Fortinet FCSS_ADA_AR-6.7 - FCSS Advanced Analytics 6.7 Architect

The exhibit shows the directory listings forthree different workers(worker1,worker2, andworker3) under the/querywkr/active/13127*path, which indicatesactive query tasksassigned to each worker.

1.Worker1 (worker1)

The output doesnotshow any subdirectories or task files (13127t0,13127t1, etc.), meaningWorker1 is not assigned any tasks.

2.Worker2 (worker2)

The output showsone task (13127t1)under/querywkr/active/13127*.

The workerhas only one assigned task, not two, so optionsC and D are incorrect.

3.Worker3 (worker3)

The output showstwo tasks (13127t0and13127t1), indicating that Worker3 is processingtwo tasksfor query ID 13127.

In FortiSIEM, some incidents may be triggered due to temporary threshold breaches, especially in availability or performance-related monitoring. These temporary anomalies do not necessarily indicate a persistent issue or security threat.

By automatically clearing such incidents, FortiSIEM prevents unnecessary manual intervention and reduces noise in incident management.

Atmidnight, thedaily database valuesmerge into theprofile database. The new values forHour 9are calculated as follows:

●Minimum CPU Utilization:The new minimum is the lower of the existing (32.31) and new (33.50) values →32.31

●Maximum CPU Utilization:The new maximum is the higher of the existing (32.31) and new (33.50) values →33.50

●Average CPU Utilization:

● The previous average was32.31(from one point).

● The new value from the daily database is33.50(one additional point).

● The new average is calculated as:

Thus, after merging, the updated profile database values forHour 9are:

●Min CPU Util = 32.31

●Max CPU Util = 33.50

●Avg CPU Util = 32.67

When aUser and Entity Behavior Analytics (UEBA) agentisoff-net, meaning it is disconnected from the network and cannot reach the FortiSIEM collector, ittemporarily stores (caches) events locallyuntil it can re-establish a connection.

● This caching mechanismprevents data lossby ensuring events are retained even when the agent is offline.

● Once the connection to theFortiSIEM collector is restored, the agentuploads the cached events.

● This ensurescontinuity in user behavior monitoring, even when users are disconnected.

phRuleMaster runs on both the supervisor and worker nodes, allowing distributed event processing. It receives filtered data from phRuleWorkers and organizes it into buckets before evaluation. Every 30 seconds, it processes the rule data in parallel, ensuring efficient rule execution. The incorrect options suggest that phRuleMaster runs only on the supervisor or evaluates rules sequentially, both of which are inaccurate.

The rule is tracking asudden increase in WMI response timesover a30-minute window. The key detail here is the increase factor.

● The term1.50 times increasemeans the new value is150%of the previous baseline.

● A1.50x increasecorresponds to a150% increase, since the new value isoriginal + 150% of original.

These three processes are essential for aFortiSIEM collector, as they handle event parsing, agent communication, and system monitoring.

●phParseris responsible forparsing and processing collected logsbefore forwarding them.

●phAgentManagermanages agent communication, ensuring logs are received and forwarded correctly.

●phMonitorAgentmonitors the health of the collector itself, reporting system status to the FortiSIEM supervisor.

phReportMasterandphRuleMasterdo not run on collectors. They are supervisor/worker processes handling reporting and rule evaluation, respectively.

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.