Free FCP_FSM_AN-7.2 Braindumps Download Updated on Jun 12, 2026 with 44 Questions
Fortinet FCP_FSM_AN-7.2 Exam Practice Test Questions
Fortinet FCP_FSM_AN-7.2 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
NEW QUESTION # 26
Refer to the exhibit.
As shown in the exhibit, why are some of the fields highlighted in red?
- A. The Event Receive Time attribute is not available for logs.
- B. The attribute COUNT(Matched Events) is an invalid expression.
- C. No RAW Event Log attribute information is available.
- D. Unique values cannot be grouped.
Answer: D
Explanation:
The fields are highlighted in red because unique values such as Event Receive Time and Raw Event Log cannot be used in group-by operations. Grouping requires aggregatable or consistent values across events, while these fields are unique to each event, making them incompatible for grouping.
NEW QUESTION # 27
Refer to the exhibit.
An analyst is trying to generate an incident with a title that includes the Source IP, Destination IP, User, and Destination Host Name. They are unable to add a Destination Host Name as an incident attribute.
What must be changed to allow the analyst to select Destination Host Name as an attribute?
- A. The Destination Host Name must be added as an Event type in the FortiSIEM.
- B. The Destination Host Name must be selected as a Triggered Attribute.
- C. The Destination IP Event Attribute must be removed.
- D. The Destination Host Name must be set as an aggregate item in a subpattern.
Answer: B
Explanation:
For an attribute like Destination Host Name to be used in the incident title, it must first be included in the Triggered Attributes list. Only attributes listed there are available for substitution in the title template (e.g., $destIpAddr, $srcIpAddr).
NEW QUESTION # 28
Refer to the exhibit.
Which two lookup types can you reference as the subquery in a nested analytics query? (Choose two.)
- A. SNMP Query
- B. LDAP Query
- C. Event Query
- D. CMDB Query
Answer: A,C
Explanation:
In FortiSIEM nested analytics queries, you can reference both CMDB Queries and Event Queries as subqueries. These allow correlation between CMDB data and event data for advanced detection use cases.
NEW QUESTION # 29
Refer to the exhibit.
If you group the events by User and Count attributes, how many results will FortiSIEM display?
- A. Five
- B. Two
- C. One
- D. Six
- E. Three
Answer: A
Explanation:
Grouping by User and Count yields five unique pairs: (Mike,4), (Bob,3), (Alice,2), (Bob,6), (Mike,5).
NEW QUESTION # 30
Refer to the exhibit.
Which value would you expect the FortiSIEM parser to use to populate the Application Name field?
- A. SSL
- B. applist
- C. wan1
- D. Network.Service
Answer: A
Explanation:
The Application Name field in FortiSIEM is typically populated using the value of the app field in the raw log. In this event, app="SSL", so "SSL" is the expected application name parsed by FortiSIEM.
NEW QUESTION # 31
When configuring anomaly detection machine learning, in which step must you select the fields to analyze?
- A. Train
- B. Prepare Data
- C. Schedule
- D. Design
Answer: B
Explanation:
In the Prepare Data step of configuring anomaly detection in FortiSIEM, you must select the fields to analyze. This step defines the input features that the machine learning model will evaluate during training and detection.
NEW QUESTION # 32
Refer to the exhibit.
What happens when an analyst clears an incident generated by a rule containing the automation policy shown in the exhibit?
- A. A notification is sent to the SOC manager dashboard.
- B. An email is sent to the SOC manager.
- C. The remediation script is run.
- D. No notification is sent.
Answer: D
Explanation:
The automation policy has the option "Do not notify when an incident is cleared manually" enabled. Therefore, when an analyst manually clears an incident, no notification or automation action is triggered.
NEW QUESTION # 33
What can you use to send data to FortiSIEM for user and entity behavior analytics (UEBA)?
- A. SNMP
- B. FortiSIEM agent
- C. SSH
- D. FortiSIEM worker
Answer: B
Explanation:
The FortiSIEM agent can be used to send detailed endpoint data such as user activity and process behavior to FortiSIEM, which is essential for performing User and Entity Behavior Analytics (UEBA).
NEW QUESTION # 34
Which two elements can you use to define how an automation policy activates? (Choose two.)
- A. Watchlist
- B. Rules
- C. Lookup table
- D. Time range
Answer: B,D
NEW QUESTION # 35
Refer to the exhibit.
What will happen when a device being analyzed by the machine learning configuration shown in the exhibit has a consistently high memory utilization?
- A. FortiSIEM will lower the CPU utilization trigger requirement for CPU utilization.
- B. FortiSIEM will update the model with a higher memory utilization average value.
- C. FortiSIEM will trigger an incident for high memory utilization.
- D. FortiSIEM will update the regression tables for memory utilization, and average sent and received bytes.
Answer: B
Explanation:
In the configuration shown, FortiSIEM uses Memory Util, Sent Bytes, and Received Bytes as input features to predict CPU Utilization via a regression model. If a device shows consistently high memory utilization, the model will incorporate that into its training data and update itself with a higher average value for memory utilization, influencing future CPU utilization predictions.
NEW QUESTION # 36
Refer to the exhibit.
If you group the events by Reporting Device, Reporting IP, and Application Category, how many results will FortiSIEM display?
