FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Question and Answers

When a WAN link failure occurs between the collector and the supervisor in FortiSIEM:

● The collector does not discard events; instead, it buffers them until the connection is restored.

● The buffering limit is up to 1 GB after compression to optimize storage and prevent data loss.

● Once the WAN link is restored, buffered events are sent to the supervisor for processing.

Total EPS License Purchased: 500 EPS

Allocated EPS:

● Customer A: 100 EPS

● Customer B: 200 EPS

Remaining EPS Pool:

500 − (100 + 200) = 200 EPS

From the exhibit, the rule exception is set for:

● Time Range: Starts at 00:00:00

● Duration: 2 days

● Recurrence Pattern: December 25th and December 26th

This means that during these two days (every year in December), the rule will not trigger incidents.

Rule exceptions temporarily suppress incident generation during the specified period.

Events are still processed, but no incidents are generated.

Therule engineinFortiSIEMloadsbaseline data valuesfrom theprofile database. This database stores historical trends and behavioral baselines for various metrics, such asCPU usage, network activity, and authentication patterns.

●Profile databasemaintainslong-term aggregated statisticsfor anomaly detection.

●Baseline valuesare used to comparecurrent eventsagainst expected behavior.

● This helps indetecting deviations, such as a sudden increase in failed logins or unusual traffic spikes.

In FortiSIEM, collectors must know where to upload event data. During registration, the supervisor provides the collector with the worker upload address.

The worker upload address tells the collector where to send logs after collection. If no worker upload address is set, the collector has no destination for its data, preventing proper registration.

Afterregistration, collectors maintaincontinuous communicationwith theSupervisorto ensure properevent processing, system health monitoring, and failover handling. The two key reasons collectors communicate with the Supervisor are:

1.To upload event data if a worker is down

If aworker node fails, thecollector can temporarily store event logsand then forward them to the Supervisor.

This ensuresevent continuityeven during infrastructure issues.

2.To report its own health status

Thecollector sends health reportsto theSupervisor, including resource usage, connectivity status, and operational logs.

This helps FortiSIEM trackcollector uptime and performance.

The exhibit shows the directory listings forthree different workers(worker1,worker2, andworker3) under the/querywkr/active/13127*path, which indicatesactive query tasksassigned to each worker.

1.Worker1 (worker1)

The output doesnotshow any subdirectories or task files (13127t0,13127t1, etc.), meaningWorker1 is not assigned any tasks.

2.Worker2 (worker2)

The output showsone task (13127t1)under/querywkr/active/13127*.

The workerhas only one assigned task, not two, so optionsC and D are incorrect.

3.Worker3 (worker3)

The output showstwo tasks (13127t0and13127t1), indicating that Worker3 is processingtwo tasksfor query ID 13127.

In FortiSIEM, some incidents may be triggered due to temporary threshold breaches, especially in availability or performance-related monitoring. These temporary anomalies do not necessarily indicate a persistent issue or security threat.

By automatically clearing such incidents, FortiSIEM prevents unnecessary manual intervention and reduces noise in incident management.

In aFortiSIEM deployment,device discoveryis handled by theSupervisor, even when aCollectoris present.

● TheSupervisor initiates active scansusing protocols such asSNMP, WMI, SSH, and API queriesto discover devices in the network.

●Collectors do not perform discovery; they primarilycollect and forward logsfrom designated devices to the Supervisor.

●Workers handle event processing, not discovery.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.

InFortiSIEM,SQLite databasesused forbaseliningare stored in the/opt/phoenix/cachedirectory. This location is used fortemporary storage and caching of profile datathat is essential for anomaly detection and trend analysis.

●Baselininginvolves analyzing historical data to determine expected behavior patterns.

●SQLite databasesstore aggregated statistics, which are referenced during rule evaluations.

● Thecache directoryallows quick access to these values without querying the main database repeatedly.

InFortiSIEM, anintegration policycan be invokedthrough Notification Policy settings. This allows automated responses such as:

● Sending alerts toexternal systems (e.g., SIEMs, ticketing systems, SOAR platforms).

● Triggering actions based on specificincident rules.

● Integrating withthird-party solutionsforremediation, escalation, or logging.

FortiSIEM's User and Entity Behavior Analytics (UEBA) uses AI-driven modeling to detect anomalies and security risks based on user activity. The risk weighting for UEBA tags allows customization of the AI model by prioritizing certain behaviors or indicators over others.

Adjusting risk weightings fine-tunes how the AI model evaluates risk, helping organizations align detection sensitivity with their security policies. This provides a customized risk scoring mechanism without requiring full AI retraining.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.