Fortinet FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Exam Practice Test

Exact Extract: Study Guide p.82: " Unhandled " indicates the security event risk is considered open.

Technical Deep Dive: The displayed event is best interpreted as open/unhandled, so the correct answer is C. In FortiAnalyzer, event status is not just a label; it tells the analyst whether the risk still requires action. A risk source being isolated would map to Contained, while traffic being blocked or dropped maps to Mitigated. An incident being created from an event is a separate workflow action and cannot be concluded from the event status alone unless the exhibit explicitly shows the incident linkage.

Exact Extract: Study Guide p.202: FortiOS connector actions require an Incoming Webhook Call trigger configured on FortiGate.

Technical Deep Dive: The correct answer is B. The FortiOS connector can appear once FortiGate is added to FortiAnalyzer, but FortiAnalyzer will not show the FortiOS automation actions until FortiGate has the proper automation rule. The trigger required is Incoming webhook/Incoming Webhook Call. A FortiAnalyzer Event Handler is a FortiAnalyzer-side event generator, not a FortiGate trigger for connector actions. Fabric Connector event and IP ban are not the trigger type required to expose FortiOS connector actions.

Exact Extract: Study Guide p.19-p.20: the first FortiGate creates the traffic log, while upstream devices complete UTM logging.

Technical Deep Dive: The correct answer is D. Client traffic first reaches the access-layer FortiGate, which creates the initial traffic log. The upstream FortiGate applies the web filter profile; therefore, if the session violates the web filtering policy, the upstream FortiGate generates the web filter UTM log. Because the web filter profile is configured to log only violations, no web filter log appears unless a violation occurs. Options A and C incorrectly place web filter logging on FGT-B. Option B misstates how Security Fabric logging avoids duplicate logs; FortiGates do not notify peers to log the flow.

Exact Extract: Study Guide p.22-p.24: analyzer is the default mode; collector mode forwards logs, including to syslog/CEF, and mixed deployments improve scale.

Technical Deep Dive: The correct answers are A and D. In collector mode, FortiAnalyzer collects logs and forwards them to another analyzer, syslog server, or CEF server depending on forwarding mode. A topology using both collectors and analyzers can improve performance and regional scalability by offloading collection and keeping analysis/reporting on analyzer devices. Option B is wrong because analyzer mode is the default, not collector mode. Option C is wrong because collector mode has fewer features and does not provide reporting or event-management capabilities.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that administrators can use CLI commands “to gather log rate and device usage statistics” to understand “the log volume and whether your disk quota is configured appropriately.” It also explains that if log volume is too high, FortiAnalyzer may not be able to retain “analytics logs or archive logs for the amount of time configured in the ADOM.”

Technical Deep Dive: The correct answer is B because the exhibit shows the disk quota allocation for ADOM1 split into two major areas: Logs and Database . Under the ADOM1 row, the Logs quota is shown as 900.0 MB , and the Database quota is shown as 2.1 GB . When these are added together, the total allocated quota for ADOM1 is approximately 3 GB .

Option A is not the best answer because the output does not show that ADOM1 has exactly 300 MB of total disk space remaining. It is true that the Logs section has roughly 299 MB remaining because 900 MB quota minus 601 MB used is about 299 MB. However, the question asks what can be concluded from the whole output, and the output also includes the database quota and database usage. So treating 300 MB as the total remaining ADOM space is incomplete.

Option C is wrong because archive/log-file usage is not greater than analytic/database usage in the output. The Logs section shows about 601 MB used, while the Database section shows about 1.9 GB used. The study guide separates archive logs from analytics logs: archive logs are rolled and compressed log files, while analytics logs are indexed in the SQL database for immediate analysis. Here, the database/analytic side is using more space than the log/archive side.

Option D is wrong because the exhibit showing 0.0 KB for quarantine does not mean no quota is allocated to quarantining files. It only means quarantine usage is currently zero. The output is reporting current disk usage and quota allocation, not proving that quarantine storage is unavailable.

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.

Exact Extract: Study Guide p.189: verify logs from the report time frame and test the dataset query when expected data is missing.

