Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
Fortinet
Fortinet Certified Professional Security Operations
FCP_FSM_AN-7.2
FCP - FortiSIEM 7.2 Analyst Questions and Answers

Pass the Fortinet Certified Professional Security Operations FCP_FSM_AN-7.2 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam FCP_FSM_AN-7.2 Premium Access

View all detail and faqs for the FCP_FSM_AN-7.2 exam

Go to Exam

435 Students Passed

88% Average Score

96% Same Questions

Viewing page 1 out of 1 pages

Viewing questions 1-10 out of questions

Questions # 1:

What can you use to send data to FortiSIEM for user and entity behavior analytics (UEBA)?

Options:

FortiSIEM agent

SSH

SNMP

FortiSIEM worker

Answer

Explanation

The FortiSIEM agent can be used to send detailed endpoint data such as user activity and process behavior to FortiSIEM, which is essential for performing User and Entity Behavior Analytics (UEBA).

Questions # 2:

Refer to the exhibit.

Question # 2

The analyst is troubleshooting the analytics query shown in the exhibit.

Why is this search not producing any results?

Options:

The Time Range is set incorrectly.

The inner and outer nested query attribute types do not match.

You cannot reference User and Event Type attributes in the same search.

The Boolean operator is wrong between the attributes.

Answer

Questions # 3:

How can you query the configuration management database (CMDB) in an analytics search?

Options:

Click Value > Select from CMDB.

On the CMDB tab, select an entry, and then click Create Search.

On the Admin tab, click CMDB Search.

Click Attribute > Select from CMDB.

Answer

Explanation

In an analytics search, you can query the CMDB by clicking Value > Select from CMDB, which allows you to choose values directly from CMDB entries for the selected attribute, enabling precise filtering based on asset data.

Questions # 4:

Refer to the exhibit.

Question # 4

If you group the events by User, Source IP, and Count attributes, how many results will FortiSIEM display?

Options:

Two

Six

Three

Five

Four

Answer

Explanation

Grouping by User, Source IP, and Count means that each unique combination of those three attributes will be treated as a separate result. In the table, all six rows have distinct combinations of User, Source IP, and Count - so FortiSIEM will display 6 results.

Questions # 5:

Refer to the exhibit.

Question # 5

Which value would you expect the FortiSIEM parser to use to populate the Application Name field?

Options:

applist

Network.Service

SSL

wan1

Answer

Explanation

The Application Name field in FortiSIEM is typically populated using the value of the app field in the raw log. In this event, app="SSL", so "SSL" is the expected application name parsed by FortiSIEM.

Questions # 6:

Refer to the exhibit.

Question # 6

What happens when an analyst clears an incident generated by a rule containing the automation policy shown in the exhibit?

Options:

No notification is sent.

An email is sent to the SOC manager.

The remediation script is run.

A notification is sent to the SOC manager dashboard.

Answer

Questions # 7:

What are two required components of a rule? (Choose two.)

Options:

Exception policy

Subpattern

Detection Technology

Clear policy

Answer

B, C

Explanation

A Subpattern defines the specific conditions or event patterns the rule is designed to detect, and the Detection Technology specifies the type of detection logic (e.g., real-time, historical). Both are essential for a rule to function in FortiSIEM.

Questions # 8:

Refer to the exhibit.

Question # 8

Which two lookup types can you reference as the subquery in a nested analytics query? (Choose two.)

Options:

LDAP Query

CMDB Query

SNMP Query

Event Query

Answer

B, D

Questions # 9:

Refer to the exhibit.

Question # 9

Which two conditions will match this rule and subpatterns? (Choose two.)

Options:

A user using RDP over SSL VPN fails to log in to an application five times.

A user runs a brute force password cracker against an RDP server.

A user fails twice to log in when connecting through RDP.

A user connects to the wrong IP address for an RDP session five times.

Answer

A, B

Explanation

The user initiates an RDP session (Subpattern 1) and then fails to log in multiple times (Subpattern 2 with COUNT(Matched Events) >= 3) - both from the same Source IP and User within 300 seconds.

The brute force attempts typically involve a successful RDP connection followed by multiple failed logins, satisfying the sequence and grouping conditions in the rule.

Viewing page 1 out of 1 pages

Viewing questions 1-10 out of questions