NSE5 - FAZ-7.2 Exam (English)

This document contains questions and answers related to the NSE5_FAZ-7.2 certification exam. The questions cover topics about playbook configuration and management, FortiSIEM integration, outbreak detection service licensing, and log fetching considerations. Subject matter experts have provided the correct answers to the multiple choice questions along with references and explanations from Fortinet documentation. Community members can vote on which answers they agree with.

Uploaded by

Yonathan alvines

14/2/24, 16:43 NSE5_FAZ-7.2 Exam – Free Actual Q&As, Page 1 | ExamTopics


Topic 1 - Exam A

Question #1 Topic 1

Which two statements are correct regarding the export and import of playbooks? (Choose two.)

A. You can import a playbook even if there is another one with the same name in the destination.

B. Playbooks can be exported and imported only within the same FortiAnalyzer device.

C. You can export only one playbook at a time.

D. A playbook that was disabled when it was exported will be disabled when it is imported.

Correct Answer: AD

Community vote distribution


AD (100%)

5fd6f75 2 weeks, 4 days ago

A and D
upvoted 1 times

DaniSerb 3 months, 1 week ago

Selected Answer: AD

A: If the imported playbook has the same name as an existing playbook, to avoid conflicts, FortiAnalyzer will create a new name that includes a timestamp.

D: Playbooks are imported with the same status they had (enabled or disabled) when they were exported.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times

x58 3 months, 2 weeks ago

Selected Answer: AD

A D Correct
upvoted 2 times

https://www.examtopics.com/exams/fortinet/nse5-faz-7-2/custom-view/ 1/32

Question #2 Topic 1

A playbook contains five tasks in total. An administrator runs the playbook and four out of five tasks finish successfully, but one task fails.

What will be the status of the playbook after it is run?

A. Running

B. Failed

C. Upstream_failed

D. Success

Correct Answer: B

Community vote distribution


B (100%)

DaniSerb 3 months, 1 week ago

Selected Answer: B

Playbook jobs that include one or more failed tasks are labeled as Failed in Playbook Monitor. A failed status, however, does not mean that all tasks failed. Some individual actions may have completed successfully.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times

x58 3 months, 2 weeks ago

Selected Answer: B

B correct
upvoted 1 times


Question #3 Topic 1

Which statement about the FortiSIEM management extension is correct?

A. Allows you to manage the entire life cycle of a threat or breach.

B. Its use of the available disk space is capped at 50%.

C. It requires a licensed FortiSIEM supervisor.

D. It can be installed as a dedicated VM.

Correct Answer: C

Community vote distribution


C (100%)

Khalil85 2 months, 2 weeks ago

C correct / FortiSIEM must be registered on a licensed FortiSIEM Supervisor
upvoted 1 times

DaniSerb 3 months, 1 week ago

Selected Answer: C

C seems to be correct according to - FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2

FortiSIEM: SIEM collector functionality only. Must be registered on a licensed FortiSIEM Supervisor
upvoted 1 times

x58 3 months, 2 weeks ago

Selected Answer: C

C correct
upvoted 1 times


Question #4 Topic 1

Which two statements are true regarding the outbreak detection service? (Choose two.)

A. New alerts are received by email.

B. Outbreak alerts are available on the root ADOM only.

C. An additional license is required.

D. It automatically downloads new event handlers and reports.

Correct Answer: CD

Community vote distribution


CD (100%)

LAFNELL 1 month, 1 week ago

Selected Answer: CD

C & D are correct

Study Guide p130
upvoted 1 times

DaniSerb 3 months, 1 week ago

Selected Answer: CD

The FortiAnalyzer Outbreak Detection Service is a licensed feature that allows FortiAnalyzer administrators to receive and view outbreak alerts, and automatically download related event handlers and reports from FortiGuard.

Reference - FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times


Question #5 Topic 1

What must you consider when using log fetching? (Choose two.)

