Fortinet FCP_FSM_AN-7.2 Exam Practice Test Instant Access

Question 1

Refer to the exhibit.

As shown in the exhibit, why are some of the fields highlighted in red?

AUnique values cannot be grouped B.

BThe attribute COUNT(Matched Events) is an invalid expression.

CNo RAW Event Log attribute information is available.

DThe Event Receive Time attribute is not available for logs.

Answer : A

The fields are highlighted in red because unique values such as Event Receive Time and Raw Event Log cannot be used in group-by operations. Grouping requires aggregatable or consistent values across events, while these fields are unique to each event, making them incompatible for grouping.

Question 2

Refer to the exhibit.

An analyst is trying to generate an incident with a title that includes the Source IP, Destination IP, User, and Destination Host Name. They are unable to add a Destination Host Name as an incident attribute.

What must be changed to allow the analyst to select Destination Host Name as an attribute?

AThe Destination Host Name must be selected as a Triggered Attribute.

BThe Destination Host Name must be set as an aggregate item in a subpattern.

CThe Destination Host Name must be added as an Event type in the FortiSIEM.

DThe Destination IP Event Attribute must be removed.

Answer : A

For an attribute like Destination Host Name to be used in the incident title, it must first be included in the Triggered Attributes list. Only attributes listed there are available for substitution in the title template (e.g., $destIpAddr, $srcIpAddr).

Question 3

Refer to the exhibit.

If you group the events by User, Source IP, and Count attributes, how many results will FortiSIEM display?

ATwo

BSix

CThree

DFive

EFour

Answer : B

Grouping by User, Source IP, and Count means that each unique combination of those three attributes will be treated as a separate result. In the table, all six rows have distinct combinations of User, Source IP, and Count - so FortiSIEM will display 6 results.

Question 4

Refer to the exhibit.

An analyst wants the rule shown in the exhibit to trigger when three failed login attempts occur within three minutes.

What should the values be for the condition time window and aggregate count?

ATime window 180 seconds, aggregate count 3

BTime window 180 seconds, aggregate count 2

CTime window 90 seconds, aggregate count 3

DTime window 90 seconds, aggregate count 2

Answer : A

To detect three failed login attempts within three minutes, you must set the aggregate count to 3 in the subpattern and the time window to 180 seconds in the rule condition. This ensures the rule triggers only if three or more failed logins occur in that timeframe.

Question 5

Refer to the exhibit.

Which section contains the subpattern configuration that determines how many matching events are needed to trigger the rule?

AAggregate

BGroup By

CActions

DFilters

Answer : A

The Aggregate section contains the condition COUNT(Matched Events) >= 1, which defines how many events must match the filter criteria for the rule to trigger. This is the subpattern configuration that determines the event threshold.

Question 6

Refer to the exhibit.

Which value would you expect the FortiSIEM parser to use to populate the Application Name field?

Aapplist

BNetwork.Service

CSSL

Dwan1

Answer : C

The Application Name field in FortiSIEM is typically populated using the value of the app field in the raw log. In this event, app='SSL', so 'SSL' is the expected application name parsed by FortiSIEM.

Question 7

Which statement about thresholds is true?

AFortiSIEM uses fixed, hardcoded global and device thresholds for all performance metrics.

BFortiSIEM uses only device thresholds for security metrics.

CFortiSIEM uses global and per device thresholds for performance metrics.

DFortiSIEM uses only global thresholds for performance metrics.

Answer : C

FortiSIEM evaluates performance metrics against both global thresholds, which apply system-wide, and per-device thresholds, which can be customized for individual devices. This dual approach allows flexibility in monitoring while ensuring consistent baseline alerting.

Fortinet FCP - FortiSIEM 7.2 Analyst FCP_FSM_AN-7.2 Exam Practice Test