Fortinet Updated FCSS_ADA_AR-6.7 Exam Questions and Answers by raymond

In a nested event query, the inner query executes first, and its results feed into the outer query. Since the Source IP comes from the report "Failed Logons to Network Devices", which is part of the inner query, the nested time range applies to it. The other attributes, Reporting IP and Event Type, belong to the outer query and are not affected by the nested time range.

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

From theFilterssection in the exhibit, we see:

1.Event Type IN EventTypes: Domain Account Locked

This means the rule will match events where the event type is classified under theDomain Account Lockedcategory.

2.Reporting IP IN Applications: Domain Controller

This means the rule is filtering for events where the reporting IP is classified under theDomain Controller applications group.

3.Logical Operator: AND

The filters are combined usingAND, meaning both conditions must be met for an event to match.

Since both conditions must be true, the rule is effectively filtering events where:

● Theevent typebelongs to theDomain Account Locked CMDB group

● Thereporting IPbelongs to theDomain Controller applications group

Lookup tables and watchlists serve different purposes in Fortinet’s Advanced Analytics:

● Lookup tables allow for structured data storage with multiple columns, making them useful for correlating different attributes or key-value pairs.

● Watchlists are simpler and contain only a single column, often used for quick reference to flagged values, such as IP addresses or user accounts.