Fortinet FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Exam Practice Test

FortiSIEM's rule engine queries the profile database to analyze historical behavior and detect anomalies. The profile database stores statistical baselines, which include:

● Statistical average (mean values over time)

● Standard deviation (variability from the mean)

These values help the rule engine determine whether an observed metric (such as logins, failed attempts, network traffic, or system performance) deviates significantly from the normal pattern for the same hour of the day.

InFortiSIEM,SQLite databasesused forbaseliningare stored in the/opt/phoenix/cachedirectory. This location is used fortemporary storage and caching of profile datathat is essential for anomaly detection and trend analysis.

●Baselininginvolves analyzing historical data to determine expected behavior patterns.

●SQLite databasesstore aggregated statistics, which are referenced during rule evaluations.

● Thecache directoryallows quick access to these values without querying the main database repeatedly.

TheWindows agent (fortibank_dc.fortibank.net)is in an"Unmanaged"state, which indicates that it has not received amonitoring templatefrom FortiSIEM. Without a template, the agent does not know what logs to collect or forward, meaning it isnot sending logs to the supervisor.

Theagent is registered, meaning it has completed the installation and connection process. Since it isunmanaged, it isnot actively monitoredor configured to send logs. To resolve this, the administrator mustassign a monitoring templateto enable proper log forwarding.

These three processes are essential for aFortiSIEM collector, as they handle event parsing, agent communication, and system monitoring.

●phParseris responsible forparsing and processing collected logsbefore forwarding them.

●phAgentManagermanages agent communication, ensuring logs are received and forwarded correctly.

●phMonitorAgentmonitors the health of the collector itself, reporting system status to the FortiSIEM supervisor.

phReportMasterandphRuleMasterdo not run on collectors. They are supervisor/worker processes handling reporting and rule evaluation, respectively.

The admin password is a mandatory field, as indicated in the exhibit ("Required" in red). It is needed for authentication and administrative access.

The organization name ("University") is necessary to associate the collector with the correct organization.

The Admin User (uniadmin) is a required field for defining the administrator of the collector.

InFortiSIEM baselining, anhourly bucketis used to maintainhourly-specific statistical baselines. This helps detect anomalies by comparing current activity against historical norms foreach hour of the day, separately forweekdays and weekends.

The system maintainshourly profiles, ensuring that anomalies are detected based on similar timeframes. This approach prevents false positives due to natural variations in network activity across different times of the day and different days of the week.

Atmidnight, thedaily database valuesmerge into theprofile database. The new values forHour 9are calculated as follows:

●Minimum CPU Utilization:The new minimum is the lower of the existing (32.31) and new (33.50) values →32.31

●Maximum CPU Utilization:The new maximum is the higher of the existing (32.31) and new (33.50) values →33.50

●Average CPU Utilization:

● The previous average was32.31(from one point).

● The new value from the daily database is33.50(one additional point).

● The new average is calculated as:

Thus, after merging, the updated profile database values forHour 9are:

●Min CPU Util = 32.31

●Max CPU Util = 33.50

●Avg CPU Util = 32.67

The exhibit shows a FortiSIEM cluster deployed in a multi-tenant service provider environment, serving multiple customers. The architecture includes:

1. Customers with Collectors

Customer A and Customer B (AWS) have collectors deployed within their environments.

Collectors gather and forward logs to the FortiSIEM cluster for centralized analysis.

2. Customers Without Collectors

Customer C does not have a collector; instead, it sends logs directly to the FortiSIEM cluster.

3. Super Organization Managing Infrastructure

The service provider infrastructure devices (e.g., networking and security appliances) are managed directly by the FortiSIEM cluster.

This mixed setup, where some customers use collectors while others send logs directly, represents a hybrid deployment with and without collectors.

EPS burstingin FortiSIEM allows temporary spikes in events per second (EPS) beyond the licensed limit, but only if there areaccumulated unused EPS credits. This ensures flexibility in handling short-term surges without requiring a permanent license upgrade.

● FortiSIEMaccumulates unused EPS creditswhen actual EPS usage is below the licensed limit.

● When anevent surgeoccurs, FortiSIEM canburst up to 5x the licensed EPS,but only if there are sufficient accumulated credits.

