Milsabores

Test title:
Milsabores

Description:
this is

Creation date: 2026/03/14

Category: Other

Number of questions: 53

Rating: (0)
Contents:

Which statement about automation connectors on FortiAnalyzer is true?
- An ADOM with the Fabric type comes with multiple connectors configured.
- The local connector comes online once you have a playbook task referencing it.
- The actions available with FortiOS connectors are determined by automation rules configured on FortiGate.
- The playbook module must be enabled before external connectors are displayed.

Which three modules does FortiAnalyzer automatically download content from with a valid SOC Automation service license? (Choose three.)
- Report templates.
- Dashboards.
- Event handlers.
- Active Connectors.
- Playbooks.
- Incident templates.

Which two observations can you make after reviewing this log entry? (Choose two.)
- This is a formatted view of the log.
- This is a normalized log.
- This log is in a raw log format.
- This is the original log that FortiAnalyzer received from FortiGate.

What is the purpose of using the Chart Builder feature on FortiAnalyzer 7?
- To build a chart automatically based on the top 100 log entries.
- To add charts to generate reports directly in the current ADOM.
- To add a new chart under FortiView to be used in new reports.
- To build a dataset and chart based on the filtered search results.

The playbook shown in the exhibit requires fine-tuning. A task needs to be configured to run a report on the updated asset list that the FortiAnalyzer receives from the FortiClient EMS. Which SOC role is responsible for making this change?
- Threat hunter.
- SOC engineer.
- Security analyst.
- Incident responder.

Which operation can you use SQL SELECT queries for?
- To alter tables in the database.
- To purge log entries from the database.
- To insert new data into an existing table.
- To display the database schema.

What does the data point at 21:20 indicate?
- FortiAnalyzer is indexing logs faster than logs are being received.
- The sqlplugind daemon is behind in receiving logs by one log.
- The fortilogd daemon is ahead in indexing by one log.
- The log insert lag time is high.

Which two parameters does FortiAnalyzer use to identify an indicator of compromise (IOC)? (Choose two.)
- Application category.
- IP address.
- URL.
- Policy ID.

Which statement describes archive logs on FortiAnalyzer?
- Logs that are parsed and normalized by FortiAnalyzer and available in the log view.
- Logs received from other FortiAnalyzer devices.
- Logs compressed and saved in files with the .gz extension.
- Logs that are indexed and stored in the SQL database.

An analyst needs to move reports between two ADOMs. Which two statements are true? (Choose two.)
- All charts and datasets associated with the report will be imported together.
- The date and time will be appended to the original report name to avoid conflicts.
- The ADOMs must be compatible types.
- The reports must be converted into templates first.

After generating a report you notice that the information you were expecting to see is not included in that report. However, you confirm that the logs are there. Which two actions must you perform? (Choose two.)
- Test the dataset.
- Check the time frame covered by the report.
- Increase the report utilization quota.
- Enable auto-cache.

When managing incidents on FortiAnalyzer, which fact must an analyst be aware of?
- The status of the incident is always linked to the status of the attached event.
- A playbook can be run from the Incidents page.
- Incidents must be acknowledged before they can be analyzed.
- Indicators found on the Incidents page can be enriched only from the Indicators page.

You are trying to configure a task in the playbook editor to run a report. However, when you try to select the desired report you do not see it listed. What is the reason?
- The report template needs to be switched to one that is available for playbooks.
- You must create a trigger to run the report first.
- The playbook is currently running and the report will be available after it is finished.
- The report does not have auto-cache and extended log filtering enabled.

Which three types of indicators can FortiAnalyzer identify? (Choose three.)
- Email address.
- Host name.
- Domain.
- URL.
- IP address.

What can you conclude from this output?
- The allocated disk quota to ADOM1 is 3 GB.
- There is no disk quota allocated to quarantining files.
- Archive logs are using more space than analytic logs.
- ADOM1 has 300 MB of disk space remaining.

You created a playbook on FortiAnalyzer that uses a FortiOS connector. When you configure FortiGate, which type of trigger must you use so that the actions in an automation stitch are available in the FortiOS connector?
- Fabric Connector event.
- Incoming webhook.
- IP ban.
- FortiAnalyzer Event Handler.

Which two conclusions can you make about these search results? (Choose two.)
- The logs have been parsed by FortiGate log parser.
- They were searched using text mode.
- They are sortable by columns and customizable.
- They can be downloaded to a CSV file.

What are the two methods you can use to send notifications when an event is generated by an event handler? (Choose two.)
- Send an alert through the FortiGuard server.
- Send an alert through Fabric connectors.
- Send SMS notification.
- Send SNMP trap.

