Fortinet FCSS_ADA_AR-6.7 Exam Questions Instant Access

Question 1

Refer to the exhibit.

Which statement about the rule filters events shown in the exhibit is true?

AThe rule filters events with an event type that equals Domain Account Locked and a reporting IP that equals Domain Controller applications.

BThe rule filters events with an event type that belong to the Domain Account Locked CMDB group or a reporting IP that belong to the Domain Controller applications group.

CThe rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting IP that belong to the Domain Controller applications group.

DThe rule filters events with an event type that belong to the Domain Account Locked CMDB group and a user that belongs to the Domain Controller applications group.

Answer : C

From the Filters section in the exhibit, we see:

1. Event Type IN EventTypes: Domain Account Locked

2. Reporting IP IN Applications: Domain Controller

3. Logical Operator: AND

Since both conditions must be true, the rule is effectively filtering events where:

The event type belongs to the Domain Account Locked CMDB group

The reporting IP belongs to the Domain Controller applications group

Question 2

Refer to the exhibit.

The service provider deployed FortiSIEM without a collector and added three customers on the supervisor.

What mistake did the administrator make?

AThe number of workers on the FortiSIEM cluster must match the number of customers added

BCollectors must be deployed on all customer premises before they are added to organization on the supervisor.

CAt least one collector must be deployed to collect logs from service provider infrastructure devices.

DCustomer A and customer B have overlapping IP addresses.

Answer : C

The administrator deployed FortiSIEM without a collector, meaning there is no dedicated system collecting logs from service provider infrastructure devices. Without a collector, the FortiSIEM supervisor and workers must directly ingest logs, which is not ideal for a multi-tenant service provider setup. A collector is necessary to efficiently gather logs before forwarding them to the FortiSIEM cluster.

Question 3

Refer to the exhibit.

Why is the windows device still in the CMDB, even though the administrator uninstalled the windows agent?

AThe device must be deleted from backend of FortiSIEM

BThe device has performance jobs assigned

CThe device was not installed properly

DThe device must be deleted manually from the CMDB

Answer : A

Question 4

Refer to the exhibit.

An administrator deploys a new collector for the first time, and notices that all the processes expect the phMonitor are down.

How can the administrator bring the processes up?

AThe collector was not deployed properly and must be redeployed.

BThe administrator needs to run the command phtools - start all on the collector.

CRebooting the collector will bring up the processes.

DThe processes will come up after the collector is registered to the supervisor.

Answer : D

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

Question 5

Refer to the exhibit.

The window for this rule is 30minutes.

What is this rule tracking?

AA sudden 50% increase in WMI response times over a 30-minute time window

BA sudden 1.50 times increase in WMI response times over a 30-minute time window

CA sudden 150% increase in WMI response times over a 30-minute time window

DA sudden 75% increase in WMI response times over a 30-minute time window

Answer : C

The rule is tracking a sudden increase in WMI response times over a 30-minute window. The key detail here is the increase factor.

The term 1.50 times increase means the new value is 150% of the previous baseline.

A 1.50x increase corresponds to a 150% increase, since the new value is original + 150% of original.

Question 6

Which syntax will register a collector to the supervisor?

AphProvisionCollector -add <user><super ID><organization><collectorName>

BphProvisionCollector -add <user><collector IP><organizationid><collectorName>

CphProvisionCollector -add <user><super IP><organization><workerName>

DphProvisionCollector -add <user><collector IP><organization><superName>

Answer : C

The phProvisionCollector command is used to register a collector to the supervisor in FortiSIEM. The correct syntax requires:

User The admin username for authentication.

Password The password for authentication.

Super IP The IP address of the supervisor, which manages the collector.

Organization The organization to which the collector belongs.

Worker Name The name of the worker node responsible for handling events from this collector.

Question 7

Refer to the exhibit.

What are three possible reasons why the Agent Status displays Running Inactive? (Choose three.)

AThe agent was registered incorrectly

BThe collector was not assigned to the agent

CThe agent is temporarily down

DThe template was not assigned

EThe template was removed

Answer : A, C, D

In FortiSIEM, an agent's status of 'Running Inactive' indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

Fortinet FCSS - Advanced Analytics 6.7 Architect FCSS_ADA_AR-6.7 Exam Questions