
Question 5 - FCP_FAZ_AN-7.4 discussion


Exhibit. [The exhibit image is not reproduced on this page; per the explanation below it shows a FortiAnalyzer Event Monitor row with Event Status 'Mitigated'.]

Which statement about the event displayed is correct?

A. The risk source is isolated.

B. The security risk was blocked or dropped.

C. The security event risk is considered open.

D. An incident was created from this event.

Suggested answer: B

Explanation:

In the FortiAnalyzer Event Monitor (FortiSoC), the Event Status column records whether action was taken on a security event. The defined values are: Unhandled (the security event risk is not mitigated or contained), Contained (the risk source is isolated) and Mitigated (the security risk was blocked or dropped); events that carry no risk leave the column blank. The event displayed has the status 'Mitigated': the FortiGate Web Filter blocked the web request to a suspicious destination, and FortiAnalyzer recorded that the risk was blocked or dropped. Note that 'Mitigated' describes only that this request was blocked; it says nothing about whether the source host itself is compromised, which is why 'Unhandled' events, not 'Mitigated' ones, are the ones an analyst should triage first.

Let's review the answer options:

Option A: The risk source is isolated.

Incorrect. 'The risk source is isolated' is the definition of the Contained status, which applies when the source device has been cut off from the network (for example by quarantine). The displayed event is Mitigated, not Contained.

Option B: The security risk was blocked or dropped.

Correct. 'The security risk was blocked or dropped' is exactly what the Mitigated status means. The Web Filter event type and the accompanying description show that the FortiGate blocked the suspicious web request, and FortiAnalyzer therefore classified the event as Mitigated.

Option C: The security event risk is considered open.

Incorrect. An event whose risk is still open carries the Unhandled status, meaning it was neither mitigated nor contained. Mitigated is the opposite case: the threat has been addressed.

Option D: An incident was created from this event.

Incorrect. Event status and incidents are independent. In FortiAnalyzer an event becomes part of an incident only when an analyst creates or assigns one from the Event Monitor, or a playbook does so automatically, and the event is then linked to an incident ID. Nothing in the displayed event indicates that an incident exists.

The FortiAnalyzer 7.4.1 Administration Guide (Event Monitor section) defines these status values: 'Mitigated' means the identified threat was handled, normally by blocking or dropping the action associated with the event, which is the usual outcome for Web Filter and Security Policy events.

asked 27/11/2024
Marcos Losa Torviso