Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.126: threat hunting is a proactive search for suspicious or risky network activity.

Technical Deep Dive: The correct answer is D. Threat hunting is FortiAnalyzer’s proactive investigation workflow. Instead of waiting for an event handler or incident to tell the SOC what happened, the analyst begins with a hypothesis and searches logs for suspicious patterns. FortiView is valuable for visibility but is not, by itself, the named proactive method. Outbreak alerts notify about emerging threats, and the Incidents dashboard manages known incidents. Threat hunting is the feature that best matches proactive network-security management.

Exact Extract: Study Guide p.78 and p.81: a data selector is a common filter applied before every rule in the event handler.

Technical Deep Dive: The correct answer is C. Data selectors prevent analysts from repeating the same filtering logic in each event-handler rule. They narrow the data evaluated by the handler using device, subnet, and log-field criteria before individual rules are processed. Option A is wrong because data selectors do not control what FortiAnalyzer accepts from registered devices. Option B is invented; they do not download filters. Option D is too broad because a data selector is applied to selected handlers, not automatically to all event handlers at the same time.

Exact Extract: Study Guide p.54: custom views save search filters, device, and time period for repeated Log View searches.

Technical Deep Dive: The correct answer is B. A custom view is designed for exactly this use case: an analyst repeatedly searches Log View with the same filters and wants to avoid rebuilding them every time. A custom dashboard shows widgets and summary data but does not preserve a Log View search workflow. A data selector is used mainly as a reusable filter for event handlers and related features. A macro is for report data extraction, not for reusing interactive log-search parameters.

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.

Exact Extract: Study Guide p.120: FortiAI can support incident investigation, response, threat hunting, impact analysis, and remediation recommendations.

Technical Deep Dive: The correct answers are B, C, and E. FortiAI in FortiAnalyzer is designed to assist SOC workflows: interpreting security events, generating incident summaries, identifying possible impacts, recommending remediation, generating queries, and supporting threat hunting. Site-to-site VPN and SD-WAN overlay configuration are FortiGate/FortiManager network configuration tasks, not the FortiAnalyzer FortiAI use cases described in the Analyst guide. The guide keeps FortiAI scoped to FortiAnalyzer security operations and analytics workflows.

Exact Extract: Study Guide p.39 and p.63: FortiView displays analytics logs, while archive logs are offline and data policy controls retention.

Technical Deep Dive: The correct answers are C and D. If a specific security log is not visible in FortiView, the analyst should verify whether the ADOM data policy has purged or moved analytics logs outside the available window and check the logs through the appropriate log-browsing/search interface. Option A is wrong because .gz archive logs are offline and are not directly opened in FortiView. Option B is too aggressive as a first troubleshooting step; rebuilding the SQL database is not the normal explanation when the issue may simply be retention or archive status.

Exact Extract: Study Guide p.78: event handlers can use notification profiles; p.107 describes external notifications through Fabric connectors.

Technical Deep Dive: The correct answers are A and C. When an event handler generates an event, FortiAnalyzer can use notification mechanisms such as SNMP traps through notification profiles. FortiAnalyzer also supports sending alerts to external platforms using configured Fabric connectors. FortiGuard is not an alert delivery server in this workflow; it supplies threat intelligence and outbreak content. SMS notification is not one of the event-handler notification methods described in the guide sections relevant to this question.

Exact Extract: Study Guide p.185: reports can be attached to incidents manually from an existing report, manually from an incident, or automatically through playbooks.

Technical Deep Dive: The correct answer is A. Incidents are containers for related security events, and attaching a report gives the analyst historical or contextual evidence in addition to real-time event data. Option B is wrong because incident status is managed independently from attached event status. Option C is not a FortiAnalyzer default rule from the guide; SLA response times are organization-specific. Option D is wrong because incidents can be opened and analyzed directly; acknowledgment is not a prerequisite to analysis.

Exact Extract: Study Guide p.83: generic text filters support field operators, including equality and inequality, for precise event-handler matching.

Technical Deep Dive: The correct answer is A. The required filter must match login operations to the GUI from Laptop1 and exclude the admin user. Option A includes the login operation, the correct GUI/IP value for Laptop1, and user!=admin. Option B uses the wrong IP address. Option C incorrectly matches user==admin, which is the opposite of the requirement. Option D lacks the correct performed_on GUI condition and has malformed inequality syntax. For event-handler filters, small syntax or field mistakes change the result completely.