Important Details Flashcards

(47 cards)

1
Q

Basic SQL commands

A

SELECT, INSERT, UPDATE, DELETE. These are the declarative verbs

2
Q

SELECT statement order

A

FROM: specifies the table
WHERE: specifies the conditions
GROUP BY: groups results by one or more columns
ORDER BY: orders the result rows by one or more columns
LIMIT: limits the number of records returned based on a specified value
OFFSET: offsets the results by the number specified

3
Q

ORDER BY syntax

A

ORDER BY column_name/column_number asc/desc

Ascending is default for this clause

4
Q

NULLIF

A

Takes two arguments. If the two arguments are equal, NULL is returned; otherwise, the first argument is returned. NULL represents unknown data, not zero. Used with SELECT

4
Q

Aggregate Function vs Normal Functions

A

Aggregate functions use the entire column of data as their input and produce a single output. Normal functions operate on each element in the column

5
Q

COALESCE

A

Returns the first non-NULL expression among its arguments. NULL is returned only if all arguments are NULL. Used with SELECT

6
Q

Aggregate function examples

A

Function(Expression)
AVG
COUNT - number of rows, even if some columns contain NULL values
FIRST
LAST
MAX
MIN
SUM

7
Q

Out of ordinary operators

A

% - Modulus. Divides the left-hand operand by the right-hand operand and returns the remainder
<> - Not equal to
!< - Not less than
!> - Not greater than

8
Q

How to retrieve root domain of a device within a statement

A

root_domain(hostname)

9
Q

Fabric with multiple FGTs

A

The fabric eliminates duplicate logs. Each FortiGate generates logs only for events that were not already logged by the previous FortiGate along the path of the traffic. Consider what configuration each FortiGate has according to the question: for example, if only one of the FGTs is performing SNAT, then that FGT is the only one that generates the SNAT traffic log. The same applies to other features such as web filtering: whichever FortiGate performs it generates the UTM logs

10
Q

FortiAnalyzer Fabric

A

Two modes:
Supervisor - One per fabric, acts as the root
Member - Sends information to the supervisor. Members do NOT forward their logs to the supervisor
All must be configured in the same time zone.
Collectors cannot be members.

Supervisor includes only the following modules:
Device Manager
Log view
Incident & Events
System Settings
Management Extensions

11
Q

ADOMS are enabled by default (T or F)

A

False

12
Q

Log Phases

A

1: Raw - logs received from registered device. No immediate analytic support, viewable in Log Browse, .log file type
2: Indexed (Analytics Logs) - Added to SQL database and indexed. Has immediate analytic support, considered “online.” Can view them in Log View, FortiView, Events, and Reports
3: Archived - Compressed and rolled over in log file saved with .gz extension. No immediate analytic support. Considered “offline,” viewable in Log Browse

13
Q

Log View Modes

A

Filter (GUI) and Text (manual)

14
Q

Can you sort and customize Raw logs? (Yes or No)

A

No. Only formatted logs

15
Q

You can only disable FortiView via CLI? (T or F)

A

True

16
Q

IOC

A

Indicators of Compromise: Requires a FortiGuard subscription

17
Q

Two IOC statuses

A

Infected: Indicates a real breach. A match or matches against the blacklisted IPs or domain generation algorithms (DGAs) have been found in the web logs

Suspicious: Indicates a possible breach with varying degrees of confidence

18
Q

Two Categories to filter IOC entries

A

Blocklist: Indicates items marked as infected

Suspicious: indicates a match was found in the suspicious list in the IOC database. FortiAnalyzer flags the endpoint for further analysis, compares the flagged log entries with the endpoint’s previous statistics for the same day, and then updates the score. If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts

19
Q

Log Fetching Details

A

Log Fetching can only happen between two FortiAnalyzer devices. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with different FortiAnalyzer devices at the other end.

You can establish only one log-fetching session at a time between two FAZ devices

Should run same firmware version
Source and Destination ADOM are of the same type
Destination ADOM must have enough space allocated for the incoming logs
Must add the devices to Device manager before you can see their logs in the client
Data Policy on the client must retain logs of the specified time period

20
Q

Command to see the SQL insertion status

A

diagnose sql status sqlplugind

21
Q

Log Rate vs Message Rate

A

One log message can consist of multiple logs in LZ4 format. Thus, it is normal for the msgrate to be lower than the lograte

22
Q

Insert Rate vs. Receive Rate

A

Insert Rate = SQL Insertion Rate
Handled by sqlplugind
Receive Rate = Raw Receiving Rate
Handled by fortilogd

23
Q

Log Insert Lag Time

A

Amount of time between log received and log inserted in the database

24
Q

MEA

A

Management Extension Application: licensed applications that run on FortiAnalyzer. Two options are FortiSOAR and FortiSIEM

25
Q

Event Handlers

A

Look for specific conditions in the logs. You can enable or disable them; FAZ comes with predefined event handlers. Disabled handlers do not generate events