A. The fetch client can retrieve logs from devices that are not added to its local Device Manager.

B. You can use filters to include only logs from a single device.

C. The fetching profile must include a user with the Super_User profile.

D. The archive logs retrieved from the server become archive logs in the client.

Correct Answer: AB

Community vote distribution


AB (50%) BC (25%) BD (25%)

rac_sp 1 month, 2 weeks ago

Selected Answer: AB

A & B correct
upvoted 1 times

Thomas_2020 1 month, 3 weeks ago

Selected Answer: BC

B & C, Page 168, FAZ_7.0


upvoted 1 times

Thomas_2020 1 month, 3 weeks ago

B & C, Page 168, FAZ_7.0
upvoted 1 times

r_jordan 2 months ago

Selected Answer: BD

- retrieve archive logs from another FAZ and run queries or reports on those archived logs
- you can do the log fetching but you won't be able to see the logs if you do not add the FAZ to the Device Manager (pages 77-78)

So I think B and D are more accurate answers.


upvoted 1 times

DaniSerb 3 months, 1 week ago

Selected Answer: AB

A: Using FortiAnalyzer, you can enable log fetching. This allows FortiAnalyzer to fetch the archived logs of specified devices from another FortiAnalyzer.
B: During the request, you can choose filters to include:
- Logs from a specific device
- Logs of specific types and values
- Logs from a specific time frame

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 1 times


Question #6 Topic 1

Which statement describes a dataset in FortiAnalyzer?

A. They determine what data is retrieved from the database.

B. They provide the layout used for reports.

C. They are used to set the data included in templates.

D. They define the chart types to be used in reports.

Correct Answer: A

Community vote distribution


A (100%)

DaniSerb 3 months, 1 week ago

Selected Answer: A

A dataset is an SQL SELECT query. The result from that query—the specific data polled from the database—is what populates a chart.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times


Question #7 Topic 1

Refer to the exhibits.

How many events will be added to the incident created after running this playbook?

A. Thirteen events will be added.

B. Five events will be added.

C. No events will be added.

D. Ten events will be added.

Correct Answer: D

Community vote distribution


D (100%)

r_jordan 2 months ago

Selected Answer: D

D is correct
upvoted 2 times


Question #8 Topic 1

Refer to the exhibit.

What does the data point at 12:20 indicate?

A. The performance of FortiAnalyzer is below the baseline.

B. FortiAnalyzer is using its cache to avoid dropping logs.

C. The log insert lag time is increasing.

D. The sqlplugind service is caught up with new logs.

Correct Answer: C

Community vote distribution


C (100%)

DaniSerb 3 months, 1 week ago

Selected Answer: C

Insert Rate vs. Receive Rate is a graph that shows the rate at which raw logs reach the FortiAnalyzer (receive rate) and the rate at which they are indexed (insert rate) by the SQL database and the sqlplugind daemon. At minimum, the difference between these parameters should be generally consistent.

Log Insert Lag Time shows the amount of time between when a log was received and when it was indexed. Ideally, this parameter should be as small as possible with the occasional spikes according to the network activity being logged. A good baseline should be created to allow for the identification of possible performance issues.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times


Question #9 Topic 1

You created a playbook on FortiAnalyzer that uses a FortiOS connector.

When configuring the FortiGate side, which type of trigger must be used so that the actions in an automation stitch are available in the FortiOS connector?

A. FortiAnalyzer Event Handler

B. Incoming webhook

C. Fabric Connector event

D. FortiOS Event Log

Correct Answer: B

Community vote distribution


B (80%) C (20%)

sandfred 1 month, 3 weeks ago

Selected Answer: B

B. Incoming Webhook

FortiAnalyzer Analyst 7.2 Study Guide 184

1. Traffic flows through the FortiGate
2. FortiGate sends logs to FortiAnalyzer
3. FortiAnalyzer detects some suspicious traffic and generates an event
4. The event triggers the execution of a playbook in FortiAnalyzer, which sends a webhook call to FortiGate so that it runs an automation stitch
5. FortiGate runs the automation stitch with the corrective or preventive actions
upvoted 2 times

andreadg88 2 months, 1 week ago

Selected Answer: B

you must enable an automation rule using the Incoming Webhook Call trigger on the FortiGate side
upvoted 1 times

