Pass the Fortinet Certified Professional Security Operations FCSS_ADA_AR-6.7 Questions and answers with ExamsMirror

The rule engine in FortiSIEM loads baseline data values from the profile database. This database stores historical trends and behavioral baselines for various metrics, such as CPU usage, network activity, and authentication patterns.

● Profile database maintains long-term aggregated statistics for anomaly detection.

● Baseline values are used to compare current events against expected behavior.

● This helps in detecting deviations, such as a sudden increase in failed logins or unusual traffic spikes.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.

The administrator deployed FortiSIEM without a collector, meaning there is no dedicated system collecting logs from service provider infrastructure devices. Without a collector, the FortiSIEM supervisor and workers must directly ingest logs, which is not ideal for a multi-tenant service provider setup. A collector is necessary to efficiently gather logs before forwarding them to the FortiSIEM cluster.

From the provided XML configuration, we need to focus on the section, which defines the attributes used for grouping.

In the SelectClause, the following attributes are listed:

reptDevName, reptDevAddr, COUNT(*), COUNT(DISTINCT user), COUNT(DISTINCT srcIpAddr)

● reptDevName represents the reporting device.

● reptDevAddr represents the reporting IP.

● COUNT(DISTINCT user) tracks unique users.

● COUNT(DISTINCT srcIpAddr) tracks distinct source IPs.

In the GroupByAttr section:

reptDevName, reptDevAddr

This confirms that the grouping is performed by Reporting Device (reptDevName) and Reporting IP (reptDevAddr).

The Z-score formula in the expression builder calculates how many standard deviations the current value is from the historical average. The formula used is:

AVG(Firewall Session) represents the current firewall session rate.

STAT_AVG(AVG(Firewall Session);112) represents the historical average over a 112-time unit window.

STAT_STDDEV(AVG(Firewall Session);112) represents the historical standard deviation over the same period.

A Z-score ≥ 3 indicates that the current firewall session rate is significantly higher than the historical average (3 standard deviations above the mean), signaling an anomaly.

In FortiSIEM, some incidents may be triggered due to temporary threshold breaches, especially in availability or performance-related monitoring. These temporary anomalies do not necessarily indicate a persistent issue or security threat.

By automatically clearing such incidents, FortiSIEM prevents unnecessary manual intervention and reduces noise in incident management.

The Windows agent (fortibank_dc.fortibank.net) is in an "Unmanaged" state, which indicates that it has not received a monitoring template from FortiSIEM. Without a template, the agent does not know what logs to collect or forward, meaning it is not sending logs to the supervisor.

The agent is registered, meaning it has completed the installation and connection process. Since it is unmanaged, it is not actively monitored or configured to send logs. To resolve this, the administrator must assign a monitoring template to enable proper log forwarding.