This allowsadaptive scalingwhile preventing abuse of resources beyond allocated licensing.

The Z-score formula in the expression builder calculates how many standard deviations the current value is from the historical average. The formula used is:

AVG(Firewall Session)represents the current firewall session rate.

STAT_AVG(AVG(Firewall Session);112)represents the historical average over a 112-time unit window.

STAT_STDDEV(AVG(Firewall Session);112)represents the historical standard deviation over the same period.

AZ-score ≥ 3indicates that the current firewall session rate issignificantly higherthan the historical average (3 standard deviations above the mean), signaling ananomaly.

The rule triggers an incident when there are two or more VPN logon failures within a 10-minute window, grouped by Source IP, Reporting Device, Reporting IP, and User. Let's analyze the events:

Breakdown of Events:

1. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Sarah

2. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: John

3. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Tom

4. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: John

5. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Sarah

6. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Tom

Now, applying the grouping criteria (Source IP, Reporting Device, Reporting IP, and User):

● Group 1: (1.1.1.1, 2.2.2.2, FortiGate, John) → 1 occurrence (not enough)

● Group 2: (1.1.1.1, 2.2.2.2, FortiGate, Sarah) → 1 occurrence (not enough)

● Group 3: (1.1.1.1, 2.2.2.2, FortiGate, Tom) → 2 occurrences (incident triggered)

● Group 4: (1.1.1.3, 2.2.2.2, FortiGate2, John) → 2 occurrences (incident triggered)

● Group 5: (1.1.1.3, 2.2.2.2, FortiGate2, Sarah) → 1 occurrence (not enough)

● Group 6: (1.1.1.3, 2.2.2.2, FortiGate2, Tom) → 1 occurrence (not enough)

Final Incident Count:

● One incident for Group 3 (Tom on FortiGate)

● One incident for Group 4 (John on FortiGate2)

When registeringagentsin FortiSIEM, the organization to which they belong depends on how they are installed:

●Windows Agents

● During installation, the setup wizard prompts the user to specify theorganization.

● This ensures the agent is correctly assigned to the organization defined during setup.

●Linux Agents

● Installation on Linux requirescommand-line parameters, including theorganization name.

● This means that the organization is explicitly defined during the installation process.

FortiSIEMcollectorsare responsible forgathering logsfrom devices andforwarding themto the FortiSIEM cluster. Their communication with the cluster follows these key principles:

●Collectors periodically communicate with the supervisor node.

● This allows them toreport status, receive updates, and verify configurations.

●The supervisor periodically checks the health of the collector.

● Thesupervisor monitors the collector’s uptime, connectivity, and performance.

●Collectors upload event data to worker nodes but report health to the supervisor.

●Event logs are uploaded to worker nodesas per theworker upload list, ensuring distributed event processing.

●Health status is always reported directly to the supervisorfor centralized monitoring.

Collaborative knowledge sharing: FortiSOAR enables security teams to share knowledge, automate workflows, and improve incident response efficiency by centralizing intelligence and standardizing processes.

Addressing analyst skills gap: By automating repetitive tasks and providing guided response playbooks, FortiSOAR helps SOC teams compensate for skill shortages and improve operational effectiveness.

Reducing human error: Automation and predefined workflows minimize manual interventions, reducing the likelihood of errors in incident detection, response, and remediation.

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

In a multi-tenant FortiSOAR deployment, a Managed Security Service Provider (MSSP) hosts a shared FortiSOAR instance that serves multiple customers. Each customer operates as a separate tenant within the instance, ensuring data isolation and security.

FortiSOAR uses secure network connectivity (VPNs, direct connections, or secure tunnels) between the MSSP’s FortiSOAR manager node and the customer’s devices.

The customer does not need to install additional software or tenant nodes; instead, the MSSP manages multi-tenancy at the platform level.

The phProvisionCollector command is used to register a collector to the supervisor in FortiSIEM. The correct syntax requires:

● User → The admin username for authentication.

● Password → The password for authentication.

● Super IP → The IP address of the supervisor, which manages the collector.

● Organization → The organization to which the collector belongs.

● Worker Name → The name of the worker node responsible for handling events from this collector.