C The rule groups events by Reporting IP, Reporting Device, and User. Let's analyze the five events: Events Received: 1. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John 2. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig 3. Reporting IP: 1.1.1.2, Reporting Device: Server109, User: Mary 4. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: Craig (Duplicate of #2) 5. Reporting IP: 1.1.1.1, Reporting Device: Server101, User: John (Duplicate of #1) Grouping Based on: ● Reporting IP ● Reporting Device ● User Count unique groups: 1. (1.1.1.1, Server101, John) → 2 occurrences (counted as one group) 2. (1.1.1.1, Server101, Craig) → 2 occurrences (counted as one group) 3. (1.1.1.2, Server109, Mary) → 1 occurrence (counted as one group) Since we need at least one matching event (count >= 1) per group, incidents are created for each unique group. Total unique groups (incidents created) = 2 ● John on Server101 (1.1.1.1) ● Craig on Server101 (1.1.1.1)

A The license file located at /etc/opsd/.fortisiem4x0 is critical for the collector's operation, as it verifies the collector's registration with the supervisor and enables proper functionality. If this license file is removed, the collector: ● Will lose its registration with the supervisor. ● Will stop receiving updates and configurations from the FortiSIEM supervisor. ● Will require re-registration with the supervisor to obtain a new license file.

D In FortiSIEM, when an agent is uninstalled from a Windows device, the device remains in the CMDB (Configuration Management Database) until it is manually removed. ● Uninstalling the agent does not automatically remove the device from the CMDB. ● CMDB maintains discovered devices even if they no longer report logs, ensuring historical tracking. ● Administrators must manually delete the device from the CMDB > Devices section.

B Total EPS License Purchased: 500 EPS Allocated EPS: ● Customer A: 100 EPS ● Customer B: 200 EPS Remaining EPS Pool: 500 − (100 + 200) = 200 EPS

A, B Group By automatically applies a COUNT aggregation. When using Group By in FortiSIEM structured queries, it automatically applies a COUNT(*) function unless a different aggregation (such as SUM, AVG, or MAX) is specified. This helps summarize data by counting occurrences of grouped attributes. Group By is applied to real-time and historical searches. Grouping functions work in both real-time (live event monitoring) and historical (past event analysis) searches, making it useful for trend analysis, anomaly detection, and correlation.

A In FortiSIEM, an integration policy can be invoked through Notification Policy settings. This allows automated responses such as: ● Sending alerts to external systems (e.g., SIEMs, ticketing systems, SOAR platforms). ● Triggering actions based on specific incident rules. ● Integrating with third-party solutions for remediation, escalation, or logging.

A In FortiSIEM, SQLite databases used for baselining are stored in the /opt/phoenix/cache directory. This location is used for temporary storage and caching of profile data that is essential for anomaly detection and trend analysis. ● Baselining involves analyzing historical data to determine expected behavior patterns. ● SQLite databases store aggregated statistics, which are referenced during rule evaluations. ● The cache directory allows quick access to these values without querying the main database repeatedly.

A, D FortiSIEM enforces a device limit based on licensing and system-wide constraints to ensure proper resource allocation and performance management. The device limit is determined by the purchased license. ● FortiSIEM licensing includes limits on the number of devices that can be monitored. ● The license type (e.g., Enterprise vs. Service Provider) defines the maximum number of devices supported. For Service Provider editions, the device limit applies system-wide and is shared across all customers. ● In an MSSP (Managed Security Service Provider) setup, the total device limit applies across all customers, rather than being allocated individually. ● This allows flexible resource allocation based on customer needs.

D Guaranteed Allocation: 50 + 100 + 150 = 300 EPS Actual (Incoming) Usage: 25 + 50 + 75 = 150 EPS → Unused from guarantees = 300 − 150 = 150 EPS Burst Capacity (Licensed minus Guaranteed): 520 − 300 = 220 EPS Total Unused Capacity: 150 + 220 = 370 EPS As a Percentage of Licensed EPS: 370/520 ≈ 71.15% → reported (after conversion/rounding) as ~71.460

D In FortiSIEM, collectors need to upload event logs to a worker node for processing. However, if there is no dedicated worker, the supervisor can function as the worker to receive data. ● The error message suggests that a worker upload address must be defined before adding a collector. ● Since there is no dedicated worker, the administrator can set the Supervisor IP as the upload destination to enable log collection.