FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Questions and Answers

Thelicense filelocated at/etc/opsd/.fortisiem4x0is critical for thecollector's operation, as it verifies the collector'sregistration with the supervisorand enables proper functionality.

If thislicense file is removed, the collector:

● Willlose its registrationwith the supervisor.

● Willstop receiving updates and configurationsfrom the FortiSIEM supervisor.

● Will requirere-registrationwith the supervisor to obtain a new license file.

InFortiSIEM baselining, anhourly bucketis used to maintainhourly-specific statistical baselines. This helps detect anomalies by comparing current activity against historical norms foreach hour of the day, separately forweekdays and weekends.

The system maintainshourly profiles, ensuring that anomalies are detected based on similar timeframes. This approach prevents false positives due to natural variations in network activity across different times of the day and different days of the week.

TheLookupTableHasfunction is used tocheck whether a specified key exists in a lookup table. It returnseither true or false, depending on whether the key is found in the table.

● If the key is present, the function returnstrue.

● If the key is absent, the function returnsfalse.

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

Automatic remediation inFortiSIEMenablesreal-time responseto security threats without manual intervention. While this can improve response times, it also introducesrisksbecauseactions are taken automatically based on predefined rules, without human verification.

● Automated responsescould mistakenly block legitimate usersfrom critical systems or applications.

●Misconfigured rulesmightdisconnect essential systems, causing business disruptions.

● If an incident isa false positive,automatic remediation may interfere with normal operationsunnecessarily.

FortiSIEM enforces a device limit based on licensing and system-wide constraintsto ensure proper resource allocation and performance management.

The device limit is determined by the purchased license.

● FortiSIEM licensing includes limits on thenumber of devicesthat can be monitored.

● Thelicense type(e.g.,Enterprise vs. Service Provider) defines themaximum number of devicessupported.

For Service Provider editions, the device limit applies system-wide and is shared across all customers.

● In anMSSP (Managed Security Service Provider) setup, the totaldevice limit applies across all customers, rather than being allocated individually.

● This allowsflexible resource allocationbased on customer needs.

Lookup tables and watchlists serve different purposes in Fortinet’s Advanced Analytics:

● Lookup tables allow for structured data storage with multiple columns, making them useful for correlating different attributes or key-value pairs.

● Watchlists are simpler and contain only a single column, often used for quick reference to flagged values, such as IP addresses or user accounts.

The Z-score formula in the expression builder calculates how many standard deviations the current value is from the historical average. The formula used is:

AVG(Firewall Session)represents the current firewall session rate.

STAT_AVG(AVG(Firewall Session);112)represents the historical average over a 112-time unit window.

STAT_STDDEV(AVG(Firewall Session);112)represents the historical standard deviation over the same period.

AZ-score ≥ 3indicates that the current firewall session rate issignificantly higherthan the historical average (3 standard deviations above the mean), signaling ananomaly.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.

The incident shown in the exhibit indicates that a firewall detected malware but could not remediate it. The firewall identified the EICAR_TEST_FILE virus and logged the source IP (10.0.3.10) as the origin of the threat.

To remediate this, the administrator should take action at the network level, specifically using FortiOS to block the source IP address. The option "Run the block IP FortiOS 5.4" provides the ability to block traffic from the infected IP at the firewall level, effectively preventing further threats from that source.

From the exhibit, the rule exception is set for:

● Time Range: Starts at 00:00:00

● Duration: 2 days

● Recurrence Pattern: December 25th and December 26th

This means that during these two days (every year in December), the rule will not trigger incidents.

Rule exceptions temporarily suppress incident generation during the specified period.

Events are still processed, but no incidents are generated.

Based on the provided exhibit, we can determine how long the UEBA agent has been operationally down by looking at the "First Occurred" and "Last Occurred" timestamps.

● First Occurred: Sep 13, 2021, at 01:10 PM

● Last Occurred: Sep 14, 2021, at 09:10 AM

From Sep 13, 01:10 PM to Sep 14, 01:10 AM → 12 hours

From Sep 14, 01:10 AM to Sep 14, 09:10 AM → 8 hours

Total downtime = 12 + 8 = 20 hours

In FortiSIEM, an agent’s status of "Running Inactive" indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

Total EPS License Purchased: 500 EPS

Allocated EPS:

● Customer A: 100 EPS

● Customer B: 200 EPS

Remaining EPS Pool:

500 − (100 + 200) = 200 EPS