When a generated report does not include the expected information despite the logs being present, there are several factors to check to ensure accurate datarepresentation in the report.

Option A - Check the Time Frame Covered by the Report:

Reports are generated based on a specified time frame. If the time frame does not encompass the period when the relevant logs were collected, those logs will not appear in the report. Ensuring the time frame is correctly set to cover the intended logs is crucial for accurate report content.

Conclusion:Correct.

Option B - Disable Auto-Cache:

Auto-cache is a feature in FortiAnalyzer that helps optimize report generation by using cached data for frequently used datasets. Disabling auto-cache is generally not necessary unless there is an issue with outdated data being used. In most cases, it does not directly impact whether certain logs are included in a report.

Conclusion:Incorrect.

Option C - Increase the Report Utilization Quota:

The report utilization quota controls the resource limits for generating reports. While insufficient quota might prevent a report from generating or completing, it does not typically cause specific log entries to be missing. Therefore, this option is not directly relevant to missing data within the report.

Conclusion:Incorrect.

Option D - Test the Dataset:

Datasets in FortiAnalyzer define which logs and fields are pulled into the report. If a dataset is misconfigured, it could exclude certain logs. Testing the dataset helps verify that the correct data is being pulled and that all required logs are included in the report parameters.

Conclusion:Correct.

Conclusion:

Correct Answer:A. Check the time frame covered by the reportandD. Test the dataset.

These actions directly address the issues that could cause missing information in a report when logs are available but not displayed.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

FortiAnalyzer event handlers support alerting when a rule match generates an event. The study guide states that, for an event handler,“You can select a notification profile to send alerts whenever an event is generated by the handler.”In FortiAnalyzer, notification profiles are the mechanism used to deliver alerts outward (for example, via an SNMP trap), which directly aligns with optionA.

In addition, FortiAnalyzer supports sending notifications to external platforms through integrations:“You can configure FortiAnalyzer to send a notification to external platforms using preconfigured Fabric connectors.”This validates the use ofFabric connectorsas a notification delivery method, aligning with optionC.

OptionBis not a notification delivery method for event-handler-generated alerts in the workflow described (FortiGuard is used for threat intelligence/enrichment rather than relaying alerts). OptionDis not presented in the study guide’s described notification mechanisms for event-handler alerting in the referenced sections.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The exhibit shows the log as a single-line key/value entry (not a columnar/table display), which aligns with FortiAnalyzer’sraw log formatview option. The study guide states:“You can toggle between viewing formatted and raw logs.”This directly supports observationD.

At the same time, what you are viewing in FortiAnalyzer Log View isnormalizeddata (FortiAnalyzer parses and maps device logs into standardized fields for consistent searching and analysis). The study guide explicitly states:“The log view allows you to view all log types received by FortiAnalyzer in normalized log format.”It also explains that FortiAnalyzer “uses predefined parsers to extract key fields from ingested logs and maps them to a consistent, standardized set of field names,” then stores them as normalized logs in the SIEM database. This supports observationA.

Finally, the study guide clarifies that even when you switch to raw log format in FortiAnalyzer, you are still observing the normalized-field representation produced by FortiAnalyzer’s parser/normalization process (rather than the untouched original device message). It notes that a FortiGate event log “has been normalized by FortiAnalyzer,” and when you switch “to raw log format,” you can observe the effect of normalization on common fields. This is whyCis not the best description for the exhibit.

FortiAnalyzer manages and stores various types of logs, including local logs, across different ADOMs (Administrative Domains). Each type of log servesspecific purposes, with some logs being ADOM-specific and others providing system-wide information.

Option A - Local Logs Not Supported in FortiView:

Local logs are indeed supported in FortiView. FortiView provides visibility and analytics for different log types across the system, including local logs, allowing users to view and analyze data efficiently.

Conclusion:Incorrect.

Option B - Playbook Logs for All ADOMs in the Root ADOM:

FortiAnalyzer allows centralized viewing of playbook logs across all ADOMs from the root ADOM. This feature provides an overarching view of playbook executions, facilitating easier monitoring and management for administrators.

Conclusion:Correct.

Option C - Event Logs vs. Application Logs:

Event Logsprovide information about system-wide events, such as login attempts, configuration changes, and other critical activities that impact the overall system. These logs apply across the FortiAnalyzer instance.

Application Logsare more specific to individual ADOMs, capturing details that pertain to ADOM-specific applications and configurations.

Conclusion:Correct.

Option D - Event Logs Only in Root ADOM:

Event logs are available across different ADOMs, not exclusively in the root ADOM. They capture system-wide events, but they can be accessed within specific ADOM contexts as needed.

Conclusion:Incorrect.

Conclusion:

Correct Answer:B. You can view playbook logs for all ADOMs in the root ADOMandC. Event logs show system-wide information, whereas application logs are ADOM specific.

These answers correctly describe the characteristics and visibility of local logs within FortiAnalyzer.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The study guide explicitly describes what content fromFabric membersis visible/usable on theFabric supervisor:

Logs:“In the FortiAnalyzer Fabric supervisor,Log View displays logs collected on all FortiAnalyzer Fabric members.”

Reports:“For reports, the FortiAnalyzer Fabric supervisorcan fetch and aggregate data from multiple membersin the FortiAnalyzer Fabric.”

Events:“Events generated by event handlers on the FortiAnalyzer Fabric members are visible on the supervisor.”

By contrast, the study guide lists a key limitation that rules outPlaybooksas a supervisor capability over members: “You are not able to perform configuration changes or torun automation playbooks from the Fabric supervisor to members.”

Therefore, the three modules available for analysis on the supervisor areLogs, Events, and Reports(C, D, E).

To viewCompromised Hostson FortiAnalyzer, certain configurations need to be in place on both FortiGate and FortiAnalyzer. Compromised Host data on FortiAnalyzer relies on log information from FortiGate to analyze threats and compromised activities effectively. Here’s why the selected answers are correct:

Option A: Enable device detection on the FortiGate devices that are sending logs to FortiAnalyzer

Enabling device detection on FortiGate allows it to recognize and log devices within the network, sending critical information about hosts that could be compromised. This is essential because FortiAnalyzer relies on these logs to determine which hosts may be at risk based on suspicious activities observed by FortiGate. This setting enables FortiGate to provide device-level insights, which FortiAnalyzer uses to populate the Compromised Hosts view.

Option B: Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer

Web filtering is crucial in identifying potentially compromised hosts since it logs any access to malicious sites or blocked categories. FortiAnalyzer uses these web filter logs to detect suspicious or malicious web activity, which can indicate compromised hosts. By ensuring that FortiGate sends these web filtering logs to FortiAnalyzer, the administrator enables FortiAnalyzer to analyze and identify hosts engaging in risky behavior.

Let’s review the otheroptions for clarity:

Option C: Make sure all endpoints are reachable by FortiAnalyzer

This is incorrect. FortiAnalyzer does not need direct access to all endpoints. Instead, it collects data indirectly from FortiGate logs. FortiGate devices are theones that interact with endpoints and then forward relevant logs to FortiAnalyzer for analysis.

Option D: Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date

Although subscribing to FortiGuard helps keep threat intelligence updated, it is not a requirement specifically to view compromised hosts. FortiAnalyzer primarily uses logs from FortiGate (such as web filtering and device detection) to detect compromised hosts.