FCSS_ADA_AR-6.7 Sample Questions Answers

When registeringagentsin FortiSIEM, the organization to which they belong depends on how they are installed:

●Windows Agents

● During installation, the setup wizard prompts the user to specify theorganization.

● This ensures the agent is correctly assigned to the organization defined during setup.

●Linux Agents

● Installation on Linux requirescommand-line parameters, including theorganization name.

● This means that the organization is explicitly defined during the installation process.

In a multi-tenant FortiSOAR deployment, a Managed Security Service Provider (MSSP) hosts a shared FortiSOAR instance that serves multiple customers. Each customer operates as a separate tenant within the instance, ensuring data isolation and security.

FortiSOAR uses secure network connectivity (VPNs, direct connections, or secure tunnels) between the MSSP’s FortiSOAR manager node and the customer’s devices.

The customer does not need to install additional software or tenant nodes; instead, the MSSP manages multi-tenancy at the platform level.

Thelicense filelocated at/etc/opsd/.fortisiem4x0is critical for thecollector's operation, as it verifies the collector'sregistration with the supervisorand enables proper functionality.

If thislicense file is removed, the collector:

● Willlose its registrationwith the supervisor.

● Willstop receiving updates and configurationsfrom the FortiSIEM supervisor.

● Will requirere-registrationwith the supervisor to obtain a new license file.

FortiSOAR supports multipledata ingestion modesto allow efficient data collection and automation. The three primary modes are:

1.Rule-Based

FortiSOAR ingests data when specific rules are triggered based on defined conditions.

This enables automation and intelligence-driven event ingestion.

2.App Push

External applications canpushdata into FortiSOAR usingAPIs and integrations.

This is useful forreal-time ingestionfrom external tools like SIEMs, ticketing systems, and threat intelligence platforms.

3.Schedule-Based

Data is ingested based onpredefined schedules.

This is useful for periodic polling of external systems, fetching logs, and running automated tasks at set intervals.

Total EPS License Purchased: 500 EPS

Allocated EPS:

● Customer A: 100 EPS

● Customer B: 200 EPS

Remaining EPS Pool:

500 − (100 + 200) = 200 EPS

Atmidnight, thedaily database valuesmerge into theprofile database. The new values forHour 9are calculated as follows:

●Minimum CPU Utilization:The new minimum is the lower of the existing (32.31) and new (33.50) values →32.31

●Maximum CPU Utilization:The new maximum is the higher of the existing (32.31) and new (33.50) values →33.50

●Average CPU Utilization:

● The previous average was32.31(from one point).

● The new value from the daily database is33.50(one additional point).

● The new average is calculated as:

Thus, after merging, the updated profile database values forHour 9are:

●Min CPU Util = 32.31

●Max CPU Util = 33.50

●Avg CPU Util = 32.67

In FortiSIEM, an agent’s status of "Running Inactive" indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

InFortiSIEM, when an agent isuninstalled from a Windows device, the deviceremains in the CMDB (Configuration Management Database)until it ismanually removed.

●Uninstalling the agent does not automatically remove the device from the CMDB.

● CMDB maintains discovered deviceseven if they no longer report logs, ensuring historical tracking.

● Administrators mustmanually deletethe device from theCMDB > Devicessection.

FortiSIEMcollectorsare responsible forgathering logsfrom devices andforwarding themto the FortiSIEM cluster. Their communication with the cluster follows these key principles:

●Collectors periodically communicate with the supervisor node.

● This allows them toreport status, receive updates, and verify configurations.

●The supervisor periodically checks the health of the collector.

● Thesupervisor monitors the collector’s uptime, connectivity, and performance.

●Collectors upload event data to worker nodes but report health to the supervisor.

●Event logs are uploaded to worker nodesas per theworker upload list, ensuring distributed event processing.

●Health status is always reported directly to the supervisorfor centralized monitoring.

Group By automatically applies a COUNT aggregation.

When using Group By in FortiSIEM structured queries, it automatically applies a COUNT(*) function unless a different aggregation (such as SUM, AVG, or MAX) is specified. This helps summarize data by counting occurrences of grouped attributes.

Group By is applied to real-time and historical searches.

Grouping functions work in both real-time (live event monitoring) and historical (past event analysis) searches, making it useful for trend analysis, anomaly detection, and correlation.

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

From the"Clear If"condition in the exhibit:

●WITHIN 5 minutes, the system checks if the patternAllPingLossSrv_CLEARoccurs.

● TheHost IP of the clear condition must match the Host IP of the original rule(Clear_Condition.Host IP = Original_Rule.Host IP).

● If this condition is met, the systemautomatically clears the incidentbecause it indicates that network connectivity has been restored (packet loss has dropped).

Thus, theincident was auto-clearedbecause the system detected that the issue was resolved within the defined5-minute window, meeting the conditions for auto-clearance.

The rule is tracking asudden increase in WMI response timesover a30-minute window. The key detail here is the increase factor.

● The term1.50 times increasemeans the new value is150%of the previous baseline.

● A1.50x increasecorresponds to a150% increase, since the new value isoriginal + 150% of original.

The rule triggers an incident when there are two or more VPN logon failures within a 10-minute window, grouped by Source IP, Reporting Device, Reporting IP, and User. Let's analyze the events:

Breakdown of Events:

1. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Sarah

2. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: John

3. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Tom

4. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: John

5. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Sarah

6. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Tom

Now, applying the grouping criteria (Source IP, Reporting Device, Reporting IP, and User):

● Group 1: (1.1.1.1, 2.2.2.2, FortiGate, John) → 1 occurrence (not enough)

● Group 2: (1.1.1.1, 2.2.2.2, FortiGate, Sarah) → 1 occurrence (not enough)

● Group 3: (1.1.1.1, 2.2.2.2, FortiGate, Tom) → 2 occurrences (incident triggered)

● Group 4: (1.1.1.3, 2.2.2.2, FortiGate2, John) → 2 occurrences (incident triggered)

● Group 5: (1.1.1.3, 2.2.2.2, FortiGate2, Sarah) → 1 occurrence (not enough)

● Group 6: (1.1.1.3, 2.2.2.2, FortiGate2, Tom) → 1 occurrence (not enough)

Final Incident Count:

● One incident for Group 3 (Tom on FortiGate)

● One incident for Group 4 (John on FortiGate2)