FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Questions and Answers

Lookup tables and watchlists serve different purposes in Fortinet’s Advanced Analytics:

● Lookup tables allow for structured data storage with multiple columns, making them useful for correlating different attributes or key-value pairs.

● Watchlists are simpler and contain only a single column, often used for quick reference to flagged values, such as IP addresses or user accounts.

FortiSIEM does not allow CMDB queries to be nested within other CMDB queries. CMDB data is static information, and nesting would not add value or function properly in query execution.

When registeringagentsin FortiSIEM, the organization to which they belong depends on how they are installed:

●Windows Agents

● During installation, the setup wizard prompts the user to specify theorganization.

● This ensures the agent is correctly assigned to the organization defined during setup.

●Linux Agents

● Installation on Linux requirescommand-line parameters, including theorganization name.

● This means that the organization is explicitly defined during the installation process.

The rule is tracking asudden increase in WMI response timesover a30-minute window. The key detail here is the increase factor.

● The term1.50 times increasemeans the new value is150%of the previous baseline.

● A1.50x increasecorresponds to a150% increase, since the new value isoriginal + 150% of original.

Guaranteed Allocation:50 + 100 + 150 = 300 EPS

Actual (Incoming) Usage:25 + 50 + 75 = 150 EPS→ Unused from guarantees = 300 − 150 = 150 EPS

Burst Capacity (Licensed minus Guaranteed):520 − 300 = 220 EPS

Total Unused Capacity:150 + 220 = 370 EPS

As a Percentage of Licensed EPS:370/520 ≈ 71.15% → reported (after conversion/rounding) as ~71.460

The rule triggers an incident when there are two or more VPN logon failures within a 10-minute window, grouped by Source IP, Reporting Device, Reporting IP, and User. Let's analyze the events:

Breakdown of Events:

1. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Sarah

2. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: John

3. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Tom

4. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: John

5. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Sarah

6. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Tom

Now, applying the grouping criteria (Source IP, Reporting Device, Reporting IP, and User):

● Group 1: (1.1.1.1, 2.2.2.2, FortiGate, John) → 1 occurrence (not enough)

● Group 2: (1.1.1.1, 2.2.2.2, FortiGate, Sarah) → 1 occurrence (not enough)

● Group 3: (1.1.1.1, 2.2.2.2, FortiGate, Tom) → 2 occurrences (incident triggered)

● Group 4: (1.1.1.3, 2.2.2.2, FortiGate2, John) → 2 occurrences (incident triggered)

● Group 5: (1.1.1.3, 2.2.2.2, FortiGate2, Sarah) → 1 occurrence (not enough)

● Group 6: (1.1.1.3, 2.2.2.2, FortiGate2, Tom) → 1 occurrence (not enough)

Final Incident Count:

● One incident for Group 3 (Tom on FortiGate)

● One incident for Group 4 (John on FortiGate2)

InFortiSIEM, anintegration policycan be invokedthrough Notification Policy settings. This allows automated responses such as:

● Sending alerts toexternal systems (e.g., SIEMs, ticketing systems, SOAR platforms).

● Triggering actions based on specificincident rules.

● Integrating withthird-party solutionsforremediation, escalation, or logging.

FortiSIEMcollectorsare responsible forgathering logsfrom devices andforwarding themto the FortiSIEM cluster. Their communication with the cluster follows these key principles:

●Collectors periodically communicate with the supervisor node.

● This allows them toreport status, receive updates, and verify configurations.

●The supervisor periodically checks the health of the collector.

● Thesupervisor monitors the collector’s uptime, connectivity, and performance.

●Collectors upload event data to worker nodes but report health to the supervisor.

●Event logs are uploaded to worker nodesas per theworker upload list, ensuring distributed event processing.

●Health status is always reported directly to the supervisorfor centralized monitoring.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.

TheLookupTableHasfunction is used tocheck whether a specified key exists in a lookup table. It returnseither true or false, depending on whether the key is found in the table.

● If the key is present, the function returnstrue.

● If the key is absent, the function returnsfalse.

InFortiSIEM,numPointsis a parameter used inrules and the profile databaseto ensure the reliability of statistical baselines and prevent anomalies from being falsely triggered due to insufficient data.

1.To prevent premature triggering of a rule before a baseline is set and becomes active.

numPoints ensures that a rule does not trigger until a sufficient number of data points are collectedfor the baseline.

Without enough data, the system may generatefalse positivesdue to the lack of a stable historical pattern.

2.To fetch only values from the profile database that have numPoints greater than a certain threshold.

When querying theprofile database, numPoints acts as afilterto ensure that onlydata points meeting a minimum thresholdare considered for analysis.

This prevents unreliable or insufficient historical data from affecting anomaly detection.

InFortiSIEM, when an agent isuninstalled from a Windows device, the deviceremains in the CMDB (Configuration Management Database)until it ismanually removed.

●Uninstalling the agent does not automatically remove the device from the CMDB.

● CMDB maintains discovered deviceseven if they no longer report logs, ensuring historical tracking.

● Administrators mustmanually deletethe device from theCMDB > Devicessection.

The administratordeployed FortiSIEM without a collector, meaning there is no dedicated system collecting logs fromservice provider infrastructure devices. Without a collector, the FortiSIEMsupervisor and workersmust directly ingest logs, which is not ideal for amulti-tenant service provider setup. Acollector is necessaryto efficiently gather logs before forwarding them to the FortiSIEM cluster.

FortiSIEM's rule engine queries the profile database to analyze historical behavior and detect anomalies. The profile database stores statistical baselines, which include:

● Statistical average (mean values over time)

● Standard deviation (variability from the mean)

These values help the rule engine determine whether an observed metric (such as logins, failed attempts, network traffic, or system performance) deviates significantly from the normal pattern for the same hour of the day.