Alaytic 7.4
Test title: Alaytic 7.4
Description: do it to pass



FAZ # diagnose fortilogd lograte
last 5 seconds: 78.8, last 30 seconds: 132.1, last 60 seconds: 133.3
FAZ # diagnose fortilogd msgrate
last 5 seconds: 1.4, last 30 seconds: 1.6, last 60 seconds: 1.6

What can you conclude about the output?
- The output is not ADOM specific.
- There are more event logs than traffic logs.
- The low indexing values require investigation.
- The log rate being higher than the message rate is not normal.

Which two statements about exporting and importing playbooks are true?
- You can export only one playbook at a time.
- A playbook that was disabled when it was exported will be disabled when it is imported.
- You can import a playbook even if there is another one with the same name in the destination.
- Playbooks can be imported to a different FortiAnalyzer device, but only if the connectors already exist.

You are trying to configure a task in the playbook editor to run a report. However, when you try to select the desired playbook, you do not see it listed. What is the reason?
- The report has no results and must be reconfigured.
- You must create a trigger to run the report first.
- The playbook is currently running and will be available after it is finished.
- The report does not have auto-cache and extended log filtering enabled.

When managing incidents on FortiAnalyzer, what must an analyst be aware of?
- The status of the incident is always linked to the status of the attached event.
- Incidents must be acknowledged before they can be analyzed.
- Incidents rated with the severity level High have an initial service-level agreement (SLA) response time of 1 hour.
- You can manually attach generated reports to incidents.

- operation=login & DSTIP==10.1.1.210 & user=admin
- operation=login & SRCIP==10.1.1.100 & DSTIP==10.1.1.210 & user=admin
- operation=login & performed_on="GUI(10.1.1.210)" & user=admin
- operation=login & performed_on="GUI(10.1.1.100)" & user=admin

Which SQL query is in the correct order to query the database in the FortiAnalyzer?
- SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid
- SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid
- SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'
- SELECT FROM $log WHERE devid 'user'='USER1' GROUP BY devid

What is the purpose of playbook trigger variables?
- To display statistics about the playbook runtime.
- To provide the trigger information to make the playbook start running.
- To use information from the trigger to filter the action in a task.
- To store the start times of playbooks with On_Schedule triggers.

What can you conclude about these search results? (Choose two.)
- They were searched by using text mode.
- They can be downloaded to a file.
- They are sortable by columns and customizable.
- They are not available for analysis in FortiView.

What is the purpose of running the command diagnose sql status sqlplugind?
- To list the current SQL processes running.
- To view the current hcache size.
- To identify the database log insertion status.
- To display the SQL query connections and status.

What is the purpose of using data selectors when configuring event handlers?
- They are common filters that can be applied simultaneously to all event handlers.
- They filter the types of logs that FortiAnalyzer can accept from registered devices.
- They apply their filter criteria to the entire event handler so that you don't have to configure the same criteria in the individual rules.
- They download new filters that can be used in event handlers.

- FortiAnalyzer is using its cache to avoid dropping logs.
- The log insert lag time is increasing.
- The performance of FortiAnalyzer is below the baseline.
- The sqlplugind service is caught up with new logs.

Which two statements about playbook execution are true? (Choose two.)
- Even if the playbook status is Failed, individual tasks may have succeeded.
- FortiAnalyzer will not commit changes made by a Failed playbook.
- You run the default debugging playbook to investigate playbook errors.
- The Playbook Monitor provides troubleshooting logs.

- To add a new chart under FortiView to be used in new reports.
- To build a dataset and chart based on the filtered search results.
- To build a chart automatically based on the top 100 log entries.
- To add charts directly to generate reports in the current ADOM.

Which statement correctly describes one difference between templates and reports?
- Templates can be cloned, but reports cannot be cloned.
- Templates are mapped to device groups, while reports are mapped to ADOMs.
- Reports support macros, but templates do not.
- Reports provide more configuration options than templates.

- SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip='10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC
- SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip!='10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC
- SELECT srcip AS "Source IP", dstport AS "Destination Port" ORDER BY dstport DESC GROUP BY srcip, dstport FROM $log WHERE $filter AND srcip
- SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE ORDER BY dstport GROUP BY dstport DESC

You discover that a few reports are taking a long time to generate. Which two steps can you take to troubleshoot? (Choose two.)
- Remove old reports from hcache.
- Review report diagnostics.
- Enable auto-cache and run the reports again.
- Increase ADOM reports quota.

