NSE5_FSM-6.3 Fortinet NSE 5 - FortiSIEM 6.3 Questions and Answers

 Anomaly Baseline Data: Anomaly baseline data refers to the statistical profiles and baselines calculated for various parameters to detect deviations indicative of potential security incidents.

 Profile DB: The Profile DB is specifically designed to store such baseline data in FortiSIEM.

Purpose: It maintains statistical profiles for different monitored parameters to facilitate anomaly detection.

Usage: This data is used by FortiSIEM to compare real-time metrics against the established baselines to identify anomalies.

 References: FortiSIEM 6.3 User Guide, Database Architecture section, which describes the different databases used in FortiSIEM and their purposes, including the Profile DB for storing anomaly baseline data.

 Search Filters in FortiSIEM: When searching for specific events, administrators can use various attributes to filter the results.

 Attribute for Agent Events: To view events received specifically from Linux and Windows agents, the attributeExternal Event Receive Agentsshould be used.

Function: This attribute filters events that are received from agents, distinguishing them from events received through other protocols or sources.

 Search Efficiency: Using this attribute helps the administrator focus on events collected by FortiSIEM agents, making the search results more relevant and targeted.

 References: FortiSIEM 6.3 User Guide, Event Search and Filters section, which describes the available attributes and their usage for filtering search results.

 Rules Engine in FortiSIEM: The rules engine evaluates incoming events based on defined conditions to detect incidents and anomalies.

 Aggregation Condition: The aggregation condition instructs FortiSIEM to summarize and count the matching evaluated data.

Function: Aggregation is used to group events based on specified criteria and then perform operations such as counting the number of occurrences within a defined time window.

 Purpose: This allows for the detection of patterns and anomalies, such as a high number of failed login attempts within a short period.

 References: FortiSIEM 6.3 User Guide, Rules Engine section, which explains how aggregation is used to summarize and count matching data.

 Rule Subpattern Definition: In FortiSIEM, a subpattern within a rule is used to define specific conditions and criteria that must be met for the rule to trigger an incident or alert.

 Components of a Subpattern: The subpattern includes the following elements:

Filters: Criteria to filter the events that the rule will evaluate.

Aggregation: Conditions that define how events should be aggregated or grouped for analysis.

Time Window Definitions: Specifies the time frame over which the events will be evaluated to determine if the rule conditions are met.

 Explanation: Together, these components allow the system to efficiently and accurately detect patterns of interest within the event data.

 References: FortiSIEM 6.3 User Guide, Rules and Patterns section, which explains the structure and configuration of rule subpatterns, including the use of filters, aggregation, and time window definitions.

 Advanced Analytical Rules Engine: FortiSIEM's rules engine allows for complex event correlation using multiple subpatterns.

 Operations for Referencing Subpatterns:

FOLLOWED_BY: This operation is used to indicate that one event follows another within a specified time window.

OR: This logical operation allows for the inclusion of multiple subpatterns, where the rule triggers if any of the subpatterns match.

AND: This logical operation requires all referenced subpatterns to match for the rule to trigger.

 Usage: These operations allow for detailed and precise event correlation, helping to detect complex patterns and incidents.

 References: FortiSIEM 6.3 User Guide, Advanced Analytics Rules Engine section, which explains the use of different operations to reference subpatterns in rules.

 Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be grouped to summarize and organize the data.

 Unique Attributes: Attributes that are unique for each event cannot be grouped because they do not provide a meaningful aggregation or summary.

 Red Highlighting Explanation: The red highlighting in the exhibit indicates attributes that cannot be grouped together due to their unique nature. These unique attributes includeEvent Receive Time,Reporting IP,Event Type,Raw Event Log, andCOUNT(Matched Events).

 Attribute Characteristics:

Event Receive Timeis unique for each event.

Reporting IPandEvent Typecan vary greatly, making grouping them impractical in this context.

Raw Event Logrepresents the unprocessed log data, which is also unique.

