How can you empower a SOC by deploying FortiSOAR? (Choose three.)
Answer : A, C, E
Collaborative knowledge sharing: FortiSOAR enables security teams to share knowledge, automate workflows, and improve incident response efficiency by centralizing intelligence and standardizing processes.
Addressing analyst skills gap: By automating repetitive tasks and providing guided response playbooks, FortiSOAR helps SOC teams compensate for skill shortages and improve operational effectiveness.
Reducing human error: Automation and predefined workflows minimize manual interventions, reducing the likelihood of errors in incident detection, response, and remediation.
What happens to events that the collector receives when there is a WAN link failure between the collector and the supervisor?
Answer : D
When the WAN link between a FortiSIEM collector and the supervisor fails:
The collector does not discard events; it buffers them locally until the connection is restored.
Buffered events are compressed, and the buffer is capped at 1 GB of compressed data, so events are preserved without exhausting the collector's disk.
Once the WAN link is restored, the buffered events are forwarded to the supervisor for processing.
Refer to the exhibit.

If the Z-score for this rule is greater than or equal to three, what does this mean?
Answer : C
The Z-score formula in the expression builder calculates how many standard deviations the current value is from the historical average. The formula used is:

AVG(Firewall Session) represents the current firewall session rate.
STAT_AVG(AVG(Firewall Session);112) represents the historical average over a 112-time unit window.
STAT_STDDEV(AVG(Firewall Session);112) represents the historical standard deviation over the same period.
A Z-score of 3 or more means the current firewall session rate is at least three standard deviations above the historical average, which the rule treats as an anomaly. Because the comparison is one-sided (greater than or equal to three), a sudden drop in sessions would produce a negative score and would not trigger this rule.
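As an added illustration, not taken from the exhibit or from Fortinet's code, the following Python reproduces the rule's arithmetic: the current interval's AVG(Firewall Session) is compared against STAT_AVG and STAT_STDDEV computed over the previous 112 intervals, and the interval is flagged when the Z-score is at least 3. The session-rate series is constructed; treating STAT_STDDEV as a population standard deviation is an assumption.

```python
from statistics import mean, pstdev

WINDOW = 112      # number of historical intervals, matching the ";112" in the rule
THRESHOLD = 3.0   # rule fires when Z >= 3


def z_score(current, history, window=WINDOW):
    """Z = (AVG(Firewall Session) - STAT_AVG(...;112)) / STAT_STDDEV(...;112).

    Only the most recent `window` historical values are used. Returns None when
    there is not enough history or the history has no spread (stddev == 0); a
    flat baseline would otherwise turn any change into an infinite score.
    """
    recent = history[-window:]
    if len(recent) < 2:
        return None
    sigma = pstdev(recent)  # assumed: STAT_STDDEV behaves as a population stddev
    if sigma == 0:
        return None
    return (current - mean(recent)) / sigma


def evaluate(samples, threshold=THRESHOLD, window=WINDOW):
    """Walk a series of per-interval AVG(Firewall Session) values and return
    (index, z) for every interval whose Z-score is >= threshold. Each interval
    is scored against the `window` intervals before it, never against itself."""
    hits = []
    for i in range(window, len(samples)):
        z = z_score(samples[i], samples[:i], window)
        if z is not None and z >= threshold:
            hits.append((i, round(z, 2)))
    return hits


# Constructed baseline: 112 intervals alternating 950 and 1050 sessions per
# interval, so STAT_AVG = 1000 and STAT_STDDEV = 50 exactly.
BASELINE = [950 if i % 2 == 0 else 1050 for i in range(WINDOW)]
# Two live intervals: 1100 sits 2 sigma above the mean (no anomaly),
# 1300 sits roughly 6 sigma above it (anomaly).
SAMPLES = BASELINE + [1100, 1300]

if __name__ == "__main__":
    for idx, z in evaluate(SAMPLES):
        print(f"interval {idx}: AVG(Firewall Session)={SAMPLES[idx]} z={z} -> anomaly")
```

The stddev-zero guard matters in practice: a device that reported a perfectly constant rate for 112 intervals has no baseline to compare against, and a real rule engine must decide whether such a case is "no anomaly" or "insufficient data" rather than divide by zero.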
Refer to the exhibit.

Consider the five account locked events received by FortiSIEM from domain controllers within the last 10 minutes (ten minutes is the evaluation window for the subpattern DomainAcctLockout):

If the rule looks for one or more matching events, grouping by the same reporting IP address, reporting device, and user, how many incidents are created?
Answer : C
The rule groups events by Reporting IP, Reporting Device, and User. The five events are:
1. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John
2. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig
3. Reporting IP: 1.1.1.2, Reporting Device: Server109, User: Mary
4. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig (same group as #2)
5. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John (same group as #1)
Grouping on (Reporting IP, Reporting Device, User) yields three unique tuples:
1. (1.1.1.1, Server101, John): 2 events
2. (1.1.1.1, Server101, Craig): 2 events
3. (1.1.1.2, Server109, Mary): 1 event
Because the subpattern fires on one or more matching events (count >= 1), every group with at least one event inside the ten-minute window produces exactly one incident. The two repeated events do not add incidents; they fall into groups that already exist and only raise those groups' counts.
Total unique groups (incidents created) = 3
John on Server101 (1.1.1.1)
Craig on Server101 (1.1.1.1)
Mary on Server109 (1.1.1.2)
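The grouping logic above, as an added Python example that is not part of the exhibit or of FortiSIEM itself: events are filtered to the ten-minute evaluation window, keyed on (reporting IP, reporting device, user), and one incident is raised per key whose event count reaches the rule's threshold. The five events mirror the exhibit; their timestamps and the sixth, older lockout are constructed to show the window filter.

```python
from collections import Counter
from datetime import datetime, timedelta


def group_incidents(events, now, window=timedelta(minutes=10), min_count=1):
    """Return {(reporting_ip, reporting_device, user): count} for every group
    with at least `min_count` events inside the evaluation window ending at
    `now`. Each key in the result corresponds to one incident."""
    start = now - window
    counts = Counter(
        (e["reporting_ip"], e["reporting_device"], e["user"])
        for e in events
        if start <= e["time"] <= now
    )
    return {key: n for key, n in counts.items() if n >= min_count}


NOW = datetime(2024, 1, 1, 9, 10)  # constructed evaluation time


def lockout(minutes_ago, ip, device, user):
    """Build one 'account locked' event `minutes_ago` minutes before NOW."""
    return {
        "time": NOW - timedelta(minutes=minutes_ago),
        "reporting_ip": ip,
        "reporting_device": device,
        "user": user,
    }


# The five events from the exhibit (timestamps constructed), plus one older
# lockout that falls outside the 10-minute window and must be ignored.
EVENTS = [
    lockout(8, "1.1.1.1", "Server101", "John"),
    lockout(7, "1.1.1.1", "Server101", "Craig"),
    lockout(5, "1.1.1.2", "Server109", "Mary"),
    lockout(3, "1.1.1.1", "Server101", "Craig"),
    lockout(1, "1.1.1.1", "Server101", "John"),
    lockout(25, "1.1.1.1", "Server101", "Mary"),  # stale: outside the window
]

if __name__ == "__main__":
    for key, n in group_incidents(EVENTS, NOW).items():
        print(f"incident for {key}: {n} event(s)")
```

Raising `min_count` to 2 is the quickest way to see why the threshold matters: the same five events then produce only two incidents (John and Craig), since Mary's single lockout no longer satisfies the subpattern.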
A service provider purchased a 500-EPS license and configured a new collector with 100 EPS for customer A, and another collector with 200 EPS for customer B.
How much is in the remaining EPS pool for future customers and for MSSP itself?
Answer : B
Total EPS License Purchased: 500 EPS
Allocated EPS:
Customer A: 100 EPS
Customer B: 200 EPS
Remaining EPS Pool:
500 - (100 + 200) = 200 EPS
Refer to the exhibit.

An administrator deploys a new collector for the first time, and notices that all the processes except phMonitor are down.
How can the administrator bring the processes up?
Answer : D
When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.
The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.
Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.
Refer to the exhibit.

The profile database contains CPU utilization values from day one. At midnight on the second day, the CPU utilization values from the daily database will be merged with the profile database.
In the profile database, in the Hour of Day column where 9 is the value, what will be the updated minimum, maximum, and average CPU utilization values?
Answer : A
At midnight, the daily database values merge into the profile database. For Hour of Day 9 the merge works as follows:
Minimum CPU utilization: the lower of the existing value (32.31) and the new daily value (33.50), which is 32.31.
Maximum CPU utilization: the higher of the existing value (32.31) and the new daily value (33.50), which is 33.50.
Average CPU utilization: the daily value is folded into the existing average as a running mean, each side weighted by the number of samples it represents:
new avg = (old avg x old count + daily avg x daily count) / (old count + daily count)

Thus, after merging, the updated profile database values for Hour 9 are:
Min CPU Util = 32.31
Max CPU Util = 33.50
Avg CPU Util = 32.67
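As an added example, not FortiSIEM's own code, here is a Python merge of a daily database into a per-hour profile database. Minimum and maximum are straightforward; the average is merged as a running mean weighted by how many samples each side already holds, which is an assumption about how the profile keeps its average. The profile and daily values are constructed, not those of the exhibit.

```python
from statistics import mean


def merge_profile(profile, daily):
    """Fold one day's samples into the per-hour profile database.

    profile: {hour: {"min": x, "max": x, "avg": x, "count": n}}
    daily:   {hour: [sample, sample, ...]} collected during the day
    Returns a new profile; hours absent from `daily` are carried over unchanged
    and hours absent from `profile` are seeded from the daily samples alone.
    The input dictionaries are not modified.
    """
    merged = {hour: dict(stats) for hour, stats in profile.items()}
    for hour, samples in daily.items():
        if not samples:
            continue
        day = {
            "min": min(samples),
            "max": max(samples),
            "avg": mean(samples),
            "count": len(samples),
        }
        old = merged.get(hour)
        if old is None:
            merged[hour] = day  # first time this hour has been seen
            continue
        total = old["count"] + day["count"]
        merged[hour] = {
            "min": min(old["min"], day["min"]),
            "max": max(old["max"], day["max"]),
            # running mean: weight each side by the samples it represents (assumed)
            "avg": (old["avg"] * old["count"] + day["avg"] * day["count"]) / total,
            "count": total,
        }
    return merged


# Constructed profile after day one and the daily samples collected on day two.
PROFILE_DAY1 = {
    9:  {"min": 30.0, "max": 34.0, "avg": 32.0, "count": 4},
    10: {"min": 40.0, "max": 48.0, "avg": 44.0, "count": 4},
}
DAILY_DAY2 = {
    9:  [33.5, 35.0],  # raises the hour-9 maximum and nudges the average up
    11: [20.0],        # a new hour seeded from a single sample
}

if __name__ == "__main__":
    for hour, stats in sorted(merge_profile(PROFILE_DAY1, DAILY_DAY2).items()):
        print(hour, {k: round(v, 2) for k, v in stats.items()})
```

Keeping the sample count alongside min, max and avg is what makes the merge correct on later days: without it, a single new sample would pull the hour's average as hard as the whole history before it.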