Log Analysis Test

Test title:
Log Analysis Test

Description:
Firewall event review

Creation date: 2026/06/22

Category: Other

Number of questions: 42

Rating: (0)

Contents:

Which two parameters does FortiAnalyzer use to identify an indicator of compromise (IOC)? (Choose two answers.)
- IP address
- URL
- Policy ID
- Application category

An analyst is using FortiAI on FortiAnalyzer to simplify certain tasks but is worried about exceeding the monthly token limit. Which query will take the fewest FortiAI tokens? (Choose one answer.)
- Show all logs from the past week.
- Show logs for 192.168.1.10.
- Can you show me all the log entries for the endpoint 192.168.1.10?
- Show logs for 192.168.1.10 (past week).

You are tasked with finding logs corresponding to a suspected attack on your network. You need to use an interface where all identified threats within a timeframe are listed and organized. You also need to be able to quickly export the information to a PDF file. Where can you go to accomplish this task?
- Log View
- Log Browse
- FortiView
- Fabric View

Which log will generate an event with the status Unhandled?
- An AV log with action=quarantine
- An IPS log with action=pass
- A WebFilter log with action=dropped
- An AppControl log with action=blocked

What is the purpose of running the command diagnose sql status sqlreportd?
- To view a list of scheduled reports
- To list the current SQL processes running
- To display the SQL query connections and hcache status
- To identify the database log insertion status

Refer to the exhibit. The event shown in the exhibit has been escalated to an incident. Which SOC role is responsible for handling the escalated incident?
- Threat hunter
- Security analyst
- SOC engineer
- Incident responder

Refer to the exhibit. Assume these are all the events that exist on the FortiAnalyzer device. How many events will be added to the incident created after running this playbook?
- Eleven events will be added.
- Seven events will be added.
- No events will be added.
- Four events will be added.

Refer to the exhibit. What does the data point at 21:20 indicate?
- FortiAnalyzer is indexing logs faster than logs are being received.
- The fortilogd daemon is ahead in indexing by one log.
- The SQL database requires a rebuild because of high receive lag.
- FortiAnalyzer is temporarily buffering received logs so older logs can be indexed first.

Which statement about automation connectors in FortiAnalyzer is true?
- An ADOM with the Fabric type comes with multiple connectors configured.
- The local connector becomes available after you configured any external connector.
- The local connector becomes available after you connectors are displayed.
- The actions available with FortiOS connectors are determined by automation rules configured on FortiGate.

Which statement about the FortiSIEM management extension is correct?
- It allows you to manage the entire life cycle of a threat or breach.
- It can be installed as a dedicated VM.
- Its use of the available disk space is capped at 50%.
- It requires a licensed FortiSIEM supervisor.

You are trying to configure a task in the playbook editor to run a report. However, when you try to select the desired playbook, you do not see it listed. What is the reason?
- The report does not have auto-cache and extended log filtering enabled.
- The playbook is currently running and will be available after it is finished.
- You must create a trigger to run the report first.
- The report has no result and must be reconfigured.

Refer to the exhibit with partial output. Your colleague exported a playbook and has sent it to you for review. You open the file in a text editor and observe the output as shown in the exhibit. Which statement about the export is true?
- The export data type is zipped.
- The playbook is misconfigured.
- The option to include the connector was not selected.
- Your colleague put a password on the export.

In a FortiAnalyzer Fabric deployment, which three modules from Fabric members are available for analysis on the supervisor? (Choose three answers.)
- Playbooks
- Indicators
- Logs
- Events
- Reports

Which two statements regarding the outbreak detection service are true? (Choose two.)
- An additional license is required.
- It automatically downloads new event handlers and reports.
- Outbreak alerts are available on the root ADOM only.
- New alerts are received by email.

Refer to the exhibit. What is the analyst trying to create?
- The analyst is trying to create a trigger variable to be used in the playbook.
- The analyst is trying to create an output variable to be used in the playbook.
- The analyst is trying to create a report in the playbook.
- The analyst is trying to create a SOC report in the playbook.

Which two statements about exporting and importing playbooks are true? (Choose two.)
- A playbook that was disabled when it was exported will be disabled when it is imported.
- Playbooks can be imported to a different FortiAnalyzer device, but only if the connectors already exist.
- You can import a playbook even if there is another one with the same name in the destination.
- You can export only one playbook at a time.

In firmware version 7.6, how does on-premises FortiAnalyzer store logs? (Choose one answer.)
- Uses ClickHouse database
- Uses MySQL database
- Uses Postgres SQL database
- Uses Elasticsearch database

Which two statements about local logs on FortiAnalyzer are true? (Choose two.)
- Local logs are not displayed in FortiView.
- Event logs are available in the root ADOM.
- Playbook logs for all ADOMs are in the root ADOM.
- Application control logs are ADOM-specific.

Which statement describes archive logs on FortiAnalyzer?
- Logs that are indexed and stored in the SQL database
- Logs a FortiAnalyzer administrator can access in FortiView
- Logs compressed and saved in files with the .gz extension
- Logs previously collected from devices that are offline

Refer to the exhibit. What can you conclude from this output?
- There is no disk quota allocated to quarantining files.
- FGT_B is the Security Fabric root.
- The allocated disk quota to ADOM1 is 3 GB.
- Archive logs are using more space than analytic logs.