26
Q

Event Handler Aggregates

A

Aggregate Expression has three options:
COUNT - A minimum threshold count of matching logs
COUNT_DISTINCT - Select a field that must be distinct
SUM - Multiple options like duration, sent/received bytes, and sent/received packets
Aggregate Duration - The minimum threshold in minutes to generate events
These two work together: the number of matching logs (expression) must occur within the number of minutes (duration) in order to generate an event

27
Q

Event Status

A

Unhandled - The security risk is not mitigated or contained, so it is considered open. Example: IPS/AV log with action=pass. Botnet and IoC events are also considered Unhandled
Contained - The risk source is isolated. Example: AV log with action=quarantine
Mitigated - The security risk is mitigated by being blocked or dropped. Example: IPS/AV log with action=block/drop
Blank - Other scenarios. Both allow and block actions can be seen in the associated logs

28
Q

Out of ordinary text filters for Event Handlers

A

~ - Contains
!~ - Does not contain

29
Q

Importing/Exporting Event Handlers

A

By default, they are restricted to the ADOM where they were created. Must export them or create them in other ADOMs. Can export them as zipped, text, or CLI configuration. If the name already exists, the options are to rename, replace, or skip the import

30
Q

Outbreak Detection Service

A

Licensed feature. Allows customers to receive information about malware outbreaks. Automatically downloads new event handlers and reports related to outbreaks

31
Q

Report Elements

A

A report is a set of data organized in charts. Charts consist of two elements:
Datasets - SQL SELECT queries that extract specific data from the database
Format - how the data is displayed (pie charts, bar charts, or tables)

32
Q

FROM is the only mandatory clause for a SELECT statement. (T or F)

A

True

33
Q

Templates

A

Specifies the layout - text, charts, and macros - to include in the report that uses it. FAZ provides predefined templates. Can clone predefined templates or create custom ones. Can't edit or delete predefined templates. Templates don't contain any data; data is added to the report when you generate it. They don't contain report settings either; those must be edited directly in the report

34
Q

Predefined Reports

A

Can run these with default settings, or edit settings such as:
Time period
Devices
Filters
Report schedule (on demand or scheduled)
Cannot adjust the schedule from the calendar; it must be done from the specific configuration of the report

35
Q

Macros

A

Specify which data to extract from the logs. They represent dataset queries in abbreviated form. Can insert them as data into templates and reports. ADOM specific!

36
Q

Default Charts and Datasets

A

The Chart Library contains hundreds of charts; cannot edit default charts. The Datasets Library contains hundreds of datasets; cannot edit default datasets. Can clone and edit them just like templates and reports.

37
Q

Export to Report Chart

A

Allows you to automatically build a dataset and chart based on a filtered search result

38
Q

External Storage for Reports

A

Requires configuration of a mail server to email reports. Can also upload generated reports to a server (FTP/SFTP/SCP). Configure output profiles per ADOM, then enable notification for each report

39
Q

hcache

A

SQL hard cache - Must be built before FAZ can generate a report. Building it increases report generation time and uses system resources. If no new logs are received for the reporting period, the hcache doesn't need to be rebuilt. Enable auto-cache - Automatically updates the hcache when new logs come in and FAZ generates new log tables.

40
Q

Grouping Reports

A

Benefits: reduces the number of hcache tables, improves auto-cache completion time.
CLI: configure system report group

41
Q

Moving Reports between ADOMs

A

Each ADOM has its own reports, libraries, and advanced settings. ADOMs must be of the same type when importing

42
Q

Attach Reports to Incidents

A

Manually from an existing report
Manually from an existing incident
Automatically through playbook automation

43
Q

Playbook Triggers

A

The first thing that must be configured when creating a playbook:
EVENT_TRIGGER
INCIDENT_TRIGGER
ON_SCHEDULE
ON_DEMAND

44
Q

Fabric Connectors

A

Allow playbooks to interact with devices in the Fabric and with standalone devices. Only the local (FAZ) connector is ready to be used by default.
Green: Connection successful
Black: Connection unknown
Red: Connection down
Other connectors available: EMS, FortiOS, FortiGuard, FortiMail, FortiCASB, others
The type of connector used determines the available actions. In order to see actions related to the FortiOS connector, you must enable an automation rule using the Incoming Webhook Call trigger on the FortiGate side

45
Q

Playbook Variables

A

Output variables: The output of the previous task is the input of the current task
Trigger variables: Use some of the information from the trigger to filter the action in the task

46
Q

Importing and Exporting Playbooks

A

Playbooks are defined per ADOM
IMPORTING: If a playbook has the same name as an existing playbook, FAZ creates a new name that includes a timestamp. They are imported with the same status as when they were exported (enabled or disabled)
EXPORTING: The connectors can be included; the resulting file uses JSON format. If you need to be able to read the contents of the JSON file in plain text, you must choose the text version during the export process