Technical Deep Dive: The correct answers are A and D. This duplicate scenario tests the same reporting troubleshooting logic. A report can be empty or incomplete even while the logs exist if the report uses a time window that excludes them or if the dataset filters them out. Testing the dataset proves whether the SQL query is actually retrieving the intended rows. Disabling auto-cache is a performance workaround only in very specific stale-cache investigations and is not the recommended first step. Report quota is not the issue when the report runs but contains the wrong data.

Exact Extract: Study Guide p.21: FortiAnalyzer Fabric operates with a supervisor and members; members send information to the supervisor for centralized monitoring.

Technical Deep Dive: The correct answer is D. The exhibit shows devices that meet the conditions to participate as FortiAnalyzer Fabric members, so all listed devices can be members. The key concept is that Fabric membership is about centralized monitoring visibility between FortiAnalyzer systems, not about forcing every member into HA or a single time zone. A member remains an operating FortiAnalyzer device and reports member information to the supervisor. The distractor pairs are too restrictive because they unnecessarily exclude devices that still satisfy the Fabric member role.

Exact Extract: Study Guide p.118: token usage includes prompt and response; more text and larger responses consume more tokens.

Technical Deep Dive: The correct answer is A. The best low-token prompt is concise and scoped: it specifies the endpoint and limits the response to the past week. Option C is verbose and asks for all log entries, increasing both input and output tokens. Option B asks for all logs for the past week without limiting to an endpoint, which can generate a large response. Option D is short, but it lacks a time window, so it can produce a broader and more token-heavy response than option A.

Exact Extract: Study Guide p.82: Unhandled means the security event risk is open and not mitigated or contained.

Technical Deep Dive: The correct answer is D. The exhibit shows the event status as Unhandled, which FortiAnalyzer defines as an open security event risk. That means the analyst should not treat the event as already blocked, quarantined, or isolated. Option A cannot be concluded because incident creation is a separate escalation action. Option B maps to Contained, not Unhandled. Option C uses a workflow term that is not the status shown in the event.

Exact Extract: Official Fortinet Administration Guide: Management Extension Applications are installed and run on FortiAnalyzer; CLI options include enabling the fortisoar container.

Technical Deep Dive: The correct answer is B. FortiSOAR MEA is a management extension application hosted by FortiAnalyzer, not a separate FortiSOAR appliance requirement for this question. FortiAnalyzer uses Docker-based MEA support, and FortiSOAR MEA is one of the supported extensions. Option A is wrong because FortiManager is not required just to run the FortiSOAR MEA. Option C describes a standalone FortiSOAR deployment, not the management extension. Option D is wrong because Fortinet documents FortiSOAR MEA trial licensing behavior for evaluation use.

Exact Extract: Study Guide p.59: event logs show system-wide information; application logs are ADOM-specific, and non-root ADOMs show only application logs.

Technical Deep Dive: The correct answers are C and D. FortiAnalyzer local logs include system-wide event logs and ADOM-specific application logs. Because non-root ADOMs show only application logs, system event logs are effectively a root-ADOM visibility item. Option A is wrong because local audit logs are accessible in Log View under ADOMs. Option B overstates playbook visibility; playbook/application logs are ADOM-specific and should not be treated as all centralized in root for every ADOM.

Exact Extract: Study Guide p.184: reports and charts can be imported/exported between same-type ADOMs; chart exports include associated datasets.

Technical Deep Dive: The correct answers are A and C. FortiAnalyzer requires the source and destination ADOMs to be the same type when moving reports or charts. Reports contain charts, and exported charts carry their associated datasets, so the reporting dependency comes across with the import workflow. Option B describes name-conflict behavior for playbook imports, not the report-moving requirement tested here. Option D is wrong because reports can be imported/exported directly; converting them to templates first is not required.

Exact Extract: Study Guide p.159: SELECT * FROM $log can be used to obtain the schema for a selected log type.

Technical Deep Dive: The correct answer is C. FortiAnalyzer datasets use SQL SELECT queries not only to extract report data but also to reveal available columns for a log type. Running SELECT * FROM $log and testing the dataset shows the column headings available in the database schema. Option A is wrong because SELECT is read-only and does not purge data. Option B is wrong because WHERE is optional; FROM is the mandatory clause. Option D is wrong because macros represent dataset queries in abbreviated form, so SELECT logic is directly related to macros.

Exact Extract: Study Guide p.173: macros represent dataset queries in abbreviated form, and macros are ADOM-specific.

