Questions for the FCP FSM AN 7.2 were updated on: Nov 23, 2025
Refer to the exhibit.
If you group the events by User, Source IP, and Count attributes, how many results will FortiSIEM display?
Answer: B
Explanation:
Grouping by User, Source IP, and Count means that each unique combination of those three attributes will be treated as a separate result. In the table, all six rows have distinct combinations of User, Source IP, and Count - so FortiSIEM will display 6 results.
Refer to the exhibit.
A FortiSIEM device is receiving syslog events from a FortiGate firewall. The FortiSIEM analyst is trying to search the raw event logs for the last two hours that contain the keyword "udp". However, they are getting no results from the search, which they know should be available. Based on the filter shown in the exhibit, why are there no search results?
Answer: D
Explanation:
The operator is set to "=", which performs an exact match on the entire raw event log, not a substring search. To find logs that contain the keyword "udp", the analyst should use the CONTAIN operator instead. This will return all logs where "udp" appears anywhere in the raw log message.
How does FortiSIEM update the incident table if a performance rule triggers repeatedly?
Answer: B
Explanation:
When a performance rule triggers repeatedly, FortiSIEM updates the existing incident by incrementing the Incident Count and refreshing the Last Seen timestamp. This avoids flooding the incident table with duplicates while still tracking repeated occurrences.
Refer to the exhibit.
The configuration shown in the exhibit is incorrect.
What must you change to allow this configuration to be successfully applied to FortiSIEM?
Answer: B
Explanation:
The Run Mode is set to Local, which is not valid for training machine learning models in FortiSIEM. To apply this configuration correctly, the Run Mode must be set to ML, which enables proper model training and prediction using selected fields.
Refer to the exhibit.
An analyst wants the rule shown in the exhibit to trigger when three failed login attempts occur within three minutes.
What should the values be for the condition time window and aggregate count?
Answer: A
Explanation:
To detect three failed login attempts within three minutes, you must set the aggregate count to 3 in the subpattern and the time window to 180 seconds in the rule condition. This ensures the rule triggers only if three or more failed logins occur in that timeframe.
Which information can FortiSIEM retrieve from FortiClient EMS through an API connection?
Answer: D
Explanation:
FortiSIEM can retrieve ZTNA tags from FortiClient EMS through an API connection, enabling dynamic user and device classification for policy enforcement and incident response.
Refer to the exhibit.
If a rule containing the automation policy shown in the exhibit triggers, what will happen?
Answer: D
Explanation:
The automation policy is configured to run a remediation script named "Fortinet FortiOS - Block Source IP FortiOS via API". It specifies enforcement on two FortiGate devices: FortiGate508 and FortiGate90D. Therefore, associated source IP addresses will be blocked on those two FortiGate firewalls only.
When configuring anomaly detection machine learning, in which step must you select the fields to analyze?
Answer: C
Explanation:
In the Prepare Data step of configuring anomaly detection in FortiSIEM, you must select the fields to analyze. This step defines the input features that the machine learning model will evaluate during training and detection.
Refer to the exhibit.
According to the automation policy configuration shown in the exhibit, what happens if an associated rule triggers?
Answer: B
Explanation:
When an associated rule triggers, FortiSIEM performs all selected actions in the automation policy. In this case, it will send an email/SMS/webhook, run the remediation script, invoke the integration policy (even if none is currently defined), and create a case. All checked actions are executed.
Refer to the exhibit.
As shown in the exhibit, why are some of the fields highlighted in red?
Answer: A
Explanation:
The fields are highlighted in red because unique values such as Event Receive Time and Raw Event Log cannot be used in group-by operations. Grouping requires aggregatable or consistent values across events, while these fields are unique to each event, making them incompatible for grouping.
How can you query the configuration management database (CMDB) in an analytics search?
Answer: A
Explanation:
In an analytics search, you can query the CMDB by clicking Value > Select from CMDB, which allows you to choose values directly from CMDB entries for the selected attribute, enabling precise filtering based on asset data.
Refer to the exhibit.
Which two conditions will match this rule and subpatterns? (Choose two.)
Answer: A, B
Explanation:
The user initiates an RDP session (Subpattern 1) and then fails to log in multiple times (Subpattern 2 with COUNT(Matched Events) >= 3) - both from the same Source IP and User within 300 seconds. The brute force attempts typically involve a successful RDP connection followed by multiple failed logins, satisfying the sequence and grouping conditions in the rule.
Refer to the exhibit.
Which two lookup types can you reference as the subquery in a nested analytics query? (Choose two.)
Answer: C, D
Explanation:
In FortiSIEM nested analytics queries, you can reference both CMDB Queries and Event Queries as subqueries. These allow correlation between CMDB data and event data for advanced detection use cases.
Which items are used to define a subpattern?
Answer: A
Explanation:
A subpattern in FortiSIEM is defined using Filters to match specific events, Aggregate conditions to apply statistical thresholds (e.g., COUNT), and Group By attributes to segment data for evaluation. These three components collectively determine how the subpattern functions.
Refer to the exhibit.
An analyst is trying to identify an issue using an expression based on the Expression Builder settings shown in the exhibit; however, the error message shown in the exhibit indicates that the expression is invalid.
What is the correct syntax to create an expression that generates a total count of matched events?
Answer: A
Explanation:
The correct syntax is COUNT(Matched Events) - with proper capitalization and spacing - to generate a total count of matched events. The error in the exhibit likely stems from a formatting issue (e.g., lowercase count() or incorrect spacing), not the logical structure of the expression.