Fortinet Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst FCP_FAZ_AN-7.6 Exam Dumps: Updated Questions & Answers (June 2026)

Exact Extract: Study Guide p.120: FortiAI can support incident investigation, response, threat hunting, impact analysis, and remediation recommendations.

Technical Deep Dive: The correct answers are B, C, and E. FortiAI in FortiAnalyzer is designed to assist SOC workflows: interpreting security events, generating incident summaries, identifying possible impacts, recommending remediation, generating queries, and supporting threat hunting. Site-to-site VPN and SD-WAN overlay configuration are FortiGate/FortiManager network configuration tasks, not the FortiAnalyzer FortiAI use cases described in the Analyst guide. The guide keeps FortiAI scoped to FortiAnalyzer security operations and analytics workflows.

Exact Extract: Official Fortinet 7.6 documentation: historical logs migrate from PSQL to ClickHouse, and real-time logs insert into ClickHouse.

Technical Deep Dive: The correct answer is A. FortiAnalyzer 7.6 uses ClickHouse as the backend log database for on-premises log analytics. This change supports faster analytical queries and scalable handling of large log datasets. MySQL and Elasticsearch are not the FortiAnalyzer 7.6 log database. PostgreSQL was used in previous versions for log tables, but Fortinet’s 7.6 documentation states that historical logs are migrated from PSQL to ClickHouse and new real-time logs are inserted into ClickHouse.

Exact Extract: Study Guide p.134-p.135: Outbreak Detection Service is licensed and downloads related event handlers and reports from FortiGuard.

Technical Deep Dive: The correct answers are A and B. The Outbreak Detection Service requires a license and allows FortiAnalyzer to receive outbreak alerts and automatically download related event handlers and reports created by Fortinet for emerging threats. Option C is wrong because outbreak alerts are available on all ADOMs, not root only. Option D is not the core mechanism described in the guide; the feature is FortiGuard-delivered content within FortiAnalyzer, not simply email-based alerting.

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.43 and p.58: Log View uses normalized format, and the GUI can toggle between formatted and raw log views.

Technical Deep Dive: The correct answers are A and D. The exhibit shows a raw key/value style log display, so it is in raw log format. However, in FortiAnalyzer Log View, received device logs are parsed and normalized for consistent fields, even when the analyst toggles into raw display. Option B is wrong because formatted view would appear as structured table columns. Option C is not the best conclusion because the displayed raw view is not necessarily the untouched original FortiGate message; it is the raw display of FortiAnalyzer’s stored/normalized log data.

Exact Extract: Study Guide p.208: to run a report as a playbook task, the report must already exist and have auto-cache and extended log filtering enabled.

Technical Deep Dive: The correct answer is A. If the report is not visible as an available report task target, the usual reason is that it does not meet the report-task prerequisites. FortiAnalyzer requires the report to exist already and to have both auto-cache and extended log filtering enabled. Option B is irrelevant because a running playbook does not hide a report definition. Option C is wrong because the trigger starts the playbook, not the report listing. Option D is wrong because report results are not the prerequisite for listing the report as a task target.

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.

Exact Extract: Study Guide p.102-p.106: incident charts and status tracking help analysts prioritize and manage incident lifecycle changes.

Technical Deep Dive: The correct answer is C. When an incident is closed as remediated, the incident dashboard and incident status views reflect the updated lifecycle state. FortiAnalyzer keeps incidents visible for tracking and audit unless an administrator deletes them separately. The corresponding event is not automatically rewritten as Mitigated simply because the incident is closed. Incident severity is not automatically lowered by changing status; severity and status are separate incident attributes.

Exact Extract: Study Guide p.58: Log View search results can be downloaded, and raw/text filtering helps with exact field syntax.

Technical Deep Dive: The correct answers are A and D. FortiAnalyzer Log View allows administrators to download filtered logs as text or CSV, so the displayed search results can be exported to a file. The exhibit also indicates a text-mode search/filter rather than a purely GUI-built filter. Option B would be true for formatted log tables in general, but the question asks what can be concluded from the displayed search results. Option C is not supported; whether FortiView can analyze related data depends on whether the logs are analytics logs, not merely on the search display.