Fortinet FCSS_ADA_AR-6.7 Exam Practice Test Instant Access

Question 1

Which two statements about the maximum device limit on FortiSIEM are true? (Choose two.)

AThe device limit is based on the license type that was purchased from Fortinet.

BThe device limit is defined per customer and every customer is assigned a fixed number of device limit by the service provider.

CThe device limit is only applicable to enterprise edition.

DThe device limit is defined for the whole system and is shared by every customer on a service provider edition.
FortiSIEM enforces a device limit based on licensing and system-wide constraints to ensure proper resource allocation and performance management.
The device limit is determined by the purchased license.
FortiSIEM licensing includes limits on the number of devices that can be monitored.
The license type (e.g., Enterprise vs. Service Provider) defines the maximum number of devices supported.
For Service Provider editions, the device limit applies system-wide and is shared across all customers.
In an MSSP (Managed Security Service Provider) setup, the total device limit applies across all customers, rather than being allocated individually.
This allows flexible resource allocation based on customer needs.

Answer : A, D

Question 2

Which three statements about collector communication with the FortiSIEM cluster are true? (Choose three.)

ACollectors communicate periodically with the supervisor node.

BThe supervisor periodically checks the health of the collector.

CThe only communication between the collector and the supervisor is during the registration process.

DThe supervisor does not initiate any connections to the collector node.

ECollector upload event data to any node in the worker upload list, but report their health directly to the supervisor node.
FortiSIEM collectors are responsible for gathering logs from devices and forwarding them to the FortiSIEM cluster. Their communication with the cluster follows these key principles:
Collectors periodically communicate with the supervisor node.
This allows them to report status, receive updates, and verify configurations.
The supervisor periodically checks the health of the collector.
The supervisor monitors the collector's uptime, connectivity, and performance.
Collectors upload event data to worker nodes but report health to the supervisor.
Event logs are uploaded to worker nodes as per the worker upload list, ensuring distributed event processing.
Health status is always reported directly to the supervisor for centralized monitoring.

Answer : A, B, E

Question 3

Refer to the exhibit.

The exhibit shows the output of an SQL command that an administrator ran to view the natural_id value, after logging into the Postgres database.

What does the natural_id value identify?

AThe collector

BAn agent

CThe worker

DThe supervisor
The natural_id value in the ph_sys_connector table of the FortiSIEM Postgres database uniquely identifies a collector.
The SQL query retrieves details from ph_sys_connector, which stores information about registered collectors.
The cust_org_id field indicates the organization ID the collector belongs to.
The name field shows the collector's name (OrgA_Collector).
The ip_addr field lists the collector's IP address (10.10.2.91).
The natural_id value uniquely identifies the collector in the system.

Answer : A

Question 4

In the event of a WAN link failure between the collector and the supervisor, by default, what is the maximum number of event files stored on the collector?

A20,000

B10,000

C40,000

D30,000
When a WAN link failure occurs between the collector and the supervisor in FortiSIEM, the collector buffers event files until the connection is restored. By default:
The collector can store up to 10,000 event files before reaching its buffer limit.
Once the WAN link is restored, the collector uploads the stored event files to the supervisor for processing.
If the buffer limit is exceeded, older event files may be overwritten to make space for new ones.

Answer : B

Question 5

From where does the rule engine load the baseline data values?

AThe memory

BThe profile report

CThe profile database

DThe daily database
The rule engine in FortiSIEM loads baseline data values from the profile database. This database stores historical trends and behavioral baselines for various metrics, such as CPU usage, network activity, and authentication patterns.
Profile database maintains long-term aggregated statistics for anomaly detection.
Baseline values are used to compare current events against expected behavior.
This helps in detecting deviations, such as a sudden increase in failed logins or unusual traffic spikes.

Answer : C

Question 6

What is the disadvantage of automatic remediation?

AIt can make a disruptive change to a user, block access to an application, or disconnect critical systems from the network.

BExternal threats or attacks detected by FortiSIEM will need user interaction to take action on an already overworked SOC team.

CIt is equivalent to running an IPS in monitor-only mode-watches but does not block.

DThreat behavior occurring during the night could take hours to respond to.
Automatic remediation in FortiSIEM enables real-time response to security threats without manual intervention. While this can improve response times, it also introduces risks because actions are taken automatically based on predefined rules, without human verification.
Automated responses could mistakenly block legitimate users from critical systems or applications.
Misconfigured rules might disconnect essential systems, causing business disruptions.
If an incident is a false positive, automatic remediation may interfere with normal operations unnecessarily.

Answer : A

Question 7

What happens to UEBA events when a user is off-net?

AThe agent will cache events locally if it cannot upload them to a FortiSIEM collector

BThe agent will drop the events if it cannot upload them to a FortiSIEM collector

CThe agent will upload the events to the Worker if it cannot upload them to a FortiSIEM collector

DThe agent will upload the events the events to the Supervisor if it cannot upload them to a FortiSIEM collector
When a User and Entity Behavior Analytics (UEBA) agent is off-net, meaning it is disconnected from the network and cannot reach the FortiSIEM collector, it temporarily stores (caches) events locally until it can re-establish a connection.
This caching mechanism prevents data loss by ensuring events are retained even when the agent is offline.
Once the connection to the FortiSIEM collector is restored, the agent uploads the cached events.
This ensures continuity in user behavior monitoring, even when users are disconnected.

Answer : A

Fortinet FCSS_ADA_AR-6.7 FCSS - Advanced Analytics 6.7 Architect Exam Practice Test