DaniSerb 3 months, 1 week ago

Selected Answer: B

FortiOS connector will be listed as soon as the first FortiGate is added to FortiAnalyzer.
However, in order to see the actions related to that FortiOS connector, you must enable an automation rule using the Incoming Webhook Call trigger on the FortiGate side.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 1 times

DaniSerb 3 months, 1 week ago

Selected Answer: C

FortiOS connector will be listed as soon as the first FortiGate is added to FortiAnalyzer.
However, in order to see the actions related to that FortiOS connector, you must enable an automation rule using the Incoming Webhook Call trigger on the FortiGate side.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 1 times


Question #10 Topic 1

Which FortiAnalyzer feature allows you to use a proactive approach when managing your network security?

A. Outbreak alert services

B. FortiView Monitor

C. Threat hunting

D. Incidents dashboard

Correct Answer: C

Community vote distribution


C (100%)

DaniSerb 3 months, 1 week ago

Selected Answer: C

Threat hunting consists of proactively searching for suspicious or potentially risky network activity in your environment. The proactive approach will help the analyst find any threats that might have eluded detection by the current security solutions or configurations.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 3 times

Question #11 Topic 1

Which log will generate an event with the status Contained?

A. An IPS log with action=pass.

B. A WebFilter log with action=dropped.

C. An AV log with action=quarantine.

D. An AppControl log with action=blocked.

Correct Answer: C

Community vote distribution


C (100%)

DaniSerb 3 months, 1 week ago

Selected Answer: C

Contained: The risk source is isolated.

For example, an AV log with action=quarantine will have the event status Contained.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 3 times


Question #12 Topic 1

What is the purpose of trigger variables?

A. To display statistics about the playbook runtime

B. To use information from the trigger to filter the action in a task

C. To provide the trigger information to make the playbook start running

D. To store the start times of playbooks with On_Schedule triggers

Correct Answer: B

Community vote distribution


B (100%)

myrmidon3 3 weeks, 6 days ago

Selected Answer: B

FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2 page 198


upvoted 1 times

DaniSerb 3 months, 1 week ago

Selected Answer: B

Trigger variables allow you to use information from the trigger of a playbook when it has been configured with an incident or event trigger. For example, a single playbook can be triggered by more than one device. A Run Report action can include a filter for the endpoint IP address from the event that triggered the playbook.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 3 times


Question #13 Topic 1

Refer to the exhibit.

What is the purpose of using the Chart Builder feature on FortiAnalyzer?

A. To add a new chart under FortiView to be used in new reports

B. To build a dataset and chart automatically, based on the filtered search results

C. To add charts directly to generate reports in the current ADOM

D. To build a chart automatically based on the top 100 log entries

Correct Answer: B

Community vote distribution


B (100%)

Thomas_2020 1 month, 3 weeks ago

Selected Answer: B

B is true
upvoted 1 times

r_jordan 2 months ago

Selected Answer: B

it is B
upvoted 1 times

DaniSerb 3 months ago

Selected Answer: B

A quick way to build a custom dataset and chart is to use the chart builder tool. This tool is located in LogView, and allows you to build a dataset and chart automatically, based on your filtered search results. In LogView, set filters to return the logs you want.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times


Question #14 Topic 1

What are two effects of enabling auto-cache in a FortiAnalyzer report? (Choose two.)

