Q1

A SOC analyst at a financial services company is investigating a high-severity event related to multiple failed login attempts from a suspicious IP address. The analyst needs to quickly gather all associated traffic logs, endpoint logs, and application control logs related to this IP for the last 24 hours. Which FortiAnalyzer feature provides the most efficient, integrated view for this type of cross-log-type investigation?

Q2 (Multiple answers)

A security analyst is building a custom event handler to detect potential data exfiltration. The goal is to trigger an event if any single user uploads more than 100MB of data to any cloud storage application within a 5-minute window. Which three settings are required in the event handler configuration to achieve this specific logic? (Choose three.)

Q3

A SOC manager wants to create a weekly 'Top 10 Riskiest Users' report. This report should be based on a custom risk score calculated from the number of high-severity security events (IPS, Antivirus, Web Filter) associated with each user. To implement this, an analyst must first create a custom dataset. Which SQL query function is essential for counting the events associated with each user?

Q4

True or False: When a playbook is triggered by an event handler, it can only use log fields from the single log that initiated the event.

Q5

A SOC analyst has created a playbook to automatically create a ServiceNow ticket when a 'Compromised Host' event is generated. After deploying the playbook, new 'Compromised Host' events are visible in FortiAnalyzer, but no tickets are being created in ServiceNow. The Playbook Monitor shows the playbook is not being triggered. What is the most likely cause of this issue?

Q6

When creating a new ADOM in FortiAnalyzer 7.2, an administrator notices the 'ADOM Mode' option. What is the primary purpose of setting the ADOM Mode to 'Advanced'?

Q7

An analyst is reviewing the 'Compromised Hosts' list in the FortiView dashboard. They notice a host with a high threat score and several Indicators of Compromise (IOCs) listed. What is the primary source of the IOC data used by FortiAnalyzer to identify these compromised hosts?

Q8 (Multiple answers)

A new SOC analyst is tasked with creating a playbook that performs the following actions upon detecting a high-severity IPS event: 1. Retrieve the source IP address from the event log. 2. Query a third-party threat intelligence service (via API) to check the IP's reputation. 3. If the reputation is 'malicious', add the IP to a specific address group on the edge FortiGate to block it. Which two playbook components are essential for this workflow? (Choose two.)

Q9

An administrator is configuring log fetching for a remote FortiGate. They want to ensure that if the connection between the FortiGate and FortiAnalyzer is interrupted, logs are buffered on the FortiGate and sent later when the connection is restored. Which FortiGate setting is required to enable this behavior?

Q10

A SOC analyst is debugging a playbook that is failing at a specific task. The task is supposed to extract a username from a log field and use it in a subsequent API call. The Playbook Monitor shows an error at the API call task. How can the analyst verify the value of the username variable as it was extracted in the preceding task?