Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Fortinet_FCP_FSM_AN-7.2/page_17_img_1.jpg Which two conditions will match this rule and subpatterns? (Choose two.)

A user using RDP over SSL VPN fails to log in to an application five times.

Question 1 - Fortinet FCP_FSM_AN-7.2 Real Exam Questions [Jan 2026 Update]

Q: 1

Refer to the exhibit.

Which two conditions will match this rule and subpatterns? (Choose two.)

Options

Correct Answer:

A, B

Explanation

The FortiSIEM correlation rule shown is designed to detect a brute-force attack against RDP. The rule is triggered by Windows Security Event ID 4625, which signifies a failed logon. The rule specifically filters for Logon Type 10, which corresponds to a RemoteInteractive logon (RDP).

The logic requires an initial failed logon event (Subpattern 1) followed by four more identical events (Subpattern 2) for the same user (subpattern1.user = subpattern2.user) within a 60-second window. This totals five failed RDP logon attempts for a single user in under a minute. Both a user failing to log in five times via RDP and a brute-force password cracker tool would generate this exact pattern of events.

Why Incorrect

C. This option describes only two failed logins, which is below the threshold of five required to trigger the correlation rule.

D. Connecting to an incorrect IP address results in a network-level connection failure. This action does not generate a logon failure event (Event ID 4625) on the intended target server.

References

1. FortiSIEM - Rule Writing Guide Version 7.2.0

Chapter: Rules > Correlation Rules

p. 111. This guide explains the structure of correlation rules

including the use of sub-patterns

conditions (COUNT)

and time windows to detect sequences of events. The configuration in the exhibit directly maps to the examples of building a multi-event correlation rule.

2. Microsoft Corporation

Official Security Documentation

"4625(F): An account failed to log on." This official documentation defines Windows Security Event ID 4625. It also specifies the meaning of the Logon Type field

confirming that Logon Type: 10 corresponds to a RemoteInteractive session

which is used for Terminal Services

Remote Assistance

and Remote Desktop connections.

3. FortiSIEM - Concepts Guide Version 7.2.0

Chapter: Real-time

In-memory Event Correlation

p. 16. This guide describes the purpose of the correlation engine

which is to link discrete events occurring over time into a meaningful incident pattern

such as a brute-force attack. The rule in the exhibit is a practical implementation of this concept.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE