Pass the Fortinet Certified Professional Security Operations FCP_FAZ_AN-7.6 Questions and answers with Dumpstech

Exact Extract: Study Guide p.78 and p.81: a data selector is a common filter applied before every rule in the event handler.

Technical Deep Dive: The correct answer is C. Data selectors prevent analysts from repeating the same filtering logic in each event-handler rule. They narrow the data evaluated by the handler using device, subnet, and log-field criteria before individual rules are processed. Option A is wrong because data selectors do not control what FortiAnalyzer accepts from registered devices. Option B is invented; they do not download filters. Option D is too broad because a data selector is applied to selected handlers, not automatically to all event handlers at the same time.

Exact Extract: Study Guide p.82: " Unhandled " means the security event risk is not mitigated or contained, and an IPS/AV pass action is an example.

Technical Deep Dive: The correct answer is B because an IPS log with action=pass means the traffic matched or was observed in a way that generated a security event, but the traffic was not blocked, dropped, or quarantined. FortiAnalyzer therefore treats the event as still open from a SOC workflow perspective. Option A is wrong because quarantine isolates the malicious object and maps to Contained. Options C and D are wrong because dropped or blocked actions mean enforcement already occurred, which maps to Mitigated rather than Unhandled.

Exact Extract: Study Guide p.202: FortiOS connector actions appear only after enabling an automation rule using the Incoming Webhook Call trigger on FortiGate.

Technical Deep Dive: The correct answer is D. A FortiAnalyzer playbook can list a FortiOS connector after FortiGate is added, but the available FortiOS actions depend on FortiGate-side automation rules. FortiGate must expose an Incoming Webhook trigger so FortiAnalyzer can call the automation stitch. A FortiAnalyzer Event Handler is used on FortiAnalyzer to generate events, not to expose FortiOS connector actions. Fabric Connector events and FortiOS Event Log triggers do not provide the FortiAnalyzer-to-FortiGate action handoff tested here.

Exact Extract: Study Guide p.184: templates and datasets cannot be exported directly; chart exports include the associated dataset.

Technical Deep Dive: The correct answer is C. In Report Definitions, the export/import rule is specific: reports and charts can be moved, templates and datasets cannot be exported directly. When a chart is exported, the dataset associated with that chart is included automatically, so importing the chart also imports the dataset. Option A is wrong because templates cannot be exported. Option B is wrong for the same reason. Option D is wrong because datasets are not directly exportable as standalone objects.

Exact Extract: Study Guide p.105-p.106: incident analysis includes audit history, and incident settings/status should be kept up to date.

Technical Deep Dive: The correct answer is A. When an analyst changes an incident status to Closed: False Positive, FortiAnalyzer records the action in the incident audit history. That preserves accountability and allows other analysts to see what changed and why. The corresponding event is not automatically reclassified as mitigated. The incident is not deleted just because it is closed. The incident number remains stable because it is the identifier used to track the case through its lifecycle.

Exact Extract: Study Guide p.82: Mitigated means a security risk was blocked or dropped.

Technical Deep Dive: The correct answer is C. The exhibit shows a mitigated event with blocked web activity, so the accurate statement is that the security risk was blocked. A dropped action would also be a mitigated outcome, but the displayed event specifically indicates blocked. Option B describes Contained status, where the risk source is isolated. Option D is wrong because the event type shown is Web Filter, not application control. Option A is less precise than the exhibit because the action shown is blocked rather than dropped.

Exact Extract: Study Guide p.39-p.41: logs are saved first, and parsers are needed to normalize raw logs into standardized fields.

Technical Deep Dive: The correct answer is C. FortiAnalyzer does not discard a log simply because a matching parser is unavailable. The received log is still saved in the FortiAnalyzer log workflow. However, normalization requires a parser that can extract fields and map them into FortiAnalyzer’s common schema. Without that parser, the log remains stored but not normalized. Option A is too destructive. Option B assumes a generic parser is automatically applied. Option D confuses storage/archive state with parser availability.

Exact Extract: Study Guide p.82: " Unhandled " indicates the security event risk is considered open.

Technical Deep Dive: The displayed event is best interpreted as open/unhandled, so the correct answer is C. In FortiAnalyzer, event status is not just a label; it tells the analyst whether the risk still requires action. A risk source being isolated would map to Contained, while traffic being blocked or dropped maps to Mitigated. An incident being created from an event is a separate workflow action and cannot be concluded from the event status alone unless the exhibit explicitly shows the incident linkage.

Exact Extract: Study Guide p.25-p.26: the supervisor displays member logs, can aggregate report data, and shows events generated on members.

Technical Deep Dive: The correct answers are C, D, and E. FortiAnalyzer Fabric supervisor visibility includes logs collected on members, events generated by member event handlers, and reports that fetch and aggregate data from multiple members. Playbooks are not available as a supervisor-to-member execution module; the guide states supervisors cannot run automation playbooks on members. Indicators are not listed in the Fabric supervisor modules described for member analysis in the study guide.

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.