FCSS_ADA_AR-6.7 Exam Dumps - FCSS Advanced Analytics 6.7 Architect

The rule groups events by Reporting IP, Reporting Device, and User. Let's analyze the five events:

Events Received:

1. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John

2. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig

3. Reporting IP: 1.1.1.2, Reporting Device: Server109, User: Mary

4. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig (Duplicate of #2)

5. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John (Duplicate of #1)

Grouping Based on:

● Reporting IP

● Reporting Device

● User

Count unique groups:

1. (1.1.1.1, Server101, John) → 2 occurrences (counted as one group)

2. (1.1.1.1, Server101, Craig) → 2 occurrences (counted as one group)

3. (1.1.1.2, Server109, Mary) → 1 occurrence (counted as one group)

Since we need at least one matching event (count >= 1) per group, incidents are created for each unique group.

Total unique groups (incidents created) = 2

● John on Server101 (1.1.1.1)

● Craig on Server101 (1.1.1.1)

TheLookupTableHasfunction is used tocheck whether a specified key exists in a lookup table. It returnseither true or false, depending on whether the key is found in the table.

● If the key is present, the function returnstrue.

● If the key is absent, the function returnsfalse.

When aWAN link failureoccurs between thecollectorand thesupervisorin FortiSIEM, the collectorbuffers event filesuntil the connection is restored. By default:

● Thecollector can store up to 10,000 event filesbefore reaching its buffer limit.

● Once the WAN link is restored, thecollector uploads the stored event filesto the supervisor for processing.

● If thebuffer limit is exceeded,older event files may be overwrittento make space for new ones.

The rule is tracking asudden increase in WMI response timesover a30-minute window. The key detail here is the increase factor.

● The term1.50 times increasemeans the new value is150%of the previous baseline.

● A1.50x increasecorresponds to a150% increase, since the new value isoriginal + 150% of original.

InFortiSIEM, collectors need to upload event logs to aworker nodefor processing. However, if there isno dedicated worker, thesupervisor can function as the workerto receive data.

● The error message suggests that aworker upload addressmust be defined before adding a collector.

● Since there isno dedicated worker, the administrator canset the Supervisor IP as the upload destinationto enable log collection.

The exhibit shows a FortiSIEM cluster deployed in a multi-tenant service provider environment, serving multiple customers. The architecture includes:

1. Customers with Collectors

Customer A and Customer B (AWS) have collectors deployed within their environments.

Collectors gather and forward logs to the FortiSIEM cluster for centralized analysis.

2. Customers Without Collectors

Customer C does not have a collector; instead, it sends logs directly to the FortiSIEM cluster.

3. Super Organization Managing Infrastructure

The service provider infrastructure devices (e.g., networking and security appliances) are managed directly by the FortiSIEM cluster.

This mixed setup, where some customers use collectors while others send logs directly, represents a hybrid deployment with and without collectors.

From the"Clear If"condition in the exhibit:

●WITHIN 5 minutes, the system checks if the patternAllPingLossSrv_CLEARoccurs.

● TheHost IP of the clear condition must match the Host IP of the original rule(Clear_Condition.Host IP = Original_Rule.Host IP).

● If this condition is met, the systemautomatically clears the incidentbecause it indicates that network connectivity has been restored (packet loss has dropped).

Thus, theincident was auto-clearedbecause the system detected that the issue was resolved within the defined5-minute window, meeting the conditions for auto-clearance.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.