Which two actions should you take to view compromised hosts on FortiAnalyzer? (Choose two.)
- Enable device detection on FortiGate devices that are sending logs to FortiAnalyzer.
- Enable web filtering in firewall policies on FortiGate devices, and make sure the FortiGate logs are sent to FortiAnalyzer.
- Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.
- Subscribe to the Outbreak Detection Service so that the FortiAnalyzer has the latest event handlers.

In your role as an analyst, you frequently search the log view using the same parameters. Instead of defining the same search filters repeatedly, what can you do to save time?
- Configure a custom dashboard.
- Configure a chart template and apply it to device groups.
- Configure a report template.
- Configure a custom view.

Which three types of traffic does the safeguarding event handler scan? (Choose three.)
- Web.
- Application.
- VoIP.
- Email.
- DNS.

What does the orange status indicator on the FortiGuard Connector indicate?
- The connection is down.
- The connection is successful.
- The connection is unknown.
- The connection is disconnected.

What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two.)
- The size of newly generated reports is optimized to conserve disk space.
- The hcache data is updated automatically when new logs are received.
- The report generation time is reduced.
- FortiAnalyzer local cache is used to store generated reports.

When there are no matching parsers for a device log, what does FortiAnalyzer do?
- Stores the log but doesn't normalize it.
- Applies the generic SYSLOG parser.
- Drops the log.
- Archives the log for future analysis.

How does FortiAnalyzer block indicators?
- It uses a webhook to allow FortiGate to send the block list.
- It uses a FortiClient EMS connector to send the block list.
- It uses a FortiManager connector to send the block list.
- It uses an automation script to update FortiGate with the block list.

Client-1 is trying to access the internet for web browsing. All FortiGate devices in the topology are part of a Security Fabric with logging to FortiAnalyzer configured. All firewall policies have logging enabled. All web filter profiles are configured to log only violations. Which statement about the logging behavior for this specific traffic flow is true?
- FGT-A will create all traffic logs except for security logs.
- FGT-A will create logs for web filter events only if FGT-B did not already detect a violation.
- FGT-A will see the MAC address of FGT-B in the packets and know it does not need to log this flow.
- Both FGT-A and FGT-B will create traffic logs.

What is the purpose of running the command diagnose sql status sqlreportd?
- To identify the configuration status of all configured reports.
- To view a list of current reports that are running.
- To display the SQL query connections and hcache status.
- To list the current running SQL processes.

What is the analyst trying to create?
- A trigger variable to use in a playbook.
- A SOC report in a playbook.
- A report in a playbook.
- An output variable to use in a playbook.

Which two statements about local logs on FortiAnalyzer are true? (Choose two.)
- Playbook logs for all ADOMs are in the root ADOM.
- Application control logs are ADOM specific.
- Local logs are not displayed in FortiView.
- Event logs are available in the root ADOM.

In a FortiAnalyzer Fabric deployment, which three modules from Fabric members are available for analysis on the supervisor? (Choose three.)
- Reports.
- Playbooks.
- Logs.
- Indicators.
- Events.

What is the purpose of running the command diagnose sql status sqlplugind?
- To identify the database log insertion status.
- To list the current running SQL processes.
- To view the amount of time between log received and log inserted into the database.
- To display the SQL query connections and hcache status.

Refer to the exhibit. A FortiAnalyzer analyst is customizing a SQL query to use in a report. Which SQL query should the analyst run to get the expected results?
- SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip = !'10.0.1.10' GROUP BY Source IP, Destination Port ORDER BY dstport DESC
- SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip = '10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC
- SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND Source IP != '10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC
- SELECT srcip AS "Source IP", dstport AS "Destination Port" ORDER BY dstport DESC GROUP BY srcip, dstport FROM $log WHERE $filter AND srcip = '10.0.1.10'

You must find a specific security event log in the FortiAnalyzer logs displayed in FortiView, but so far, you have been unsuccessful. Which two tasks should you perform to investigate why you are having this issue? (Choose two.)
- Review the ADOM data policy.
- Check logs in Log Browse.
- Disable FortiView using the CLI and then enable it again.
- Rebuild the SQL database and check FortiView.

What can you conclude about the output?
- The output is ADOM specific.
- Both messages and logs are almost finished indexing.
- The message rate being higher than the log rate is not normal.
- There are more traffic logs than event logs.

You are tasked with finding logs corresponding to a suspected attack on your network. You must use an interface where all identified threats within your timeframe are listed and organized. You also must be able to quickly export the information to a PDF file. Where can you go to accomplish this task?
- Incident.
- Log View.
- FortiAnalyzer Dashboards.
- FortiView.

