Fortinet Exam FCSS_SOC_AN-7.4 Topic 3 Question 8 Discussion

Actual exam question for Fortinet's FCSS_SOC_AN-7.4 exam
Question #: 8
Topic #: 3

Refer to the exhibits.

You configured a spearphishing event handler and the associated rule. However, FortiAnalyzer did not generate an event.

When you check the FortiAnalyzer log viewer, you confirm that FortiSandbox forwarded the appropriate logs, as shown in the raw log exhibit.

What configuration must you change on FortiAnalyzer in order for FortiAnalyzer to generate an event?

Suggested Answer: B, D, E

Overview of Indicators of Compromise (IoCs): Indicators of Compromise (IoCs) are pieces of evidence that suggest a system may have been compromised. These can include unusual network traffic patterns, the presence of known malicious files, or other suspicious activities.

FortiAnalyzer's Role: FortiAnalyzer aggregates logs from various Fortinet devices to provide comprehensive visibility and analysis of network events. It uses these logs to identify potential IoCs and compromised hosts.

Relevant Log Types:

DNS Filter Logs:

DNS requests are a common vector for malware communication. Analyzing DNS filter logs helps in identifying suspicious domain queries, which can indicate malware attempting to communicate with command and control (C2) servers.
IPS Logs:

Intrusion Prevention System (IPS) logs detect and block exploit attempts and malicious activities. These logs are critical for identifying compromised hosts based on detected intrusion attempts or behaviors matching known attack patterns.

Web Filter Logs:

Web filtering logs monitor and control access to web content. These logs can reveal access to malicious websites, download of malware, or other web-based threats, indicating a compromised host.

Why Not Other Log Types:

Email Filter Logs:

While important for detecting phishing and email-based threats, they are not as directly indicative of compromised hosts as DNS, IPS, and Web filter logs.

Application Filter Logs:

These logs control application usage but are less likely to directly indicate compromised hosts compared to the selected logs.

Detailed Process:

Step 1: FortiAnalyzer collects logs from FortiGate and other Fortinet devices.

Step 2: DNS filter logs are analyzed to detect unusual or malicious domain queries.

Step 3: IPS logs are reviewed for any intrusion attempts or suspicious activities.

Step 4: Web filter logs are checked for access to malicious websites or downloads.

Step 5: FortiAnalyzer correlates the information from these logs to identify potential IoCs and compromised hosts.

Fortinet Documentation: FortiOS DNS Filter, IPS, and Web Filter administration guides.

FortiAnalyzer Administration Guide: Details on log analysis and IoC identification.

By using DNS filter logs, IPS logs, and Web filter logs, FortiAnalyzer effectively identifies possible compromised hosts, providing critical insights for threat detection and response.
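As an added illustration of the five-step correlation described above (example code written for this page, not part of Fortinet's products or documentation): a small Python script that parses FortiGate-style key=value log lines from the DNS filter, IPS and web filter log types, keeps only the events that count as indicator hits, and flags source hosts that are corroborated by more than one log type. The sample log lines, the action values treated as hits and the two-log-type threshold are constructed assumptions; field names such as srcip, subtype, qname, attack and url follow FortiGate's log conventions.

```python
import re
from collections import defaultdict

# Constructed sample logs in FortiGate key=value style. The field names follow
# FortiGate conventions; the hosts, domains and attack names are invented for
# this example and not taken from any real device or exhibit.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:01:02 type="utm" subtype="dnsfilter" level="warning" srcip=10.1.1.20 qname="update-check.example-bad.test" action="block" cat=26',
    'date=2024-05-01 time=10:01:05 type="utm" subtype="ips" level="alert" srcip=10.1.1.20 dstip=203.0.113.9 attack="Generic.C2.Beacon" action="dropped" severity="critical"',
    'date=2024-05-01 time=10:02:30 type="utm" subtype="webfilter" level="warning" srcip=10.1.1.20 url="http://example-bad.test/payload.bin" action="blocked" cat=26',
    'date=2024-05-01 time=10:03:00 type="utm" subtype="dnsfilter" level="notice" srcip=10.1.1.21 qname="www.example.org" action="pass" cat=52',
    'date=2024-05-01 time=10:04:10 type="utm" subtype="webfilter" level="warning" srcip=10.1.1.22 url="http://blocked.example.test/" action="blocked" cat=26',
    'date=2024-05-01 time=10:05:00 type="utm" subtype="emailfilter" level="warning" srcip=10.1.1.23 action="blocked"',
]

# key=value pairs; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


# Which action values count as an indicator hit, per log type (assumption:
# only the three log types named in the explanation are considered; email
# filter and application control events are ignored on purpose).
IOC_RULES = {
    "dnsfilter": lambda f: f.get("action") in {"block", "redirect"},
    "ips": lambda f: f.get("action") in {"dropped", "detected", "reset"},
    "webfilter": lambda f: f.get("action") == "blocked",
}


def collect_indicators(lines):
    """Group indicator hits per source host: {srcip: {subtype: [evidence, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        f = parse_log(line)
        rule = IOC_RULES.get(f.get("subtype"))
        if rule is None or "srcip" not in f or not rule(f):
            continue  # not one of the three log types, or a benign/pass event
        evidence = f.get("qname") or f.get("attack") or f.get("url") or "?"
        hits[f["srcip"]][f["subtype"]].append(evidence)
    return hits


def compromised_hosts(lines, min_log_types=2):
    """Return (srcip, [log types]) for hosts with hits in at least
    `min_log_types` distinct log types, strongest corroboration first."""
    hits = collect_indicators(lines)
    ranked = [
        (ip, sorted(types.keys()))
        for ip, types in hits.items()
        if len(types) >= min_log_types
    ]
    return sorted(ranked, key=lambda x: (-len(x[1]), x[0]))


if __name__ == "__main__":
    for ip, types in compromised_hosts(SAMPLE_LOGS):
        print(f"{ip}: corroborated by {', '.join(types)}")
```

With the constructed logs, only 10.1.1.20 is reported, because it has hits in all three log types; 10.1.1.22 has a single blocked web request and stays below the threshold, and the email filter event for 10.1.1.23 is not considered at all. Lowering `min_log_types` to 1 turns the script into a plain per-host hit list, which is noisier but useful for triage.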

Contribute your Thoughts:

Darnell
22 days ago
Haha, 'Within a group, the log field Malware Name (mname) has 2 or more unique values'? Sounds like someone had a little too much fun with the question wording. I'll stick with option B, thanks.
upvoted 0 times
Dominga
1 day ago
I agree, that wording is a bit confusing. Option B seems like the most straightforward choice.
upvoted 0 times
Winifred
1 month ago
Ah, the old 'change the trigger condition' trick. Nice try, but I think option B is the way to go. Gotta love these certification exams, they really keep you on your toes!
upvoted 0 times
Rima
2 days ago
Yeah, those certification exams really make you think. Option B it is!
upvoted 0 times
Florinda
18 days ago
I agree, option B seems like the most logical choice in this scenario.
upvoted 0 times
Art
20 days ago
Option B is definitely the way to go. Certification exams can be tricky!
upvoted 0 times
Anthony
1 month ago
Option C is a bit weird, typing in that specific log filter text. Feels like a trick question, you know? I'm going to go with the safer option B.
upvoted 0 times
Elenora
3 days ago
I agree, option C does seem a bit strange. Option B seems like a safer choice.
upvoted 0 times
Rory
1 month ago
Hmm, looks like we need to configure a FortiSandbox data selector and add it to the event handler. Seems straightforward enough, but I wonder if there's a catch hidden in the details.
upvoted 0 times
Dorian
2 months ago
I'm not sure, but I think option A) changing the Log Type field to AntiVirus Log(malware) could also be a valid configuration change.
upvoted 0 times
Dannie
2 months ago
I agree with Orville, adding a FortiSandbox data selector seems like the right configuration change.
upvoted 0 times
Orville
2 months ago
I think the answer is B) Configure a FortiSandbox data selector and add it to the event handler.
upvoted 0 times