Fortinet FCSS_ADA_AR-6.7 Exam Practice Test Instant Access

Question 1

Refer to the exhibit.

This is an example of a baseline profile that is configured in the backend of FortiSIEM.

Which two Group By attributes are configured for this profile? (Choose two.)

ALogon Failure

BReporting Device

CReporting IP

DDistinct User
From the provided XML configuration, we need to focus on the <GroupByAttr> section, which defines the attributes used for grouping.
In the SelectClause, the following attributes are listed:
reptDevName, reptDevAddr, COUNT(*), COUNT(DISTINCT user), COUNT(DISTINCT srcIpAddr)
reptDevName represents the reporting device.
reptDevAddr represents the reporting IP.
COUNT(DISTINCT user) tracks unique users.
COUNT(DISTINCT srcIpAddr) tracks distinct source IPs.
In the GroupByAttr section:
<GroupByAttr>reptDevName, reptDevAddr</GroupByAttr>
This confirms that the grouping is performed by Reporting Device (reptDevName) and Reporting IP (reptDevAddr).

Answer : B, C

Question 2

Which syntax will register a collector to the supervisor?

AphProvisionCollector -add <user><super ID><organization><collectorName>

BphProvisionCollector -add <user><collector IP><organizationid><collectorName>

CphProvisionCollector -add <user><super IP><organization><workerName>

DphProvisionCollector -add <user><collector IP><organization><superName>
The phProvisionCollector command is used to register a collector to the supervisor in FortiSIEM. The correct syntax requires:
User The admin username for authentication.
Password The password for authentication.
Super IP The IP address of the supervisor, which manages the collector.
Organization The organization to which the collector belongs.
Worker Name The name of the worker node responsible for handling events from this collector.

Answer : C

Question 3

From where does the rule engine load the baseline data values?

AThe memory

BThe profile report

CThe profile database

DThe daily database
The rule engine in FortiSIEM loads baseline data values from the profile database. This database stores historical trends and behavioral baselines for various metrics, such as CPU usage, network activity, and authentication patterns.
Profile database maintains long-term aggregated statistics for anomaly detection.
Baseline values are used to compare current events against expected behavior.
This helps in detecting deviations, such as a sudden increase in failed logins or unusual traffic spikes.

Answer : C

Question 4

FortiSIEM provides all rules with the ability to automatically change an active incident status to auto-cleared, based on an extra set of defined criteria.

Why would you configure FortiSIEM to automatically change an active incident status to auto-cleared?

ABecause availability or performance-related problems may trigger a threshold temporarily.

BBecause too many active incidents can spike the resource usaqe on FortiSIEM.

CBecause you need a way to reduce a backlog of incident responses.

DBecause some security-related incidents occur on a temporary basis.
In FortiSIEM, some incidents may be triggered due to temporary threshold breaches, especially in availability or performance-related monitoring. These temporary anomalies do not necessarily indicate a persistent issue or security threat.
By automatically clearing such incidents, FortiSIEM prevents unnecessary manual intervention and reduces noise in incident management.

Answer : A

Question 5

A service provider purchases a licensed EPS of 520. The guaranteed EPS allocated to three customers is 50, 100, and 150 respectively. At the end of every three-minute interval, incoming EPS is calculated at every collector and the value is sent to the central decision-making engine on the supervisor node.

The incoming EPS for the first collector is 25. the incoming EPS for the second collector is 50, and the incoming EPS for the third collector is 75.

Based on the information provided, what is the unused events total calculated by the supervisor?

A76.000

B35.960

C75.960

D71.460
Guaranteed Allocation: 50 + 100 + 150 = 300 EPS
Actual (Incoming) Usage: 25 + 50 + 75 = 150 EPS
Unused from guarantees = 300 150 = 150 EPS
Burst Capacity (Licensed minus Guaranteed): 520 300 = 220 EPS
Total Unused Capacity: 150 + 220 = 370 EPS
As a Percentage of Licensed EPS: 370/520 71.15% reported (after conversion/rounding) as ~71.460

Answer : D

Question 6

Refer to the exhibit.

Which scenario is not a supported nested query scenario?

AThe outer query is the event query, and the inner query is the event query.

BThe outer query is the event query, and the inner query is the CMDB query.

CThe outer query is the CMDB query, and the inner query is the event query.

DThe outer query is the CMDB query, and the inner query is the CMDB query.
FortiSIEM does not allow CMDB queries to be nested within other CMDB queries. CMDB data is static information, and nesting would not add value or function properly in query execution.

Answer : D

Question 7

How can you customize the AI model on FortiSIEM?

ARetrain the AI model

BReconfigure UEBA rules

CAdjust risk weighting for UEBA tags

DAdjust number of samples collected by the UEBA agents
FortiSIEM's User and Entity Behavior Analytics (UEBA) uses AI-driven modeling to detect anomalies and security risks based on user activity. The risk weighting for UEBA tags allows customization of the AI model by prioritizing certain behaviors or indicators over others.
Adjusting risk weightings fine-tunes how the AI model evaluates risk, helping organizations align detection sensitivity with their security policies. This provides a customized risk scoring mechanism without requiring full AI retraining.

Answer : C

Fortinet FCSS_ADA_AR-6.7 FCSS - Advanced Analytics 6.7 Architect Exam Practice Test