What is the purpose of playbook trigger variables?
- To display statistics about the playbook runtime
- To use information from the trigger to filter the action in a task
- To provide the trigger information to make the playbook start running
- To store the start times of playbooks with On_Schedule triggers

Refer to the exhibit. Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated by any user other than admin, and coming from Laptop1. Which filter will achieve the desired result?
- Operation-login and performed_on==''GUI(10.1.1.100)' and user!=admin
- Operation-login and performed_on==''GU (10.1.1.120)' and user!=admin
- Operation-login and srcip== 10.1.1.100 and dstip==10.1.1.1.210 and user==admin
- Operation-login and dstip==10.1.1.210 and user!-admin

You find that, as part of your role as an analyst, you frequently search Log View using the same parameters. Instead of defining your search filters repeatedly, what can you do to save time?
- Configure a custom dashboard.
- Configure a custom view.
- Configure a data selector.
- Configure a macro and apply it to device groups.

Refer to the exhibit. What can you conclude about these search results? (Choose two.)
- They can be downloaded to a file.
- They are sortable by columns and customizable.
- They are not available for analysis in FortiView.
- They were searched by using text mode.

Which two modules can be imported and exported between ADOMs on FortiAnalyzer? (Choose two.)
- Templates
- Reports
- Charts
- Datasets

Refer to the exhibit. An analyst is using FortiView to look at the top threats recorded by FortiAnalyzer in the last 2 hours. What can the analyst conclude from the exhibit? (Choose one answer.)
- There are cross-site scripting (XSS) attacks on an Apache web server.
- The attacks that have CVE IDs attached require priority attention.
- Only IPS threats constitute genuine threats.
- There are no critical level threats.

Which log will generate an event with the status Contained?
- An AV log with action=quarantine
- An IPS log with action=pass
- A WebFilter log with action=dropped
- An AppControl log with action=blocked

Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?
- FortiView Monitor
- Outbreak alert services
- Incidents dashboard
- Threat hunting

Refer to the exhibit. Which statement about the displayed event is correct? (Choose one answer.)
- An incident was created from this event.
- The risk source is isolated.
- The security risk was escalated.
- The security event risk is considered open.

What are the two methods you can use to send notifications when an event is generated by an event handler? (Choose two answers.)
- Send SNMP trap
- Send an alert through the FortiGuard server
- Send an alert through Fabric connectors
- Send SMS notification

What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two.)
- The generation time for reports is decreased.
- When new logs are received, the hard-cache data is updated automatically.
- FortiAnalyzer local cache is used to store generated reports.
- The size of newly generated reports is optimized to conserve disk space.

After generating a report, you notice the information you were expecting to see is not included in it. However, you confirm that the logs are there.
- Check the time frame covered by the report.
- Disable auto-cache.
- Increase the report utilization quota.
- Test the dataset.

Refer to the exhibit. Client-1 is trying to access the internet for web browsing. All FortiGate devices in the topology are part of a Security Fabric with logging to FortiAnalyzer configured. All firewall policies have logging enabled. All web filter profiles are configured to log only violations. Which statement about the logging behavior for this specific traffic flow is true?
- Only FGT-B will create traffic logs.
- FGT-B will see the MAC address of FGT-A as the destination and notifies FGT-A to log this flow.
- FGT-B will create traffic logs and will create web filter logs if it detects a violation.
- Only FGT-A will create web filter logs if it detects a violation.

Which statement about the FortiSOAR management extension is correct?
- It requires a FortiManager configured to manage FortiGate.
- It runs as a docker container on FortiAnalyzer.
- It requires a dedicated FortiSOAR device or VM.
- It does not include a limited trial by default.

Which three tasks can be performed on FortiAnalyzer using FortiAI? (Choose three.)
- Configure site-to-site VPN using FortiAI.
- Perform incident investigation and response.
- Identify potential impacts and recommend remediation.
- Configure SD-WAN overlay using FortiAI.
- Perform threat hunting.

Which SQL query is in the correct order to query the database in the FortiAnalyzer?
- SELECT devid FROM $log GROUP BY devid WHERE 'user',,' users1'
- SELECT FROM $log WHERE devid 'user',, USER1' GROUP BY devid
- SELCT devid WHERE 'user'-' USER1' FROM $log GROUP By devid
- SELECT devid FROM $log WHERE 'user'=' GROUP BY devid

How does FortiAnalyzer block indicators? (Choose one answer.)
- It uses an automation script to update FortiGate with the block list.
- It uses a FortiManager connector to send the block list.
- It uses a FortiClient EMS connector to send the block list.
- It uses a webhook to allow FortiGate to send the block list.

Which two statements about local logs on FortiAnalyzer are true? (Choose two.)
- They are not supported in FortiView.
- You can view playbook logs for all ADOMs in the root ADOM.
- Event logs show system-wide information, whereas application logs are ADOM-specific.
- Event logs are available only in the root ADOM.

Refer to the exhibit. Based on the partial outputs displayed, which devices can be members of a FortiAnalyzer Fabric?
- FortiAnalyzer1 and FortiAnalyzer3
- FortiAnalyzer1 and FortiAnalyzer2
- FortiAnalyzer2 and FortiAnalyzer3
- All devices listed can be members.

Refer to the exhibit. What is the purpose of using the Chart Builder feature on FortiAnalyzer?
- To build a chart automatically based on the top 100 log entries
- To add charts directly to generate reports in the current ADOM
- To add a new chart under FortiView to be used in new reports
- To build a dataset and chart based on the filtered search results