The Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst (FCP_FAZ_AN-7.6)

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.9: Tier 2 Incident Responder investigates escalated alerts in more depth for response.

Technical Deep Dive: The correct answer is D. When an event is escalated into an incident, the SOC role responsible for deeper handling and response is the incident responder. Tier 1 security analysts handle monitoring and triage. Threat hunters proactively search for complex or hidden threats rather than owning every escalated incident. SOC engineers maintain tools such as SIEM/SOAR platforms but are not the primary incident-handling role. The guide’s SOC role model places escalated response work with the Incident Responder.

Exact Extract: Study Guide p.82: " Unhandled " indicates the security event risk is considered open.

Technical Deep Dive: The displayed event is best interpreted as open/unhandled, so the correct answer is C. In FortiAnalyzer, event status is not just a label; it tells the analyst whether the risk still requires action. A risk source being isolated would map to Contained, while traffic being blocked or dropped maps to Mitigated. An incident being created from an event is a separate workflow action and cannot be concluded from the event status alone unless the exhibit explicitly shows the incident linkage.

Exact Extract: Study Guide p.211: output variables use the output from a preceding task as input to the current task.

Technical Deep Dive: The correct answer is B. The exhibit shows the analyst referencing output from an earlier task, such as a generated report identifier, so a later task can attach that result to an incident. That is an output variable. A trigger variable would pull values from the event or incident that started the playbook. The analyst is not creating the report object itself, nor creating a SOC report definition; the report task has already produced data, and the current task is consuming that output dynamically.

Exact Extract: Study Guide p.217-p.218: exported playbooks preserve enabled/disabled status, and name conflicts are handled on import.

Technical Deep Dive: The correct answers are A and C. A playbook imported into another ADOM or FortiAnalyzer retains the enabled or disabled status it had when exported, which is why automatic playbooks should be exported disabled. If an imported playbook name already exists, FortiAnalyzer creates a new name with a timestamp to avoid conflicts, so importing with the same name is allowed. Option B is wrong because connectors can be included in the export. Option D is wrong because multiple playbooks can be exported at once.

Exact Extract: Study Guide p.139: one compressed log message can contain multiple logs; message/log rate differences should be interpreted carefully.

Technical Deep Dive: The correct answer is C. If the exhibit shows message rate higher than log rate, that is not the normal relationship highlighted in the guide. FortiAnalyzer explains the normal case where one log message can contain multiple logs, making log rate higher than message rate. Options A and B cannot be concluded without indexing-completion or log-type breakdown information. Option D is wrong because these fortilogd rate outputs are not ADOM-specific unless a specific ADOM-scoped command is used.

Exact Extract: Official Fortinet FortiSIEM MEA guidance: after enabling the Collector MEA, it must be registered to a licensed FortiSIEM Supervisor.

Technical Deep Dive: The correct answer is D. FortiSIEM MEA on FortiAnalyzer functions as a FortiSIEM collector component and must register to a FortiSIEM Supervisor for operation. Option A describes FortiSOAR-style incident lifecycle management more than FortiSIEM MEA. Option B is wrong because the management extension runs on FortiAnalyzer rather than as a dedicated VM for the MEA itself. Option C is inaccurate because Fortinet documents CPU/RAM caps for MEAs, not a 50% disk-space cap as the defining requirement.

Exact Extract: Study Guide p.57-p.58: filtered Log View examples can show web filter category/action details, including allowed or blocked website categories.

Technical Deep Dive: The correct answer is B. The exhibit indicates social networking web activity is being allowed, not blocked. If the logs were application control logs, the log type/subtype would point to application control rather than web filtering. If unrated websites were blocked, the category/action fields would show that specific category and enforcement action. A custom view cannot be concluded unless the GUI explicitly displays a saved custom view name or custom view indicator.

Exact Extract: Study Guide p.107: more than one Fabric connector can be configured, with the same or different notification settings.

Technical Deep Dive: The correct answer is A. FortiAnalyzer can send incident status-change notifications through external platform connectors, and each connector can have its own settings. That flexibility lets a SOC notify Teams, ticketing, or other platforms differently depending on the connector and activity type. Option B is wrong because the guide permits multiple connectors. Option C confuses report output profiles with incident notifications. Option D is too narrow because notifications are not limited only to created or deleted incidents.