- A. Five
- B. Two
- C. One
- D. Four
- E. Six
Answer: A
Explanation:
Grouping by Reporting Device, Reporting IP, and Application Category yields five unique tuples: (FW01, 10.1.1.1, DB), (FW02, 10.1.1.2, WebApp), (FW01, 10.1.1.1, SSH), (FW03, 10.1.1.3, DB), and (FW04, 10.1.1.4, SSH).
NEW QUESTION # 37
Which two settings must you configure to allow FortiSIEM to apply tags to devices in FortiClient EMS? (Choose two.)
- A. FortiEMS API credentials defined on FortiSIEM
- B. ZTNA tags defined on FortiSIEM
- C. Remediation script configured
- D. FortiSIEM API credentials defined on FortiEMS
Answer: A,D
Explanation:
To allow FortiSIEM to apply tags to devices in FortiClient EMS, FortiEMS API credentials must be defined on FortiSIEM to enable communication with EMS, and FortiSIEM API credentials must be defined on FortiEMS to allow EMS to accept tagging instructions from FortiSIEM. This bidirectional API trust is essential for tag application.
NEW QUESTION # 38
Where can an analyst configure rule notifications and automated remediation on FortiSIEM?
- A. Automation policy
- B. Notification policy
- C. Notification engine
- D. Response policies
Answer: A
NEW QUESTION # 41
How does FortiSIEM update the incident table if a performance rule triggers repeatedly?
- A. FortiSIEM changes the incident status to Repeated, and updates the Last Seen timestamp.
- B. FortiSIEM updates the Incident Count value and Last Seen timestamp.
- C. FortiSIEM generates a new incident based on the Rule Frequency value, and updates the First Seen and Last Seen timestamps.
- D. FortiSIEM generates a new incident each time the rule triggers, and updates the First Seen and Last Seen timestamps.
Answer: B
Explanation:
When a performance rule triggers repeatedly, FortiSIEM updates the existing incident by incrementing the Incident Count and refreshing the Last Seen timestamp. This avoids flooding the incident table with duplicates while still tracking repeated occurrences.
NEW QUESTION # 42
Which two attributes can you not select together in the Group By and Display Fields? (Choose two.)
- A. Reporting IP
- B. Raw Event Log
- C. Event Reporting Time
- D. Source IP
- E. Destination IP
Answer: B,E
NEW QUESTION # 43
Which analytics search can be used to apply a user and entity behavior analytics (UEBA) tag to an event for a failed login by the user JSmith?
- A. Username CONTAIN smit
- B. User = smith
- C. Username NOT END WITH jsmith
- D. User IS jsmith
Answer: D
Explanation:
The correct syntax to match an exact username in FortiSIEM analytics search is User IS jsmith. This ensures that the UEBA tag is applied only when the event is specifically tied to the user "jsmith", which is required for accurate behavioral analytics.
NEW QUESTION # 44
Refer to the exhibit.
According to the automation policy configuration shown in the exhibit, what happens if an associated rule triggers?
- A. FortiSIEM sends an email, because that is first on the list.
- B. FortiSIEM performs all selected actions.
- C. FortiSIEM fails to the integration policy, because no policy is defined.
- D. FortiSIEM runs the remediation script, because that takes precedence over all other options.
Answer: B
Explanation:
When an associated rule triggers, FortiSIEM performs all selected actions in the automation policy. In this case, it will send an email/SMS/webhook, run the remediation script, invoke the integration policy (even if none is currently defined), and create a case. All checked actions are executed.
NEW QUESTION # 46
Refer to the exhibit.
If a rule containing the automation policy shown in the exhibit triggers, what will happen?
- A. Associated source IP addresses will be blocked on devices in the Network CMDB group.
- B. Associated source IP addresses will be blocked on two FortiGate firewalls.
- C. Associated source IP addresses will be blocked on devices in the Aviation organization.
- D. Associated source IP addresses will be blocked on all FortiGate firewalls.
Answer: B
Explanation:
The automation policy is configured to run a remediation script named "Fortinet FortiOS - Block Source IP FortiOS via API". It specifies enforcement on two FortiGate devices: FortiGate508 and FortiGate90D. Therefore, associated source IP addresses will be blocked on those two FortiGate firewalls only.
NEW QUESTION # 47
What must you configure to apply ZTNA tags from FortiSIEM to devices in FortiClient EMS?
- A. API connection from FortiClient EMS to FortiSIEM
- B. API connection from FortiSIEM to FortiClient EMS
- C. Syslog connection to FortiSIEM from FortiGate firewalls
- D. Syslog connection to FortiGate firewalls from FortiSIEM
Answer: B
NEW QUESTION # 48
Which information can FortiSIEM retrieve from FortiClient EMS through an API connection?
- A. Host software versions
- B. ZTNA tags
- C. FortiSIEM license
- D. Host login credentials
Answer: B
Explanation:
FortiSIEM can retrieve ZTNA tags from FortiClient EMS through an API connection, enabling dynamic user and device classification for policy enforcement and incident response.
NEW QUESTION # 49
Refer to the exhibit.
How was this incident cleared?
- A. The endpoint was rebooted and sent an all-clear signal to FortiSIEM.
- B. The analyst manually cleared the incident from the incident table.
- C. FortiSIEM cleared the incident automatically after 24 hours.
- D. The incident was cleared automatically by the rule.
Answer: D
Explanation:
The Incident Status shows "Auto Cleared", and the Cleared Reason states: "Rule has not been triggered for 20 minutes." This indicates that the incident was automatically cleared by the rule logic after a defined period of inactivity.