Technical Deep Dive: The correct answer is C. FortiAnalyzer macros are not Excel-generation shortcuts and are not fixed templates. A macro is an abbreviated way to insert data extracted by a dataset query into a report without using a chart. Because reports, libraries, and related definitions are separated by ADOM, macros are ADOM-specific. Option A is wrong because custom macros can be created. Option B invents an Excel-specific behavior not described by the guide. Option D is too restrictive because macros are not limited only to FortiGate ADOMs.

Exact Extract: Study Guide p.9: Tier 2 Incident Responder investigates escalated alerts in more depth for response.

Technical Deep Dive: The correct answer is D. When an event is escalated into an incident, the SOC role responsible for deeper handling and response is the incident responder. Tier 1 security analysts handle monitoring and triage. Threat hunters proactively search for complex or hidden threats rather than owning every escalated incident. SOC engineers maintain tools such as SIEM/SOAR platforms but are not the primary incident-handling role. The guide’s SOC role model places escalated response work with the Incident Responder.

Exact Extract: Study Guide p.210: after creating a new playbook, FortiAnalyzer needs a few minutes to parse it.

Technical Deep Dive: The correct answer is A. FortiAnalyzer must parse the newly created playbook before it can execute reliably. Parsing checks the playbook definition and prepares it for execution by the automation engine. Option B is wrong because FortiAnalyzer is not automatically debugging the playbook; debugging happens after a failed or problematic run. Option C is unrelated to playbook creation. Option D is wrong because FortiAnalyzer can track multiple jobs; the wait is about playbook parsing, not waiting for all other playbooks to stop.

Exact Extract: Study Guide p.175: Chart Builder automatically builds a dataset and chart from filtered Log View search results.

Technical Deep Dive: The correct answer is D. Chart Builder is a shortcut for turning a useful filtered log search into reusable reporting content. The analyst first filters Log View to the desired data, then uses Chart Builder to create the dataset and chart automatically. Option A is wrong because it is not based on a fixed top-100 list. Option B is incomplete because the feature creates chart/dataset objects rather than merely adding a chart to a generated report. Option C incorrectly places the output under FortiView instead of reporting libraries.

Exact Extract: Study Guide p.141: Insert Rate is the rate logs are indexed; Receive Rate is the rate raw logs reach FortiAnalyzer.

Technical Deep Dive: The correct answer is A. At the indicated time, the insert-rate value is higher than the receive-rate value, which means FortiAnalyzer is indexing logs faster than new logs are arriving. This can happen when the database is catching up with previously received logs. Option B is too literal and unsupported; the graph shows rates, not a one-log daemon lead. Option C is wrong because a rebuild is not indicated by a single favorable rate point. Option D would apply when received logs are waiting because indexing is behind, which is the reverse condition.

Exact Extract: Study Guide p.200-p.203: playbooks run from a trigger and tasks can filter events before adding them to an incident.

Technical Deep Dive: The correct answer is D. The playbook task is filtering events using the configured criteria, and only the events that match those criteria are added to the incident. Because the task is configured to match any of the listed conditions, the analyst must count unique events matching severity, event type, or tag filters. The exhibit contains four unique matching events. Options A and B overcount by treating all or most events as matching. Option C is wrong because the filter is not empty and the exhibit shows events that meet the task criteria.

Exact Extract: Study Guide p.217-p.218: exported playbooks preserve enabled/disabled status, and name conflicts are handled on import.

Technical Deep Dive: The correct answers are A and C. A playbook imported into another ADOM or FortiAnalyzer retains the enabled or disabled status it had when exported, which is why automatic playbooks should be exported disabled. If an imported playbook name already exists, FortiAnalyzer creates a new name with a timestamp to avoid conflicts, so importing with the same name is allowed. Option B is wrong because connectors can be included in the export. Option D is wrong because multiple playbooks can be exported at once.

Exact Extract: Study Guide p.216: playbook jobs with one or more failed tasks are labeled Failed, even if some actions succeeded.

Technical Deep Dive: The correct answer is C. FortiAnalyzer marks the overall playbook job as Failed when any task in the job fails. That does not mean every task failed; it means the job requires review because the workflow did not complete cleanly. Option A is not the status described in the FortiAnalyzer guide for this scenario. Option B is a task-dependency style outcome, not the overall job status tested here. Option D is wrong because success requires all required tasks to complete successfully.