Fortinet FCP_FSM_AN-7.2 Exam Questions Instant Access

Question 1

Refer to the exhibit.

Which section contains the subpattern configuration that determines how many matching events are needed to trigger the rule?

AAggregate

BGroup By

CActions

DFilters

Answer : A

The Aggregate section contains the condition COUNT(Matched Events) >= 1, which defines how many events must match the filter criteria for the rule to trigger. This is the subpattern configuration that determines the event threshold.

Question 2

When configuring anomaly detection machine learning, in which step must you select the fields to analyze?

ADesign

BSchedule

CPrepare Data

DTrain

Answer : C

In the Prepare Data step of configuring anomaly detection in FortiSIEM, you must select the fields to analyze. This step defines the input features that the machine learning model will evaluate during training and detection.

Question 3

Refer to the exhibit.

An analyst is trying to identify an issue using an expression based on the Expression Builder settings shown in the exhibit; however, the error message shown in the exhibit indicates that the expression is invalid.

What is the correct syntax to create an expression that generates a total count of matched events?

ACOUNT(Matched Events)

B(COUNT) Matched Events

CMatched Events (COUNT)

DMatched Events COUNT()

Answer : A

The correct syntax is COUNT(Matched Events) - with proper capitalization and spacing - to generate a total count of matched events. The error in the exhibit likely stems from a formatting issue (e.g., lowercase count() or incorrect spacing), not the logical structure of the expression.

Question 4

Refer to the exhibit.

Which two conditions will match this rule and subpatterns? (Choose two.)

AA user using RDP over SSL VPN fails to log in to an application five times.

BA user runs a brute force password cracker against an RDP server.

CA user fails twice to log in when connecting through RDP.

DA user connects to the wrong IP address for an RDP session five times.

Answer : A, B

The user initiates an RDP session (Subpattern 1) and then fails to log in multiple times (Subpattern 2 with COUNT(Matched Events) >= 3) - both from the same Source IP and User within 300 seconds.

The brute force attempts typically involve a successful RDP connection followed by multiple failed logins, satisfying the sequence and grouping conditions in the rule.

Question 5

Which information can FortiSIEM retrieve from FortiClient EMS through an API connection?

AHost software versions

BFortiSIEM license

CHost login credentials

DZTNA tags

Answer : D

FortiSIEM can retrieve ZTNA tags from FortiClient EMS through an API connection, enabling dynamic user and device classification for policy enforcement and incident response.

Question 6

Refer to the exhibit.

A FortiSIEM device is receiving syslog events from a FortiGate firewall. The FortiSIEM analyst is trying to search the raw event logs for the last two hours that contain the keyword "udp". However, they are getting no results from the search, which they know should be available. Based on the filter shown in the exhibit, why are there no search results?

AThe analyst selected AND in the Next column. This is the wrong Boolean operator.

BThe Time Range value should be set to Real-Time.

CThe keyword is case sensitive. Instead of typing udp in the Value field, the analyst should type UDP.

DThe analyst selected = in the Operator column. That is the wrong operator.

Answer : D

The operator is set to '=', which performs an exact match on the entire raw event log, not a substring search. To find logs that contain the keyword 'udp', the analyst should use the CONTAIN operator instead. This will return all logs where 'udp' appears anywhere in the raw log message.

Question 7

What can you use to send data to FortiSIEM for user and entity behavior analytics (UEBA)?

AFortiSIEM agent

BSSH

CSNMP

DFortiSIEM worker

Answer : A

The FortiSIEM agent can be used to send detailed endpoint data such as user activity and process behavior to FortiSIEM, which is essential for performing User and Entity Behavior Analytics (UEBA).

Fortinet FCP - FortiSIEM 7.2 Analyst FCP_FSM_AN-7.2 Exam Questions