Exact Extract: Study Guide p.43 and p.58: Log View uses normalized format, and the GUI can toggle between formatted and raw log views.

Technical Deep Dive: The correct answers are A and D. The exhibit shows a raw key/value style log display, so it is in raw log format. However, in FortiAnalyzer Log View, received device logs are parsed and normalized for consistent fields, even when the analyst toggles into raw display. Option B is wrong because formatted view would appear as structured table columns. Option C is not the best conclusion because the displayed raw view is not necessarily the untouched original FortiGate message; it is the raw display of FortiAnalyzer’s stored/normalized log data.

Exact Extract: Study Guide p.130: the IOC service uses FortiGuard and analyzes web filtering, DNS, and traffic logs for breach detection.

Technical Deep Dive: The correct answers are B and D. To view compromised hosts, FortiAnalyzer needs relevant logs that expose suspicious destinations or web activity, and it needs current FortiGuard IOC intelligence. Web filtering logs are especially important because they contain URL/domain activity that can be compared with FortiGuard threat intelligence. The FortiGuard subscription keeps the threat database current. Option A may help identify devices in some FortiGate workflows, but it is not the core IOC requirement described in the Analyst guide. Option C is wrong because FortiAnalyzer does not need direct reachability to every endpoint; it evaluates logs received from FortiGate.

Exact Extract: Study Guide p.216: Playbook Monitor provides detailed logs, and failed jobs may include successful individual tasks.

Technical Deep Dive: The correct answers are B and D. Playbook Monitor is the troubleshooting location for playbook execution, and View Log shows task-level detail for the job. A failed playbook job does not mean every task failed; the guide explicitly notes some individual actions may complete successfully. Option A is wrong because FortiAnalyzer does not roll back all completed external or local actions just because a later task failed. Option C is not described as a default debugging playbook workflow in the guide.

Exact Extract: Study Guide p.25-p.26: the supervisor displays member logs, can aggregate report data, and shows events generated on members.

Technical Deep Dive: The correct answers are C, D, and E. FortiAnalyzer Fabric supervisor visibility includes logs collected on members, events generated by member event handlers, and reports that fetch and aggregate data from multiple members. Playbooks are not available as a supervisor-to-member execution module; the guide states supervisors cannot run automation playbooks on members. Indicators are not listed in the Fabric supervisor modules described for member analysis in the study guide.

Exact Extract: Study Guide p.182: auto-cache reduces report generation time and updates hcache automatically when new logs arrive.

Technical Deep Dive: The correct answers are A and B. Auto-cache improves report performance by maintaining the report hard-cache data so FortiAnalyzer does not have to build it from scratch at report-generation time. The guide explicitly states that enabling auto-cache updates hcache when new logs arrive and new log tables are generated. Option C is inaccurate because hcache stores precompiled SQL data, not the generated report files themselves. Option D is wrong because auto-cache improves processing time, not the final report size.

Exact Extract: Study Guide p.22-p.24: analyzer is the default mode; collector mode forwards logs, including to syslog/CEF, and mixed deployments improve scale.

Technical Deep Dive: The correct answers are A and D. In collector mode, FortiAnalyzer collects logs and forwards them to another analyzer, syslog server, or CEF server depending on forwarding mode. A topology using both collectors and analyzers can improve performance and regional scalability by offloading collection and keeping analysis/reporting on analyzer devices. Option B is wrong because analyzer mode is the default, not collector mode. Option C is wrong because collector mode has fewer features and does not provide reporting or event-management capabilities.

Exact Extract: Study Guide p.21-p.24: HA is not supported on supervisors; members provide analyzer features and supervisor visibility does not require log forwarding to supervisor storage.

Technical Deep Dive: The correct answers are B and C. Fabric members must retain analyzer capabilities such as events and reports; collector mode lacks Incidents and Events and reporting, so member devices operate with analyzer functionality. The supervisor provides centralized visibility into logs collected on members rather than requiring members to forward all logs into supervisor storage. Option A is false because HA is not available for the supervisor. Option D is false because the guide states members do not have to share the supervisor time zone.

Exact Extract: Study Guide p.217-p.218: exported playbooks preserve enabled/disabled status, and name conflicts are handled on import.

Technical Deep Dive: The correct answers are A and C. A playbook imported into another ADOM or FortiAnalyzer retains the enabled or disabled status it had when exported, which is why automatic playbooks should be exported disabled. If an imported playbook name already exists, FortiAnalyzer creates a new name with a timestamp to avoid conflicts, so importing with the same name is allowed. Option B is wrong because connectors can be included in the export. Option D is wrong because multiple playbooks can be exported at once.