FCP_FAZ_AN-7.6 Exam Dumps - Fortinet Certified Professional Security Operations Questions and Answers

Exact Extract: Study Guide p.57-p.58: filtered Log View examples can show web filter category/action details, including allowed or blocked website categories.

Technical Deep Dive: The correct answer is B. The exhibit indicates social networking web activity is being allowed, not blocked. If the logs were application control logs, the log type/subtype would point to application control rather than web filtering. If unrated websites were blocked, the category/action fields would show that specific category and enforcement action. A custom view cannot be concluded unless the GUI explicitly displays a saved custom view name or custom view indicator.

Exact Extract: Study Guide p.200-p.203: playbooks run from a trigger and tasks can filter events before adding them to an incident.

Technical Deep Dive: The correct answer is D. The playbook task is filtering events using the configured criteria, and only the events that match those criteria are added to the incident. Because the task is configured to match any of the listed conditions, the analyst must count unique events matching severity, event type, or tag filters. The exhibit contains four unique matching events. Options A and B overcount by treating all or most events as matching. Option C is wrong because the filter is not empty and the exhibit shows events that meet the task criteria.

Exact Extract: Official Fortinet 7.6 documentation: historical logs migrate from PSQL to ClickHouse, and real-time logs insert into ClickHouse.

Technical Deep Dive: The correct answer is A. FortiAnalyzer 7.6 uses ClickHouse as the backend log database for on-premises log analytics. This change supports faster analytical queries and scalable handling of large log datasets. MySQL and Elasticsearch are not the FortiAnalyzer 7.6 log database. PostgreSQL was used in previous versions for log tables, but Fortinet’s 7.6 documentation states that historical logs are migrated from PSQL to ClickHouse and new real-time logs are inserted into ClickHouse.

Exact Extract: Study Guide p.217: zipped/base64 encoded JSON is one of the playbook export data types.

Technical Deep Dive: The correct answer is A. The exhibit shows encoded data rather than readable plain-text JSON, which indicates the playbook was exported in the zipped/base64 encoded format. That does not mean the playbook is misconfigured. It also does not prove connectors were excluded; connector inclusion is a separate export option. There is no indication of password protection. The key visual clue is that the export contains encoded data plus integrity information instead of a readable JSON playbook structure.

Exact Extract: Study Guide p.184: reports and charts can be imported/exported; templates and datasets cannot be exported directly.

Technical Deep Dive: The correct answers are B and C. FortiAnalyzer allows reports and charts to be imported and exported between same-type ADOMs or FortiAnalyzer devices. The guide explicitly says templates and datasets cannot be exported directly. Datasets move only as dependencies of exported charts, not as standalone exportable modules. Therefore, reports and charts are the two modules that match the direct import/export capability described in the guide.

Exact Extract: Study Guide p.184: templates and datasets cannot be exported directly; chart exports include the associated dataset.

Technical Deep Dive: The correct answer is C. In Report Definitions, the export/import rule is specific: reports and charts can be moved, templates and datasets cannot be exported directly. When a chart is exported, the dataset associated with that chart is included automatically, so importing the chart also imports the dataset. Option A is wrong because templates cannot be exported. Option B is wrong for the same reason. Option D is wrong because datasets are not directly exportable as standalone objects.

Exact Extract: Study Guide p.141: Insert Rate is the rate logs are indexed; Receive Rate is the rate raw logs reach FortiAnalyzer.

Technical Deep Dive: The correct answer is A. At the indicated time, the insert-rate value is higher than the receive-rate value, which means FortiAnalyzer is indexing logs faster than new logs are arriving. This can happen when the database is catching up with previously received logs. Option B is too literal and unsupported; the graph shows rates, not a one-log daemon lead. Option C is wrong because a rebuild is not indicated by a single favorable rate point. Option D would apply when received logs are waiting because indexing is behind, which is the reverse condition.

Exact Extract: Study Guide p.141: Log Insert Lag Time is the time between log receipt and indexing.

Technical Deep Dive: The correct answer is A. A rising data point on the Log Insert Lag Time graph means the delay between receiving logs and indexing them is increasing. That indicates the database/indexing pipeline is falling behind at that moment. Option B is wrong because the chart is not proving cache use to avoid drops. Option C might become true if lag exceeds baseline persistently, but a single point only shows lag behavior. Option D is the opposite: if sqlplugind were caught up, lag would be low or decreasing.

Exact Extract: Study Guide p.78 and p.81: a data selector is a common filter applied before every rule in the event handler.

Technical Deep Dive: The correct answer is C. Data selectors prevent analysts from repeating the same filtering logic in each event-handler rule. They narrow the data evaluated by the handler using device, subnet, and log-field criteria before individual rules are processed. Option A is wrong because data selectors do not control what FortiAnalyzer accepts from registered devices. Option B is invented; they do not download filters. Option D is too broad because a data selector is applied to selected handlers, not automatically to all event handlers at the same time.

Exact Extract: Study Guide p.120: FortiAI can support incident investigation, response, threat hunting, impact analysis, and remediation recommendations.

Technical Deep Dive: The correct answers are B, C, and E. FortiAI in FortiAnalyzer is designed to assist SOC workflows: interpreting security events, generating incident summaries, identifying possible impacts, recommending remediation, generating queries, and supporting threat hunting. Site-to-site VPN and SD-WAN overlay configuration are FortiGate/FortiManager network configuration tasks, not the FortiAnalyzer FortiAI use cases described in the Analyst guide. The guide keeps FortiAI scoped to FortiAnalyzer security operations and analytics workflows.