and raw/text filtering helps with exact field syntax.

Technical Deep Dive: The correct answers are A and D. FortiAnalyzer Log View allows administrators to download filtered logs as text or CSV, so the displayed search results can be exported to a file. The exhibit also indicates a text-mode search/filter rather than a purely GUI-built filter. Option B would be true for formatted log tables in general, but the question asks what can be concluded from the displayed search results. Option C is not supported; whether FortiView can analyze related data depends on whether the logs are analytics logs, not merely on the search display.

Exact Extract: Study Guide p.21-p.24: HA is not supported on supervisors; members provide analyzer features and supervisor visibility does not require log forwarding to supervisor storage.

Technical Deep Dive: The correct answers are B and C. Fabric members must retain analyzer capabilities such as events and reports; collector mode lacks Incidents and Events and reporting, so member devices operate with analyzer functionality. The supervisor provides centralized visibility into logs collected on members rather than requiring members to forward all logs into supervisor storage. Option A is false because HA is not available for the supervisor. Option D is false because the guide states members do not have to share the supervisor time zone.

Exact Extract: Study Guide p.22-p.24: analyzer is the default mode; collector mode forwards logs, including to syslog/CEF, and mixed deployments improve scale.

Technical Deep Dive: The correct answers are A and D. In collector mode, FortiAnalyzer collects logs and forwards them to another analyzer, syslog server, or CEF server depending on forwarding mode. A topology using both collectors and analyzers can improve performance and regional scalability by offloading collection and keeping analysis/reporting on analyzer devices. Option B is wrong because analyzer mode is the default, not collector mode. Option C is wrong because collector mode has fewer features and does not provide reporting or event-management capabilities.

Exact Extract: Study Guide p.168-p.172: templates define layout, while reports include report settings and more configuration.

Technical Deep Dive: The correct answer is A. Reports provide more configuration options because they include the layout/template plus operational settings such as time period, target devices, scheduling, filters, output behavior, and advanced settings. Templates contain the Editor-tab layout elements and do not include basic or advanced report settings. Option B is wrong because both reports and templates can be cloned. Option C is wrong because templates can include macros. Option D is wrong because templates are not mapped to device groups as stated.

Exact Extract: Study Guide p.211: trigger variables use information from the event or incident trigger in later playbook tasks.

Technical Deep Dive: The correct answer is B. Trigger variables allow a playbook task to reuse values from the event or incident that started the playbook, such as endpoint IP, device, severity, or incident fields. That allows a task to filter a report, get matching logs, or target a response action dynamically. Option A describes monitoring statistics, not variables. Option C reverses the relationship: the trigger starts the playbook, and the variables are then available to tasks. Option D is unrelated to ON_SCHEDULE timing.

Exact Extract: Study Guide p.120: FortiAI can support incident investigation, response, threat hunting, impact analysis, and remediation recommendations.

Technical Deep Dive: The correct answers are B, C, and E. FortiAI in FortiAnalyzer is designed to assist SOC workflows: interpreting security events, generating incident summaries, identifying possible impacts, recommending remediation, generating queries, and supporting threat hunting. Site-to-site VPN and SD-WAN overlay configuration are FortiGate/FortiManager network configuration tasks, not the FortiAnalyzer FortiAI use cases described in the Analyst guide. The guide keeps FortiAI scoped to FortiAnalyzer security operations and analytics workflows.

Exact Extract: Study Guide p.188: diagnose sql status sqlreportd checks SQL query connections and hcache status for reports.

Technical Deep Dive: The correct answer is C. The sqlreportd diagnostic is a report troubleshooting command focused on SQL query connections and hcache status. It is useful when reports are slow because report generation depends heavily on hcache and SQL query execution. Option A is handled by scheduled report listing commands. Option B maps to diagnose sql process list. Option D maps more closely to sqlplugind insertion status, not sqlreportd.

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.159: SELECT * FROM $log can be used to obtain the schema for a selected log type.

Technical Deep Dive: The correct answer is C. FortiAnalyzer datasets use SQL SELECT queries not only to extract report data but also to reveal available columns for a log type. Running SELECT * FROM $log and testing the dataset shows the column headings available in the database schema. Option A is wrong because SELECT is read-only and does not purge data. Option B is wrong because WHERE is optional; FROM is the mandatory clause. Option D is wrong because macros represent dataset queries in abbreviated form, so SELECT logic is directly related to macros.

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.

Exact Extract: Study Guide p.21: FortiAnalyzer Fabric operates with a supervisor and members; members send information to the supervisor for centralized monitoring.

Technical Deep Dive: The correct answer is D. The exhibit shows devices that meet the conditions to participate as FortiAnalyzer Fabric members, so all listed devices can be members. The key concept is that Fabric membership is about centralized monitoring visibility between FortiAnalyzer systems, not about forcing every member into HA or a single time zone. A member remains an operating FortiAnalyzer device and reports member information to the supervisor. The distractor pairs are too restrictive because they unnecessarily exclude devices that still satisfy the Fabric member role.

Exact Extract: Study Guide p.157-p.159: datasets are SQL SELECT queries over $log, and WHERE filters narrow returned log rows.

Technical Deep Dive: The correct answer is A. The required dataset must select source IP, destination IP, and URL from $log, then filter web-filter logs where the category description equals Gambling. Option A uses the correct fields and catdesc filter. Option B incorrectly uses IPv6 aliases that do not match the expected output. Option C filters Dating instead of Gambling. Option D reverses the table and filter logic by placing Gambling in the FROM position and $log in the WHERE expression, which is invalid for the intended dataset.

Exact Extract: Study Guide p.78: event handlers can use notification profiles; p.107 describes external notifications through Fabric connectors.

Technical Deep Dive: The correct answers are A and C. When an event handler generates an event, FortiAnalyzer can use notification mechanisms such as SNMP traps through notification profiles. FortiAnalyzer also supports sending alerts to external platforms using configured Fabric connectors. FortiGuard is not an alert delivery server in this workflow; it supplies threat intelligence and outbreak content. SMS notification is not one of the event-handler notification methods described in the guide sections relevant to this question.