In the exhibit, the playbook configuration shows the analyst working with the "Attach Data" action inside a playbook. Key aspects of the configuration:
Incident ID: This field is linked to the "Playbook Starter," which indicates that the playbook will attach data to the incident that triggered it.
Attachment: The analyst is configuring the attachment by selecting Run_REPORT with a placeholder for report_uuid. The placeholder means the report's UUID is not typed in by hand but is populated at run time from the output of the Run_REPORT task.
Analysis of Options:
Option A - Creating a Trigger Variable:
A trigger variable is defined in the playbook starter (the trigger configuration), not within the "Attach Data" action. Nothing in this setup relates to the trigger; it concerns only the data to be attached.
Conclusion: Incorrect.
Option B - Creating an Output Variable:
The Attachment field with a report_uuid placeholder shows the analyst working with an output variable that holds the report's identifier so it can be attached to the incident. Such a variable can then be referenced by, or passed to, later actions in the playbook for further processing or reporting.
Conclusion: Correct.
Option C - Creating a Report in the Playbook:
Although Run_REPORT is selected, the action being configured is "Attach Data," not report generation. The purpose here is to attach an existing or dynamically generated report to an incident, not to create the report itself.
Conclusion: Incorrect.
Option D - Creating a SOC Report:
Similarly, this configuration is focused on attaching data to an incident, not on generating a SOC report; nothing in the exhibit defines a report.
Conclusion: Incorrect.
Conclusion:
Correct Answer: B. The analyst is trying to create an output variable to be used in the playbook.
The setup lets the playbook fill in report_uuid at run time as an output variable, which further actions within the playbook can then consume.
References:
FortiAnalyzer 7.4.1 documentation on playbook configurations, output variables, and data attachment functionalities.
Question 2
Refer to the exhibit.
What can you conclude about the output?
Options:
A. The low indexing values require investigation.
B. The output is not ADOM specific.
C. There are more event logs than traffic logs.
D. The log rate higher than the message rate is not normal.
Answer: D
Question 3
Which statement describes archive logs on FortiAnalyzer?
Options:
A. Logs that are indexed and stored in the SQL database
B. Logs a FortiAnalyzer administrator can access in FortiView
C. Logs compressed and saved in files with the .gz extension
D. Logs previously collected from devices that are offline
Answer: C
Explanation:
FortiAnalyzer keeps two forms of each log: analytics logs, which are indexed into the SQL database for searching and reporting, and archive logs, which are the raw logs compressed into .gz files for long-term retention. Archiving conserves disk space and allows logs to be retained (for historical or compliance purposes) well beyond the analytics retention period without burdening the database.
Let’s examine each option for clarity:
Option A: Logs that are indexed and stored in the SQL database
This is incorrect. Logs indexed and stored in the SQL database are analytics logs, not archive logs. Archive logs are the compressed raw files; when the analytics retention period expires, the indexed copy is removed from the database while the archive copy can be retained under the archive retention setting.
Option B: Logs a FortiAnalyzer administrator can access in FortiView
This is incorrect because FortiView works from the indexed analytics logs, not from archived logs. Archived logs are retained for long-term storage and are not directly available for analysis in FortiView.
Option C: Logs compressed and saved in files with the .gz extension
This is correct. Archive logs on FortiAnalyzer are stored in compressed .gz files to reduce space usage. This archived format is used for logs that are no longer immediately needed in the SQL database but are retained for historical or compliance purposes.
Option D: Logs previously collected from devices that are offline
This is incorrect. Archived logs may well include data from devices that have since gone offline, but device status has nothing to do with the definition of an archive log; archiving applies to logs from every device.
References: FortiAnalyzer 7.4.1 documentation and configuration guides outline that archived logs are stored in compressed files with the .gz extension to conserve storage space, ensuring FortiAnalyzer can handle a larger volume of logs over extended periods.
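To make the archive-log concept from Question 3 (and the event-versus-traffic distinction from Question 2) concrete, the following is an added Python example, not code from the original page or from Fortinet. It writes a few constructed FortiGate-style key=value log lines into a gzip-compressed file, reads them back, parses the key=value pairs, and counts records by log type. The sample log lines, the file name archive.log.gz, and all function names are assumptions for illustration; FortiAnalyzer's real on-disk archive layout is not reproduced.

```python
import gzip
import os
import re
import tempfile
from collections import Counter

# Constructed sample lines in the FortiGate key=value syslog format that
# FortiAnalyzer receives and later compresses into archive files.
# These are not real device logs; the names and addresses are made up.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 devname="FGT-LAB" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=10.0.0.5 dstip=198.51.100.20 action="accept"',
    'date=2024-05-01 time=10:00:02 devname="FGT-LAB" logid="0100032001" type="event" '
    'subtype="system" level="information" logdesc="Admin login successful" user="admin" status="success"',
    'date=2024-05-01 time=10:00:02 devname="FGT-LAB" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" srcip=10.0.0.7 dstip=198.51.100.9 action="deny"',
    'date=2024-05-01 time=10:00:03 devname="FGT-LAB" logid="0100032002" type="event" '
    'subtype="system" level="alert" logdesc="Admin login failed" user="admin" status="failed"',
]

# key=value pairs; values are either double-quoted (may contain spaces and
# backslash-escaped quotes) or a bare token without whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Parse one FortiGate-style log line into a dict of field -> value."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def write_archive(lines, path):
    """Compress raw log lines into a .gz file, one log per line."""
    with gzip.open(path, "wt", encoding="utf-8") as f:
        for line in lines:
            f.write(line + "\n")


def read_archive(path):
    """Stream parsed records back out of a .gz archive without loading it whole."""
    with gzip.open(path, "rt", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                yield parse_log_line(line)


def count_by_type(records):
    """Count records by the 'type' field (traffic, event, utm, ...)."""
    return Counter(r.get("type", "unknown") for r in records)


def failed_admin_logins(records):
    """Pick out system events whose status is 'failed' (e.g. bad admin logins)."""
    return [
        r for r in records
        if r.get("type") == "event" and r.get("subtype") == "system" and r.get("status") == "failed"
    ]


def demo():
    """Round-trip the sample logs through a gzip archive and summarise them."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "archive.log.gz")  # hypothetical archive file name
    write_archive(SAMPLE_LOGS, path)

    raw_size = sum(len(line.encode("utf-8")) + 1 for line in SAMPLE_LOGS)
    compressed_size = os.path.getsize(path)

    records = list(read_archive(path))
    return {
        "counts": count_by_type(records),
        "failed_logins": failed_admin_logins(records),
        "raw_size": raw_size,
        "compressed_size": compressed_size,
    }


if __name__ == "__main__":
    result = demo()
    print("records by type:", dict(result["counts"]))
    print("failed admin logins:", len(result["failed_logins"]))
    print("raw bytes:", result["raw_size"], "compressed bytes:", result["compressed_size"])
```

The point of the round trip is that the archive is just the raw log text, compressed: nothing about it is indexed, so answering a question such as "how many failed admin logins" means decompressing and scanning every line, which is exactly why FortiView and reports work from the SQL-indexed analytics copy rather than from the .gz archives.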