Free Practice Questions for Fortinet FCSS_ADA_AR-6.7 Exam

TheWindows agent (fortibank_dc.fortibank.net)is in an"Unmanaged"state, which indicates that it has not received amonitoring templatefrom FortiSIEM. Without a template, the agent does not know what logs to collect or forward, meaning it isnot sending logs to the supervisor.

Theagent is registered, meaning it has completed the installation and connection process. Since it isunmanaged, it isnot actively monitoredor configured to send logs. To resolve this, the administrator mustassign a monitoring templateto enable proper log forwarding.

The administratordeployed FortiSIEM without a collector, meaning there is no dedicated system collecting logs fromservice provider infrastructure devices. Without a collector, the FortiSIEMsupervisor and workersmust directly ingest logs, which is not ideal for amulti-tenant service provider setup. Acollector is necessaryto efficiently gather logs before forwarding them to the FortiSIEM cluster.

phRuleMaster runs on both the supervisor and worker nodes, allowing distributed event processing. It receives filtered data from phRuleWorkers and organizes it into buckets before evaluation. Every 30 seconds, it processes the rule data in parallel, ensuring efficient rule execution. The incorrect options suggest that phRuleMaster runs only on the supervisor or evaluates rules sequentially, both of which are inaccurate.

In FortiSIEM, an agent’s status of "Running Inactive" indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.

The exhibit shows the directory listings forthree different workers(worker1,worker2, andworker3) under the/querywkr/active/13127*path, which indicatesactive query tasksassigned to each worker.

1.Worker1 (worker1)

The output doesnotshow any subdirectories or task files (13127t0,13127t1, etc.), meaningWorker1 is not assigned any tasks.

2.Worker2 (worker2)

The output showsone task (13127t1)under/querywkr/active/13127*.

The workerhas only one assigned task, not two, so optionsC and D are incorrect.

3.Worker3 (worker3)

The output showstwo tasks (13127t0and13127t1), indicating that Worker3 is processingtwo tasksfor query ID 13127.

Afterregistration, collectors maintaincontinuous communicationwith theSupervisorto ensure properevent processing, system health monitoring, and failover handling. The two key reasons collectors communicate with the Supervisor are:

1.To upload event data if a worker is down

If aworker node fails, thecollector can temporarily store event logsand then forward them to the Supervisor.

This ensuresevent continuityeven during infrastructure issues.

2.To report its own health status

Thecollector sends health reportsto theSupervisor, including resource usage, connectivity status, and operational logs.

This helps FortiSIEM trackcollector uptime and performance.

The administrator is running an analytic search that groups results bySource IP, Reporting IP, and User, and filters only those with aCOUNT >= 3.

Looking at the data:

●Adminhas three failed attempts from thesame Source IP (203.0.113.4)andReporting IP (10.0.1.99).

●JanandSarahappear onlyonce or twicein the dataset.

●Tomhasmultiple entries, but they are fromdifferent Source IPs and Reporting IPs, meaning they are not counted as three under the same group.

FortiSIEM's User and Entity Behavior Analytics (UEBA) uses AI-driven modeling to detect anomalies and security risks based on user activity. The risk weighting for UEBA tags allows customization of the AI model by prioritizing certain behaviors or indicators over others.

Adjusting risk weightings fine-tunes how the AI model evaluates risk, helping organizations align detection sensitivity with their security policies. This provides a customized risk scoring mechanism without requiring full AI retraining.