A. The size of newly generated reports is optimized to conserve disk space.

B. FortiAnalyzer local cache is used to store generated reports.

C. When new logs are received, the hard-cache data is updated automatically.

D. The generation time for reports is decreased.

Correct Answer: CD

Community vote distribution


CD (90%) 10%

DaniSerb (Highly Voted) 3 months ago

Selected Answer: CD

To boost the report performance and reduce report generation time, you can enable auto-cache in the settings of the report. In this case, the hcache is automatically updated when new logs come in and new log tables are generated.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 5 times

myrmidon3 (Most Recent) 4 weeks, 1 day ago

Selected Answer: CD

To boost the report performance and reduce report generation time, you can enable auto-cache in the settings of the report. In this case, the hcache is automatically updated when new logs come in and new log tables are generated.
FAZ Analyst 7.2 Study Guide page 166
upvoted 1 times

rac_sp 1 month, 2 weeks ago

Selected Answer: CD

Data is stored in the cache


upvoted 1 times

Thomas_2020 1 month, 3 weeks ago

Selected Answer: CD

C and D are correct
upvoted 2 times

r_jordan 2 months ago

Reports are not stored in the cache. Data is stored in the cache. C and D
upvoted 2 times

shinichi18 3 months, 1 week ago

Selected Answer: BD

B and D....
upvoted 1 times


Question #15 Topic 1

Which statement about sending notifications with incident updates is true?

A. Notifications can be sent only when an incident is created or deleted.

B. You must configure an output profile to send notifications by email.

C. Each incident can send notifications to a single external platform.

D. Each connector used can have different notification settings.

Correct Answer: D

Community vote distribution


D (100%)

r_jordan 2 months ago

Selected Answer: D

D is correct
upvoted 1 times

DaniSerb 3 months ago

Selected Answer: D

Incidents will usually go through several stages during the analysis process. In most cases, it is important to make sure all parties involved are notified when the incident status is updated.

You can add more than one fabric connector, each with the same or different notification settings. The receiving side of the connector must be configured for the notifications to be sent successfully.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 3 times

Question #16 Topic 1

Why must you wait for several minutes before you run a playbook that you just created?

A. FortiAnalyzer needs that time to parse the new playbook.

B. FortiAnalyzer needs that time to back up the current playbooks.

C. FortiAnalyzer needs that time to ensure there are no other playbooks running.

D. FortiAnalyzer needs that time to debug the new playbook.

Correct Answer: A

Community vote distribution


A (100%)

DaniSerb 3 months ago

Selected Answer: A

Also keep in mind that after a new playbook is created, FortiAnalyzer will need a few minutes to parse it. For example, if you try to run a newly created playbook configured with an ON_DEMAND trigger before that time, you will get an error, like the one shown on the slide, telling you why the playbook failed to run.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 4 times


Question #17 Topic 1

Refer to the exhibit.

Based on the partial outputs displayed, which devices can be members of a FortiAnalyzer Fabric?

A. FortiAnalyzer1 and FortiAnalyzer3

B. FortiAnalyzer1 and FortiAnalyzer2

C. All devices listed can be members

D. FortiAnalyzer2 and FortiAnalyzer3

Correct Answer: B

Community vote distribution


C (90%) 10%


emershow 3 weeks, 2 days ago

The display of this question is incorrect, exam topics please check.
upvoted 1 times

hugoescorcia82 1 month, 1 week ago

Selected Answer: C

The guide only talks about the same time


upvoted 1 times

mordechayd 2 months, 1 week ago

Selected Answer: C

C. All FortiAnalyzers with the same time zone and in analyzer operation mode (not collector) can be part of a FortiAnalyzer Fabric.
upvoted 4 times

DaniSerb 3 months ago

Selected Answer: C

Members are devices in the FortiAnalyzer Fabric that send information to the supervisor for centralized viewing. When configured as a member, FortiAnalyzer devices continue to have access to the FortiAnalyzer features identified in the FortiAnalyzer Administration Guide. Incidents and events are created or raised from each member.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 4 times

shinichi18 3 months, 1 week ago

Selected Answer: B

B would be correct if it is because of the max-running-reports line.


upvoted 1 times


Question #18 Topic 1

An administrator has configured the following settings:

config system fortiview setting

set resolve-ip enable

end

What is the significance of running this command?

