Exact Extract: Study Guide p.58: Log View search results can be downloaded, and raw/text filtering helps with exact field syntax.

Technical Deep Dive: The correct answers are A and D. FortiAnalyzer Log View allows administrators to download filtered logs as text or CSV, so the displayed search results can be exported to a file. The exhibit also indicates a text-mode search/filter rather than a purely GUI-built filter. Option B would be true for formatted log tables in general, but the question asks what can be concluded from the displayed search results. Option C is not supported; whether FortiView can analyze related data depends on whether the logs are analytics logs, not merely on the search display.

Exact Extract: Study Guide p.82: Contained means the risk source is isolated; antivirus quarantine is the example.

Technical Deep Dive: The correct answer is A. An AV log with action=quarantine indicates the detected file or object has been isolated, so FortiAnalyzer classifies the event status as Contained. An IPS action=pass is Unhandled because the risk was not stopped. WebFilter dropped and AppControl blocked are enforcement outcomes, so they align with Mitigated rather than Contained. The distinction matters in SOC triage because Contained still deserves review, but the immediate source/object has already been isolated.

Exact Extract: Study Guide p.187: troubleshoot slow reports by reviewing diagnostics and enabling auto-cache to reduce generation time.

Technical Deep Dive: The correct answers are B and D. When reports take too long, Fortinet recommends checking report diagnostics and hcache timing, log rates, insert/receive rate, and log insert lag. Enabling auto-cache is also a documented way to improve report generation performance. Option A is not a recommended troubleshooting step in the study guide; removing old hcache blindly can make reports slower because hcache must be rebuilt. Option C is not the relevant control for report generation time in this scenario.

Exact Extract: Study Guide p.175: Chart Builder automatically builds a dataset and chart from filtered Log View search results.

Technical Deep Dive: The correct answer is D. Chart Builder is a shortcut for turning a useful filtered log search into reusable reporting content. The analyst first filters Log View to the desired data, then uses Chart Builder to create the dataset and chart automatically. Option A is wrong because it is not based on a fixed top-100 list. Option B is incomplete because the feature creates chart/dataset objects rather than merely adding a chart to a generated report. Option C incorrectly places the output under FortiView instead of reporting libraries.

Exact Extract: Study Guide p.202: FortiOS connector actions appear only after enabling an automation rule using the Incoming Webhook Call trigger on FortiGate.

Technical Deep Dive: The correct answer is D. A FortiAnalyzer playbook can list a FortiOS connector after FortiGate is added, but the available FortiOS actions depend on FortiGate-side automation rules. FortiGate must expose an Incoming Webhook trigger so FortiAnalyzer can call the automation stitch. A FortiAnalyzer Event Handler is used on FortiAnalyzer to generate events, not to expose FortiOS connector actions. Fabric Connector events and FortiOS Event Log triggers do not provide the FortiAnalyzer-to-FortiGate action handoff tested here.

Exact Extract: Study Guide p.173: macros represent dataset queries in abbreviated form, and macros are ADOM-specific.

Technical Deep Dive: The correct answer is C. FortiAnalyzer macros are not Excel-generation shortcuts and are not fixed templates. A macro is an abbreviated way to insert data extracted by a dataset query into a report without using a chart. Because reports, libraries, and related definitions are separated by ADOM, macros are ADOM-specific. Option A is wrong because custom macros can be created. Option B invents an Excel-specific behavior not described by the guide. Option D is too restrictive because macros are not limited only to FortiGate ADOMs.

Exact Extract: Study Guide p.139: one log message can consist of multiple logs in LZ4 format, explaining the log-rate/message-rate difference.

Technical Deep Dive: The correct answer is A. In the diagnostic output, the message rate being lower than the log rate is normal because FortiAnalyzer can receive a compressed log message that contains multiple individual logs. The log rate counts logs, while the message rate counts received log messages. Option B is not supported because the output does not prove indexing is almost finished. Option C cannot be inferred unless the command output breaks down traffic versus event log counts. Option D is wrong because these fortilogd rate commands are general logging statistics rather than an ADOM-specific view.

Exact Extract: Study Guide p.188: diagnose sql status sqlreportd checks SQL query connections and hcache status for reports.

Technical Deep Dive: The correct answer is C. The sqlreportd diagnostic is a report troubleshooting command focused on SQL query connections and hcache status. It is useful when reports are slow because report generation depends heavily on hcache and SQL query execution. Option A is handled by scheduled report listing commands. Option B maps to diagnose sql process list. Option D maps more closely to sqlplugind insertion status, not sqlreportd.

Exact Extract: Study Guide p.172: templates include only Editor-tab details and do not include report settings or advanced settings.

Technical Deep Dive: The correct answer is C. Templates define the report layout: text, charts, and macros. They do not carry report settings such as the report time range, selected devices, scheduling, filters, output profile, or advanced settings. Reports include those operational settings. Option A is wrong because templates can include macros. Option B is wrong because both reports and templates can be cloned. Option D is imprecise: reports/charts can be imported/exported between same-type ADOMs, while templates are not exported directly, but the tested difference is settings.

Exact Extract: Study Guide p.210: after creating a new playbook, FortiAnalyzer needs a few minutes to parse it.

Technical Deep Dive: The correct answer is A. FortiAnalyzer must parse the newly created playbook before it can execute reliably. Parsing checks the playbook definition and prepares it for execution by the automation engine. Option B is wrong because FortiAnalyzer is not automatically debugging the playbook; debugging happens after a failed or problematic run. Option C is unrelated to playbook creation. Option D is wrong because FortiAnalyzer can track multiple jobs; the wait is about playbook parsing, not waiting for all other playbooks to stop.