You must find a specific security event log in the FortiAnalyzer logs displayed in FortiView, but, so far, you have been unsuccessful. Which two tasks should you perform to investigate why you are having this issue? (Choose two.)
- Check logs in the Log Browse.
- .gz log files in FortiView.
- Rebuild the SQL database and check FortiView.
- Review the ADOM data policy.

Which two statements regarding the outbreak detection service are true? (Choose two.)
- An additional license is required.
- Outbreak alerts are available on the root ADOM only.
- New alerts are received by email.
- It automatically downloads new event handlers and reports.

Which log will generate an event with the status Contained?
- An IPS log with action=pass.
- An AV log with action=quarantine.
- A WebFilter log with action=dropped.
- An AppControl log with action=blocked.

You need to move reports between two ADOMs. Which two statements are true? (Choose two.)
- The date and time will be appended to the original report name to avoid conflicts.
- You need to convert the reports into templates first.
- All charts and datasets associated with the report will be imported together.
- The ADOMs must be compatible types.

Which statement about automation connectors in FortiAnalyzer is true?
- An ADOM with the Fabric type comes with multiple connectors configured.
- The actions available with FortiOS connectors are determined by automation rules configured on FortiGate.
- The local connector becomes available after you configure any external
- The SOC module must be enabled before external are displayed.

Which statement about the FortiSIEM management extension is correct?
- It requires a licensed FortiSIEM supervisor.
- Its use of the available disk space is capped at
- It can be installed as a dedicated VM.
- It allows you to manage the entire life cycle of a threat or breach.

You find that, as part of your role as an analyst, you frequently search Log View using the same parameters. Instead of defining your search filters repeatedly, what can you do to save time?
- Configure a custom dashboard.
- Configure a data selector.
- Configure a custom view.
- Configure a macro and apply it to device groups.

Which statement about exporting items in Report Definitions is true?
- Template exports contain associated charts and datasets.
- Datasets can be exported.
- Chart exports contain associated datasets.
- Templates can be exported.

- Both FGT-A and FGT-B will create traffic logs.
- FGT-A will see the MAC address of FGT-B in the packets and know it does not need to log this flow.
- FGT-A will create logs for web filter events only if FGT-B did not already detect a violation.
- Only FGT-A will create traffic logs.

- Archive logs are using more space than analytic logs.
- FGT-B is the Security Fabric root.
- The allocated disk quota to ADOM1 is 3 GB.
- There is no disk quota allocated to quarantining files.

What happens when the indicator of compromise (IOC) engine on FortiAnalyzer finds web logs that match blackliste
- The detection engine classifies those logs as Suspicious.
- The endpoint is marked as Compromised and, optionally, can be put in quarantine.
- A new Infected entry is added for the corresponding endpoint under Compromised Hosts.
- FortiAnalyzer flags the associated host for further analysis.

You are tasked with finding logs corresponding to a suspected attack on your network. You need to use an interface where all identified threats within your timeframe are listed and organized. You also need to PDF file. Where can you go to accomplish this task?
- FortiView.
- Log.
- Log Browse.
- Fabric View.

- The security event risk is considered open.
- The security risk was blocked or dropped.
- An incident was created from this event.
- The risk source is isolated.

Which two statements regarding FortiAnalyzer operating modes are true? (Choose two.)
- When running in collector mode, FortiAnalyzer can forward logs to syslog servers.
- FortiAnalyzer runs in collector mode by default unless it is configured for HA.
- A topology with FortiAnalyzer devices running in both modes can improve their performance.
- You can create and edit reports when FortiAnalyzer is running in collector mode.

As part of your analysis, you discover that a Medium severity level incident is fully remediated. You change the incident status to Closed: Remediated. Which statement about your update is true?
- The corresponding event will be marked as Mitigated.
- The incident can no longer be deleted.
- The incident severity will be lowered.
- The Incidents dashboards will be updated.

- Your colleague put a password on the export.
- The option to include the connector was not selected.
- The playbook is misconfigured.
- The export data type is zipped.

Which statement about sending notifications with incident updates is true?
- Notifications can be sent only when an incident is created or deleted.
- Each incident can send notifications to a single external platform.
- Each connector used can have different notification settings.
- You must configure an output profile to send notifications by email.

Which two methods can you use to send notifications when an event occurs that matches a configured event handler? (Choose two.)
- Send SNMP trap.
- Send alert through FortiSIEM MEA.
- Send alert through Fabric Connectors.
- Send SMS notification.

Which statement describes archive logs on FortiAnalyzer?
- Logs previously collected from devices that are offline.
- Logs compressed and saved in files with the .gz extension.
- Logs that are indexed and stored in the SQL database.
- Logs a FortiAnalyzer administrator can access in FortiView.