A. Use this command only if the source IP addresses are not resolved on FortiGate.

B. It resolves the source and destination IP addresses to a hostname in FortiView on FortiAnalyzer.

C. It resolves the destination IP address to a hostname in FortiView on FortiAnalyzer.

D. You must configure local DNS servers on FortiGate for this command to resolve IP addresses on FortiAnalyzer.

Correct Answer: B

Community vote distribution


B (67%) C (33%)

r_jordan 1 month, 2 weeks ago

Selected Answer: C

only Destination will be resolved


upvoted 1 times

Thomas_2020 1 month, 3 weeks ago

Selected Answer: C

C, page 167, FAZ 7.0


upvoted 1 times

DaniSerb 3 months ago

Selected Answer: B

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-to-configure-FortiGate-and-FortiAnalyzer-to/ta-p/223347
upvoted 4 times

rac_sp 1 month, 2 weeks ago

Note that SOC/FortiView has its own settings which control if the destination IP addresses should be resolved or not, as this would use the FortiAnalyzer side system DNS servers to resolve both source and destination.
upvoted 1 times


Question #19 Topic 1

Refer to the exhibit.

Laptop1 is used by several administrators to manage FortiAnalyzer. You want to configure a generic text filter that matches all login attempts to the web interface generated by any user other than “admin”, and coming from Laptop1.

Which filter will achieve the desired result?

A. operation~login & dstip==10.1.1.210 & user!~admin

B. operation~login & srcip==10.1.1.100 & dstip==10.1.1.210 & user==admin

C. operation~login & performed_on=="GUI(10.1.1.210)" & user!=admin

D. operation~login & performed_on=="GUI(10.1.1.100)" & user!=admin

Correct Answer: D

Community vote distribution


D (100%)

sandfred 1 month, 3 weeks ago

Selected Answer: D

Similar example from FortiAnalyzer 7.0 Lab Guide, page 85:

Edit the generic text filter with user==admin to match any login attempts with that user.
4. Add the text operation=="login failed" to match only failed login attempts. If you don't include this condition, you will get more matches than what is required.
5. Add the text performed_on!~10.0.1.10. This includes any attempts coming from devices with an IP address that is not the one configured on the Local-Client computer. You need this syntax because the requirements do not specify the method the attacker uses to try to access FortiAnalyzer. If you were looking only for attempts using a browser, you could use performed_on!="GUI(10.0.1.10)" instead. If you were looking only for attempts using SSH, you could use performed_on!="ssh(10.0.1.10)" instead.
6. Combine the three conditions with a logical and.
operation=="login failed" & user==admin & performed_on!~10.0.1.10
upvoted 1 times


Question #20 Topic 1

Which two actions should an administrator take to view Compromised Hosts on FortiAnalyzer? (Choose two.)

A. Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer.

B. Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date.

C. Make sure all endpoints are reachable by FortiAnalyzer.

D. Enable device detection on the FortiGate devices that are sending logs to FortiAnalyzer.

Correct Answer: AB

Community vote distribution


AB (100%)

r_jordan 2 months ago

Selected Answer: AB

A and B
upvoted 1 times

DaniSerb 3 months ago

Selected Answer: AB

A: FortiAnalyzer downloads threat intelligence FortiGuard package (TDS) every day

B: FortiAnalyzer runs real-time threat detection when it receives logs from the FortiGate web filter

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 3 times

Question #21 Topic 1

Which statement describes online logs on FortiAnalyzer?

A. Logs that reached a specific size and were rolled over

B. Logs that can be used to create reports

C. Logs that can be viewed using Log Browse

D. Logs that are saved to disk, compressed, and available in FortiView

Correct Answer: B

Community vote distribution


B (100%)

r_jordan 2 months ago

Selected Answer: B

B is correct
upvoted 1 times

DaniSerb 3 months ago

Selected Answer: B

The saved logs are simultaneously indexed in the SQL database to support analysis. Logs in the indexed phase are known as analytics logs. These logs are considered online and offer immediate analytic support. You can view these logs using Log View, FortiView, FortiSoC, and Reports. Analytics logs are purged from the SQL database as specified in the ADOM data policy.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 3 times


Question #22 Topic 1

How can you attach a report to an incident?