An analyst is using FortiAI on FortiAnalyzer to simplify certain tasks but is worried about exceeding the monthly token limit. Which query will take the fewest FortiAI tokens?
- Show logs for 192.168.1.10 (past weeks).
- Show logs for 192.168.1.10.
- Can you show me all the log entries for the endpoint 192.168.1.10?
- Show all logs from the past week.

Which two statements regarding the outbreak detection service are true? (Choose two.)
- It automatically downloads new log parsers and reports.
- It automatically downloads new event handlers and reports.
- New downloads need to be accepted by system administrators.
- An additional license is required.

As part of your analysis, you discover that a Medium severity level incident is fully remediated. You change the incident status to Closed: Remediated. How will FortiAnalyzer handle this incident?
- The corresponding event will be marked as Mitigated.
- The incident will be deleted from the incident queue.
- The incidents dashboards will be updated.
- The incident severity will be nullified.

Refer to the exhibits. Assume these are all the events that exist on FortiAnalyzer. How many events will be added to the incident created after running this playbook?
- Seven events will be added.
- No events will be added.
- Four events will be added.
- Six events will be added.

Refer to the exhibits. The event shown in the exhibit has been escalated to an incident. Which SOC role is responsible for handling the escalated incident?
- Incident responder.
- Threat hunter.
- SOC engineer.
- Security analyst.

Which statement about sending notifications with incident updates is true?
- Notifications can be sent only when an incident is created or deleted.
- You must configure an output profile to send notifications by email.
- All connectors used for sending notifications must share the same notification settings.
- Each incident can send notifications to multiple external platforms.

An analyst is using FortiView to examine the top threats observed over the last 2 hours. What can the analyst conclude from the exhibit?
- A cross-site scripting (XSS) attack occurred on a DNS server.
- A SQL injection attack occurred on an application.
- FortiAnalyzer has logged only three types of IPS attacks.
- Malware attacks should be prioritized over IPS attacks.

Which statement correctly describes one difference between templates and reports?
- Reports can be moved between ADOMs but templates cannot.
- Templates can be cloned, but reports cannot be cloned.
- Templates do not include advanced report settings, but reports do.
- Reports support macros but templates do not.

In firmware version 7.6, how does on-premises FortiAnalyzer store logs?
- Uses ClickHouse database.
- Uses PostgreSQL database.
- Uses MySQL database.
- Uses Elasticsearch database.

Which three tasks can be performed on FortiAnalyzer using FortiAI? (Choose two.)
- Identify potential impacts and recommended remediation.
- Perform threat hunting.
- Configure SD-WAN overlay using FortiAI.
- Configure site-to-site VPN using FortiAI.

An analyst is trying to create a dataset to pull all gambling websites that were visited by end users. Which SQL query on FortiAnalyzer will give the result shown in the exhibit?
- select srcip as "SourceIP", dstip as "DestIP", url from $log where catdesc = 'Dating'
- select srcip as "SourceIP", dstip as "DestIP", url from 'Gambling' where catdesc = $log
- select srcip as "SourceIPv6", dstip as "DestIPv6", url from $log where catdesc = 'Gambling'
- select srcip as "SourceIP", dstip as "DestIP", url from $log where catdesc = 'Gambling'

Which statement about the displayed event is correct?
- An incident was created from this event.
- The security event risk is considered open.
- The security risk was escalated.
- The risk source is isolated.

Which statement about exporting items in Report Definitions is true?
- Templates can be exported.
- Chart exports do not contain associated datasets.
- Template exports do not contain associated charts and datasets.
- Datasets can be exported.

What conclusion can you draw from the exhibit?
- Unrated websites are being blocked.
- Social networking websites are being allowed.
- These are application control logs from FortiGate.
- This is a custom view that was set by the analyst.

Which three types of logs does FortiAnalyzer collect from FortiGate devices for normalization? (Choose three.)
- System.
- Traffic.
- Event.
- Security.
- Firewall.

Which two statements about playbook execution are true? (Choose two.)
- FortiAnalyzer will commit changes made by a Failed playbook.
- You can run the default debugging playbook to investigate playbook errors.
- The Playbook Monitor provides troubleshooting logs.
- If the playbook status is Failed, all individual tasks in the playbook will fail.

Which two modules can be imported and exported between ADOMs on FortiAnalyzer? (Choose two.)
- Reports.
- Templates.
- Datasets.
- Charts.

An administrator on your team has configured multiple reports to run periodically. Management has requested that all new generated reports be sent to a company email inbox for accessibility. The mail server has already been configured on FortiAnalyzer. Which item must you configure on FortiAnalyzer so that emails are sent when the reports are generated?
- Enable an output profile on the reports.
- Enable the option to email all reports under the mail server.
- Configure a new data policy for log uploads to email.
- Configure the email notifications section under the report calendar.