Why must you wait for several minutes before you run a playbook that you just created?
- FortiAnalyzer needs that time to debug the new playbook.
- FortiAnalyzer needs that time to debug the new playbook.
- FortiAnalyzer needs that time to parse the new playbook.
- FortiAnalyzer needs that time to ensure there are no other playbooks.

Which two actions should an administrator take to view Compromised Hosts on FortiAnalyzer? (Choose two.)
- Make sure all endpoints are reachable by FortiAnalyzer.
- Enable device detection on the FortiGate devices that are sending logs to FortiAnalyzer.
- Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.
- Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

You created a playbook on FortiAnalyzer that uses a FortiOS connector. When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in tl
- FortiOS Event Log.
- Incoming webhook.
- FortiAnalyzer Event Handler.
- FortiAnalyzer Event Handler.

What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two.)
- The generation time for reports is decreased.
- When new logs are received, the hard-cache data is updated automatically.
- FortiAnalyzer local cache is used to store generated reports.
- The size of newly generated reports is optimized to conserve disk space.

- Both messages and logs are almost finished indexing.
- The output is ADOM specific.
- The message rate being lower than the log rate is normal.
- There are more traffic logs than event logs.

Which statement about SQL SELECT queries is true?
- They are not used in macros.
- They must be followed immediately by a WHERE clause.
- They can be used to display the database schema.
- They can be used to purge log entries from the database.

A playbook contains five tasks in total. An administrator runs the playbook and four out of five tasks finish successfully, but one task fails. What will be the status of the playbook after it is run?
- Success.
- Attention_required.
- Upstream_failed.
- Failed.

Which statement about the FortiSOAR management extension is correct?
- It requires a FortiManager configured to manage FortiGate.
- It runs as a docker container on FortiAnalyzer.
- It requires a dedicated FortiSOAR device or VM.
- It does not include a limited trial by default.

As part of your analysis, you discover that an incident is a false positive. You change the incident status to Closed: False Positive.
- The incident will be deleted.
- The incident number will be changed.
- The corresponding event will be marked as Mitigated.
- The audit history log will be updated.

You want to design a playbook that runs a series of tasks in parallel. How can you accomplish this goal?
- Connect a trigger or task to multiple tasks.
- Queue the same playbook to run multiple times.
- Create multiple triggers and link one task to each trigger.
- Set up multiple connectors.

- An incident was created from this event.
- The risk source is isolated.
- The security event risk is considered open.
- The security risk was blocked or dropped.

- The analyst is trying to create a SOC report in the playbook.
- The analyst is trying to create a report in the playbook.
- The analyst is trying to create an output variable to be used in the playbook.
- The analyst is trying to create a trigger variable to be used in the playbook.

Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?
- Incidents dashboard.
- Outbreak alert services.
- FortiView Monitor.
- Threat hunting.

After generating a report, you notice the information you were expecting to see is not included in it. However, you confirm that the log
Which two actions should you perform? (Choose two.)
- Check the time frame covered by the report.
- Test the dataset.
- Disable auto cache.
- Increase the report utilization quota.

- The SQL database requires a rebuild because of high receive lag.
- FortiAnalyzer is temporarily buffering received logs so older logs can be indexed first.
- The fortilogd daemon is ahead in indexing by one log.
- FortiAnalyzer is indexing logs faster than logs are being received.

Which statement regarding macros on FortiAnalyzer is true?
- Macros are predefined templates for reports and cannot be customized.
- Macros are ADOM-specific and each ADOM type has unique macros relevant to that ADOM.
- Macros are supported only on the FortiGate ADOMs.
- Macros are useful in generating Excel log files automatically based on the report settings.

Which two statements about local logs on FortiAnalyzer are true? (Choose two.)
- You can view playbook logs for all ADOMs in the root ADOM.
- Event logs show system-wide information, whereas application logs are ADOM specific.
- They are not supported in FortiView.
- Event logs are available only in the root ADOM.

An administrator on your team has configured multiple reports to run periodically. Management has an additional request that all new company email inbox for accessibility. The mail server has already been configured on FortiAnalyzer. Which item must you configure on FortiAnalyzer so that emails are sent when the reports are generated?
- Add a mailto: option within the report layouts.
- Enable the option to email all reports under the mail server.
- Enable email notifications under the report calendar.
- Enable an output profile on the reports.

- No events will be added.
- Eleven events will be added.
- Four events will be added.
- Seven events will be added.





