Refer to the exhibit.

Why was this incident auto cleared?
A. Within five minutes the packet loss percentage dropped to a level where the reporting IP is the same as the host IP
B. The original rule did not trigger within five minutes
C. Within five minutes, the packet loss percentage dropped to a level where the reporting IP is same as the source IP
D. Within five minutes, the packet loss percentage dropped to a level where the host IP of the original rule matches the host IP of the clear condition pattern
Which three statements about collector communication with the FortiSIEM cluster are true? (Choose three.)
A. The only communication between the collector and the supervisor is during the registration process.
B. Collectors communicate periodically with the supervisor node.
C. The supervisor periodically checks the health of the collector.
D. The supervisor does not initiate any connections to the collector node.
E. Collectors upload event data to any node in the worker upload list, but report their health directly to the supervisor node.
Refer to the exhibit.

An administrator deploys a new collector for the first time, and notices that all the processes except the phMonitor are down. How can the administrator bring the processes up?
A. The administrator needs to run the command phtools --start all on the collector.
B. Rebooting the collector will bring up the processes.
C. The processes will come up after the collector is registered to the supervisor.
D. The collector was not deployed properly and must be redeployed.
Which of the following are two Tactics in the MITRE ATTandCK framework? (Choose two.)
A. Root kit
B. Reconnaissance
C. Discovery
D. BITS Jobs
E. Phishing
What is Tactic in the MITRE ATTandCK framework?
A. Tactic is how an attacker plans to execute the attack
B. Tactic is what an attacker hopes to achieve
C. Tactic is the tool that the attacker uses to compromise a system
D. Tactic is a specific implementation of the technique
What is the disadvantage of automatic remediation?
A. It can make a disruptive change to a user, block access to an application, or disconnect critical systems from the network.
B. It is equivalent to running an IPS in monitor-only mode -- watches but does not block.
C. External threats or attacks detected by FortiSIEM will need user interaction to take action on an already overworked SOC team.
D. Threat behaviors occurring during the night could take hours to respond to.
Refer to the exhibit.

Is the Windows agent delivering event logs correctly?
A. The logs are buffered by the agent and will be sent once the status changes to managed.
B. The agent is registered and it is sending logs correctly.
C. The agent is not sending logs because it did not receive a monitoring template.
D. Because the agent is unmanaged. the logs are dropped silently by the supervisor.
Which three processes are collector processes? (Choose three.)
A. phAgentManaqer
B. phParser
C. phRuleMaster
D. phReportM aster
E. phMonitorAgent
Refer to the exhibit.

Which statement about the rule filters events shown in the exhibit is true?
A. The rule filters events with an event type that belong to the Domain Account Locked CMDB group or a reporting IP that belong to the Domain Controller applications group.
B. The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a reporting |P that belong to the Domain Controller applications group.
C. The rule filters events with an event type that belong to the Domain Account Locked CMDB group and a user that belongs to the Domain Controller applications group.
D. The rule filters events with an event type that equals Domain Account Locked and a reporting IP that equals Domain Controller applications.
Which three statements about phRuleMaster are true? (Choose three.)
A. phRuleMaster queues up the data being received from the phRuleWorkers into buckets.
B. phRuleMaster is present on the supervisor and workers.
C. phRuleMaster is present on the supervisor only
D. phRuleMaster wakes up to evaluate all the rule data in series, every 30 seconds.
E. phRuleMaster wakes up to evaluate all the rule data in parallel, even/ 30 seconds