FCP_FAZ_AN-7.6 Exam Dumps - Fortinet Certified Professional Security Operations Questions and Answers

Exact Extract: Study Guide p.210: after creating a new playbook, FortiAnalyzer needs a few minutes to parse it.

Technical Deep Dive: The correct answer is A. FortiAnalyzer must parse the newly created playbook before it can execute reliably. Parsing checks the playbook definition and prepares it for execution by the automation engine. Option B is wrong because FortiAnalyzer is not automatically debugging the playbook; debugging happens after a failed or problematic run. Option C is unrelated to playbook creation. Option D is wrong because FortiAnalyzer can track multiple jobs; the wait is about playbook parsing, not waiting for all other playbooks to stop.

Exact Extract: Study Guide p.159: SELECT * FROM $log can be used to obtain the schema for a selected log type.

Technical Deep Dive: The correct answer is C. FortiAnalyzer datasets use SQL SELECT queries not only to extract report data but also to reveal available columns for a log type. Running SELECT * FROM $log and testing the dataset shows the column headings available in the database schema. Option A is wrong because SELECT is read-only and does not purge data. Option B is wrong because WHERE is optional; FROM is the mandatory clause. Option D is wrong because macros represent dataset queries in abbreviated form, so SELECT logic is directly related to macros.

Exact Extract: Study Guide p.25-p.26: the supervisor displays member logs, can aggregate report data, and shows events generated on members.

Technical Deep Dive: The correct answers are C, D, and E. FortiAnalyzer Fabric supervisor visibility includes logs collected on members, events generated by member event handlers, and reports that fetch and aggregate data from multiple members. Playbooks are not available as a supervisor-to-member execution module; the guide states supervisors cannot run automation playbooks on members. Indicators are not listed in the Fabric supervisor modules described for member analysis in the study guide.

Exact Extract: Study Guide p.208: to run a report as a playbook task, the report must already exist and have auto-cache and extended log filtering enabled.

Technical Deep Dive: The correct answer is A. If the report is not visible as an available report task target, the usual reason is that it does not meet the report-task prerequisites. FortiAnalyzer requires the report to exist already and to have both auto-cache and extended log filtering enabled. Option B is irrelevant because a running playbook does not hide a report definition. Option C is wrong because the trigger starts the playbook, not the report listing. Option D is wrong because report results are not the prerequisite for listing the report as a task target.

Exact Extract: Study Guide p.187: troubleshoot slow reports by reviewing diagnostics and enabling auto-cache to reduce generation time.

Technical Deep Dive: The correct answers are B and D. When reports take too long, Fortinet recommends checking report diagnostics and hcache timing, log rates, insert/receive rate, and log insert lag. Enabling auto-cache is also a documented way to improve report generation performance. Option A is not a recommended troubleshooting step in the study guide; removing old hcache blindly can make reports slower because hcache must be rebuilt. Option C is not the relevant control for report generation time in this scenario.

Exact Extract: Study Guide p.202: FortiOS connector actions appear only after enabling an automation rule using the Incoming Webhook Call trigger on FortiGate.

Technical Deep Dive: The correct answer is D. A FortiAnalyzer playbook can list a FortiOS connector after FortiGate is added, but the available FortiOS actions depend on FortiGate-side automation rules. FortiGate must expose an Incoming Webhook trigger so FortiAnalyzer can call the automation stitch. A FortiAnalyzer Event Handler is used on FortiAnalyzer to generate events, not to expose FortiOS connector actions. Fabric Connector events and FortiOS Event Log triggers do not provide the FortiAnalyzer-to-FortiGate action handoff tested here.

Exact Extract: Study Guide p.82: Mitigated means a security risk was blocked or dropped.

Technical Deep Dive: The correct answer is C. The exhibit shows a mitigated event with blocked web activity, so the accurate statement is that the security risk was blocked. A dropped action would also be a mitigated outcome, but the displayed event specifically indicates blocked. Option B describes Contained status, where the risk source is isolated. Option D is wrong because the event type shown is Web Filter, not application control. Option A is less precise than the exhibit because the action shown is blocked rather than dropped.

Exact Extract: Study Guide p.189: verify logs from the report time frame and test the dataset query when expected data is missing.

Technical Deep Dive: The correct answers are A and D. This duplicate scenario tests the same reporting troubleshooting logic. A report can be empty or incomplete even while the logs exist if the report uses a time window that excludes them or if the dataset filters them out. Testing the dataset proves whether the SQL query is actually retrieving the intended rows. Disabling auto-cache is a performance workaround only in very specific stale-cache investigations and is not the recommended first step. Report quota is not the issue when the report runs but contains the wrong data.

Exact Extract: Study Guide p.54: custom views save search filters, device, and time period for repeated Log View searches.

Technical Deep Dive: The correct answer is B. A custom view is designed for exactly this use case: an analyst repeatedly searches Log View with the same filters and wants to avoid rebuilding them every time. A custom dashboard shows widgets and summary data but does not preserve a Log View search workflow. A data selector is used mainly as a reusable filter for event handlers and related features. A macro is for report data extraction, not for reusing interactive log-search parameters.

Exact Extract: Study Guide p.59: root ADOM shows local event logs; application logs are ADOM-specific.

Technical Deep Dive: The correct answers are B and D. Local event logs are available from the root ADOM and provide system-wide FortiAnalyzer information. Application logs, including logs generated by FortiAnalyzer applications such as playbooks and incident management, are ADOM-specific. Option A is wrong because local logs are accessible in Log View. Option C is wrong because playbook/application logs are not all simply placed in the root ADOM for every ADOM; non-root ADOMs show application logs relevant to that ADOM.