COUNT(Matched Events)is a calculated field, not suitable for grouping.

 References: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping attributes in reports.

 Data Collection Status: FortiSIEM displays various icons to indicate the status of data collection for different devices.

 Pause Icon: The pause icon specifically indicates that data collection is paused, but this can happen due to several reasons.

 Common Cause for Pausing: One common cause for pausing data collection is an issue such as a change of password, which prevents the system from authenticating and collecting data.

 Exhibit Analysis: In the provided exhibit, the presence of the pause icon next to the device suggests that data collection has encountered an issue that has caused it to pause.

 References: FortiSIEM 6.3 User Guide, Device Management and Data Collection Status Icons section, which explains the different icons and their meanings.

 Incident Status in FortiSIEM: The status of an incident indicates its current state and helps administrators track and manage incidents effectively.

 Cleared Status: When an incident’s status is "Cleared," it means that a specific condition set to clear the incident has been satisfied.

Clear Condition: This is typically a predefined condition that indicates the issue causing the incident has been resolved or no longer exists.

 Automatic vs. Manual Clearance: While some incidents may be cleared automatically based on clear conditions, others might be manually cleared by an operator.

 References: FortiSIEM 6.3 User Guide, Incident Management section, detailing the various incident statuses and the conditions that lead to an incident being marked as "Cleared."

 Case Sensitivity in Searches: In FortiSIEM, search queries, including those for raw event logs, are case sensitive. This means that keywords must be entered exactly as they appear in the logs.

 Keyword Mismatch: The exhibit shows the keyword "TCP" in the Value field. If the actual events use "tcp" (lowercase), the search will return no results because of the case mismatch.

 Correct Keyword: To match the keyword correctly, the administrator should enter "tcp" in the Value field.

 References: FortiSIEM 6.3 User Guide, Search and Filtering section, which discusses the importance of case sensitivity in search queries.

 Linux Agent in FortiSIEM: The FortiSIEM Linux agent is responsible for collecting logs and metrics from Linux devices and forwarding them to the FortiSIEM system.

 Command for Checking Status: The correct command to check the status of the FortiSIEM Linux agent isservice fortisiem-linux-agent status.

Explanation: This command queries the status of the FortiSIEM Linux agent service, showing whether it is running, stopped, or encountering issues.

 Usage: Properly checking the agent status helps ensure that data collection from Linux devices is functioning as expected.

 References: FortiSIEM 6.3 User Guide, Linux Agent Installation and Management section, which includes commands for managing the Linux agent.

 Event Collection Overview: The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.

 Rule Subpattern Settings: The rule subpattern specifies two conditions:

AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold): This checks if the average CPU utilization exceeds the critical threshold defined for each server.

COUNT(Matched Events) >= 2: This requires at least two matching events within the specified period.

 Server A Analysis:

Events: Three events (CPU=90, CPU=90, CPU=95).

Average CPU Utilization: (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.

Matched Events Count: 3, which meets the condition of being greater than or equal to 2.

Incident Generation: Server A meets both conditions, so it generates one incident.

 Server B Analysis:

Events: Three events (CPU=70, CPU=50, CPU=60).

Average CPU Utilization: (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.

Matched Events Count: 3, but since the average CPU utilization condition is not met, no incident is generated.

 Conclusion: Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.

 References: FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.

 Threshold Management: FortiSIEM uses thresholds to generate alerts and incidents based on performance and security metrics.

 Global Thresholds: These are default thresholds applied to all devices and metrics across the system, providing a baseline for alerts.

 Per Device Thresholds: These thresholds can be customized for individual devices, allowing for more granular control and tailored monitoring based on specific device characteristics and requirements.

 Usage in Performance Metrics: Both global and per device thresholds are used for performance metrics to ensure comprehensive and precise monitoring.

 References: FortiSIEM 6.3 User Guide, Thresholds and Alerts section, details the application of global and per device thresholds for performance and security metrics.