A. By attaching it to an event handler alert

B. By editing the settings of the desired report

C. From the properties of an existing incident

D. Saving it in JSON format, and then importing it

Correct Answer: C

Community vote distribution


C (100%)

r_jordan 2 months ago

Selected Answer: C

No, only C is correct. Answer B says on the desired report, hence not generated yet. Which is incorrect.
upvoted 2 times

DaniSerb 3 months ago

B and C are both correct?

The following are the three ways that you can attach a report:
• Manually, from an existing report.
• Manually, from an existing incident.
• Automatically, by automation playbooks.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times

Question #23 Topic 1

Why run the command diagnose sql status sqlplugind?

A. To list the current SQL processes running

B. To check what is the database log insertion status

C. To display the SQL query connections and hcache status

D. To view the current hcache size

Correct Answer: B

Community vote distribution


B (100%)

r_jordan 2 months ago

Selected Answer: B

B is correct
upvoted 1 times

DaniSerb 3 months ago

Selected Answer: B

What is the SQL insertion status - Use CLI command "diagnose sql status sqlplugind"

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 3 times


Question #24 Topic 1

What are two benefits of using fabric connectors? (Choose two.)

A. They allow FortiAnalyzer to send logs in real-time to public cloud accounts.

B. You do not need an additional license to send logs to the cloud platform.

C. Fabric connectors allow you to improve redundancy.

D. Using fabric connectors is more efficient than using third-party polling with API.

Correct Answer: BD

d3b8198 2 weeks, 3 days ago

Fabric Connectors are of 3 types: 1- storage public cloud accounts (MS Azure, Amazon AWS S3 and Google GCP); 2- ITSM and Webhook; 3- FortiEMS, FortiMail and FortiGate. So Fabric Connector allows FortiAnalyzer to send logs in real-time to a CSP cloud storage account.
upvoted 1 times

Question #25 Topic 1

What happens when the IOC breach detection engine on FortiAnalyzer finds web logs that match a blocklisted IP address?

A. The endpoint is marked as Compromised and, optionally, can be put in quarantine.

B. FortiAnalyzer flags the associated host for further analysis.

C. A new Infected entry is added for the corresponding endpoint.

D. The detection engine classifies those logs as Suspicious.

Correct Answer: A

Community vote distribution


C (100%)

LAFNELL 1 month, 1 week ago

Selected Answer: C

C is correct
upvoted 1 times

Thomas_2020 1 month, 4 weeks ago

C correct
upvoted 1 times

r_jordan 2 months ago

Selected Answer: C

C is correct
upvoted 2 times

paytenj10 2 months ago

If a match is found in the blacklist, then FortiAnalyzer displays the endpoint in Compromised Hosts with a Verdict of Infected.

The answer is C
upvoted 1 times


Question #26 Topic 1

After generating a report, you notice the information you were expecting to see is not included in it.

What are two possible reasons for this scenario? (Choose two.)

A. You enabled auto-cache with extended log filtering.

B. The logfiled service has not indexed all the expected logs.

C. The logs were overwritten by the data retention policy.

D. The time frame selected in the report is wrong.

Correct Answer: BD

Community vote distribution


CD (100%)

Eylo 1 month ago

C and D are correct
upvoted 1 times

r_jordan 2 months ago

Selected Answer: CD

C and D
upvoted 2 times

Rewrock 2 months ago

Selected Answer: CD

According to the study guide, page 176


upvoted 2 times

mordechayd 2 months, 1 week ago

Selected Answer: CD

According to the study guide, page 176


upvoted 3 times


Question #27 Topic 1

Which statement about the FortiSOAR management extension is correct?

