Pass the Fortinet Fortinet Certified Professional Security Operations FCSS_ADA_AR-6.7 Questions and answers with CertsForce

Group By automatically applies a COUNT aggregation.

When using Group By in FortiSIEM structured queries, it automatically applies a COUNT(*) function unless a different aggregation (such as SUM, AVG, or MAX) is specified. This helps summarize data by counting occurrences of grouped attributes.

Group By is applied to real-time and historical searches.

Grouping functions work in both real-time (live event monitoring) and historical (past event analysis) searches, making it useful for trend analysis, anomaly detection, and correlation.

The Z-score formula in the expression builder calculates how many standard deviations the current value is from the historical average. The formula used is:

AVG(Firewall Session)represents the current firewall session rate.

STAT_AVG(AVG(Firewall Session);112)represents the historical average over a 112-time unit window.

STAT_STDDEV(AVG(Firewall Session);112)represents the historical standard deviation over the same period.

AZ-score ≥ 3indicates that the current firewall session rate issignificantly higherthan the historical average (3 standard deviations above the mean), signaling ananomaly.

Automatic remediation inFortiSIEMenablesreal-time responseto security threats without manual intervention. While this can improve response times, it also introducesrisksbecauseactions are taken automatically based on predefined rules, without human verification.

● Automated responsescould mistakenly block legitimate usersfrom critical systems or applications.

●Misconfigured rulesmightdisconnect essential systems, causing business disruptions.

● If an incident isa false positive,automatic remediation may interfere with normal operationsunnecessarily.

In FortiSIEM, an agent’s status of "Running Inactive" indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

When registeringagentsin FortiSIEM, the organization to which they belong depends on how they are installed:

●Windows Agents

● During installation, the setup wizard prompts the user to specify theorganization.

● This ensures the agent is correctly assigned to the organization defined during setup.

●Linux Agents

● Installation on Linux requirescommand-line parameters, including theorganization name.

● This means that the organization is explicitly defined during the installation process.

The rule groups events by Reporting IP, Reporting Device, and User. Let's analyze the five events:

Events Received:

1. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John

2. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig

3. Reporting IP: 1.1.1.2, Reporting Device: Server109, User: Mary

4. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig (Duplicate of #2)

5. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John (Duplicate of #1)

Grouping Based on:

● Reporting IP

● Reporting Device

● User

Count unique groups:

1. (1.1.1.1, Server101, John) → 2 occurrences (counted as one group)

2. (1.1.1.1, Server101, Craig) → 2 occurrences (counted as one group)

3. (1.1.1.2, Server109, Mary) → 1 occurrence (counted as one group)

Since we need at least one matching event (count >= 1) per group, incidents are created for each unique group.

Total unique groups (incidents created) = 2

● John on Server101 (1.1.1.1)

● Craig on Server101 (1.1.1.1)

Lookup tables and watchlists serve different purposes in Fortinet’s Advanced Analytics:

● Lookup tables allow for structured data storage with multiple columns, making them useful for correlating different attributes or key-value pairs.

● Watchlists are simpler and contain only a single column, often used for quick reference to flagged values, such as IP addresses or user accounts.