A. It requires a FortiManager configured to manage FortiGate.

B. It requires a dedicated FortiSOAR device or VM.

C. It does not include a limited trial by default.

D. It runs as a docker container on FortiAnalyzer.

Correct Answer: D

Community vote distribution


D (100%)

onki666 3 weeks, 5 days ago

D, page 96 in FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2
upvoted 1 times

r_jordan 1 month, 2 weeks ago

Selected Answer: D

SOAR includes limited trial by default. So D.


upvoted 1 times

Thomas_2020 1 month, 3 weeks ago

C is correct, page 188, FAZ 7.0
upvoted 1 times

DaniSerb 3 months ago

Selected Answer: D

Fortinet offers two dedicated products, FortiSOAR and FortiSIEM, that expand these capabilities and add many others. FortiSOAR is available as a stand-alone product and as a management extension application that can be installed on FortiAnalyzer.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2


upvoted 2 times


Question #28 Topic 1

Which item must you configure on FortiAnalyzer to email generated reports automatically?

A. Output profile

B. Report scheduling

C. SFTP server

D. SNMP server

Correct Answer: A

Community vote distribution

A (100%)

myrmidon3 3 weeks, 6 days ago

Selected Answer: A

FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2, page 165

upvoted 1 times

DaniSerb 3 months ago

Selected Answer: A

The output profile specifies the following:

• The format of the report, such as PDF, HTML, XML, and CSV
• Whether to email generated reports or upload them to a server. You can specify one option, both, or create multiple output profiles. Server options include FTP, SFTP, and SCP.
• Whether to delete the report locally after uploading it to the server

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2

upvoted 3 times

Question #29 Topic 1

What is the purpose of using prefilters when configuring event handlers?

A. They limit which logs are checked for matches by the other filters.

B. They can filter the logs before they are processed by FortiAnalyzer.

C. They download new filters to be used in event handlers.

D. They are common filters applied simultaneously to all event handlers.

Correct Answer: A

Community vote distribution

A (100%)

DaniSerb 3 months ago

Selected Answer: A

You can also add a prefilter, which is a common filter that will be applied before all other ones configured. The conditions on the prefilter can then be used to limit which logs will be checked for matches by the other filters. Because of that, they are also known as exclusion filters.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2

upvoted 3 times


Question #30 Topic 1

Refer to the exhibit.

Which statement is correct regarding the event displayed?

A. The security event risk is considered open.

B. The security risk was blocked or dropped.

C. The risk source is isolated.

D. An incident was created from this event.

Correct Answer: A

Community vote distribution

A (100%)

DaniSerb (Highly Voted) 3 months ago

Selected Answer: A

Unhandled: The security event risk is not mitigated or contained, so it is considered open.
For example, an IPS/AV log with action=pass will have the event status Unhandled.
Botnet and IoC events are also considered Unhandled.

Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2

upvoted 6 times

Thomas_2020 (Most Recent) 1 month, 3 weeks ago

Selected Answer: A

A is correct, page 206, FAZ 7.0

upvoted 2 times

Question #31 Topic 1

Refer to the exhibit.

Which statement is correct regarding the event displayed?

A. The security event risk is considered open.

B. The security risk was blocked or dropped.

C. The risk source is isolated.

D. An incident was created from this event.

Correct Answer: A


Question #32 Topic 1

What is the purpose of predefined report templates on FortiAnalyzer?

A. They can be customized to meet the needs of the intended audience.

B. They can be created by saving reports as templates.

C. They specify the layout used in reports.

D. They include the data used in reports charts.

Correct Answer: C

Question #33 Topic 1

Refer to the exhibit.

What does the data point at 21:20 indicate?

A. FortiAnalyzer has temporarily stopped receiving logs so older logs can be indexed.

B. FortiAnalyzer is dropping logs to catch up.

C. The fortilogd daemon is ahead in indexing by one log.

D. FortiAnalyzer is indexing logs faster than logs are being received.

Correct Answer: D


Question #34 Topic 1

What is the purpose of output variables?

A. To store playbook execution statistics

B. To save all the task settings when a playbook is exported

C. To display details of the connectors used by a playbook

D. To use the output of the previous task as the input of the current task

Correct Answer: D

Question #35 Topic 1

Which two methods can you use to send notifications when an event occurs that matches a configured event handler? (Choose two.)

A. Send Alert through Fabric Connectors

B. Send Alert through FortiSIEM MEA

C. Send SNMP trap

D. Send SMS notification

Correct Answer: AC


Question #36 Topic 1

Refer to the exhibit.

Which FortiAnalyzer tool can refer to the Cyber Kill Chain stages and allows you to identify which Fortinet products can protect you against new vulnerabilities?

A. Threat hunting SIEM table

B. Outbreak detection services

C. FortiSOC dashboards

D. FortiView Monitor top threats

Correct Answer: A

Question #37 Topic 1

Which two statements are true regarding log fetching on FortiAnalyzer? (Choose two.)

A. Log fetching allows the administrator to fetch analytics logs from another FortiAnalyzer for redundancy.

B. Log fetching allows the administrator to run queries and reports against historical data by retrieving archived logs from one FortiAnalyzer device and sending them to another FortiAnalyzer device.

C. A FortiAnalyzer device can perform either the fetch server or client role, and it can perform two roles at the same time with the same FortiAnalyzer devices at the other end.

D. Log fetching can be done only on two FortiAnalyzer devices that are running the same firmware version.

Correct Answer: CD


Question #38 Topic 1

Which SQL query is in the correct order to query the database in the FortiAnalyzer?

A. FROM $log WHERE 'user'='USER1' SELECT devid GROUP BY devid

B. SELECT devid FROM $log GROUP BY devid WHERE 'user'='USER1'

C. SELECT devid FROM $log WHERE 'user'='USER1' GROUP BY devid

D. SELECT devid WHERE 'user'='USER1' FROM $log GROUP BY devid

Correct Answer: C

Question #39 Topic 1

You are looking for a playbook that was exported by a junior administrator. You perform a search and find the files listed below.

Which file will perform an import operation?

A. Exported_playbook.json

B. Exported_playbook.csv

C. Exported_playbook.txt

D. Exported_playbook.sql

Correct Answer: A

Question #40 Topic 1

Which two statements about a FortiAnalyzer Fabric are true? (Choose two.)

A. Fabric members must be in the same time zone as the supervisor.

B. Fabric members and the supervisor support HA.

C. All fabric members must run in collector mode except the supervisor.

D. The supervisor can access the logs in the fabric members using an API.

Correct Answer: AD


Question #41 Topic 1

Which statement is true about sending notifications with incident updates?

A. If you use multiple fabric connectors, all connectors must have the same notification settings.

B. Notifications can be sent only by email.

C. Notifications can be sent only when an incident is updated or deleted.

D. You can send notifications to multiple external platforms.

Correct Answer: D

Question #42 Topic 1

Which statement describes archive logs on FortiAnalyzer?

A. Logs compressed and saved in files with the .gz extension

B. Logs a FortiAnalyzer administrator can access in FortiView

C. Logs that are indexed and stored in the SQL database

D. Logs previously collected from devices that are offline

Correct Answer: A

Question #43 Topic 1

Which statement correctly describes the management extensions available on FortiAnalyzer?

A. Management extensions allow FortiAnalyzer to act as a FortiSIEM supervisor.

B. Management extensions may require a minimum number of CPU cores to run.

C. Management extensions require a dedicated VM for best performance.

D. Management extensions do not require additional licenses.

Correct Answer: B


Question #44 Topic 1

Refer to the exhibit.

The image shows the details of a playbook after it finished running.

What is the status of the playbook?

A. Running

B. Success

C. Upstream_failed

D. Failed

Correct Answer: D

Question #45 Topic 1

What are two advantages of grouping similar reports? (Choose two.)

A. Reduces the number of hcache tables and improves auto-hcache completion time

B. Conserves disk space on FortiAnalyzer by grouping multiple similar reports

C. Improves report completion time

D. Provides a better summary of reports

Correct Answer: AC


Question #46 Topic 1

In Log View, you can use the Chart Builder feature to build a dataset and chart based on the filtered search results.

Similarly, which feature can you use for FortiView?

A. Export to Chart Library

B. Export to Custom Chart

C. Export to Chart Builder

D. Export to Report Chart

Correct Answer: D
