NSE5_FSM-6.3 Fortinet NSE 5 - FortiSIEM 6.3 Questions and Answers

 Expression Builder in FortiSIEM: The Expression Builder is used to create expressions for analyzing event data.

 Correct Syntax: The correct syntax for counting matched events isCOUNT(Matched Events).

Function:COUNTis a function that takes a parameter, in this case, "Matched Events," to count the number of occurrences.

 Common Errors: Incorrect syntax, such as reversing the order or using parentheses improperly, can lead to invalid expressions.

 References: FortiSIEM 6.3 User Guide, Expression Builder section, which explains the correct syntax and usage for creating valid expressions for event analysis.

 Threshold Management: FortiSIEM uses thresholds to generate alerts and incidents based on performance and security metrics.

 Global Thresholds: These are default thresholds applied to all devices and metrics across the system, providing a baseline for alerts.

 Per Device Thresholds: These thresholds can be customized for individual devices, allowing for more granular control and tailored monitoring based on specific device characteristics and requirements.

 Usage in Performance Metrics: Both global and per device thresholds are used for performance metrics to ensure comprehensive and precise monitoring.

 References: FortiSIEM 6.3 User Guide, Thresholds and Alerts section, details the application of global and per device thresholds for performance and security metrics.

 FortiSIEM Architecture: In FortiSIEM, collectors gather data from various sources and send this data to supervisors and workers within the FortiSIEM architecture.

 Communication Requirements: For collectors to effectively send data to the FortiSIEM system, specific communication channels must be open.

 Port Usage: The primary port used for secure communication between the collectors and the FortiSIEM infrastructure is HTTPS (port 443).

 Network Configuration: When configuring collectors in geographically separated sites, the HTTPS port must be open for the collectors to communicate with both the supervisor and the worker upload settings addresses. This ensures that the collected data can be securely transmitted to the appropriate processing and analysis components.

 References: FortiSIEM 6.3 Administration Guide, Network Ports section details the necessary ports for communication within the FortiSIEM architecture.

 Search Filters in FortiSIEM: When searching for specific events, administrators can use various attributes to filter the results.

 Attribute for Agent Events: To view events received specifically from Linux and Windows agents, the attributeExternal Event Receive Agentsshould be used.

Function: This attribute filters events that are received from agents, distinguishing them from events received through other protocols or sources.

 Search Efficiency: Using this attribute helps the administrator focus on events collected by FortiSIEM agents, making the search results more relevant and targeted.

 References: FortiSIEM 6.3 User Guide, Event Search and Filters section, which describes the available attributes and their usage for filtering search results.

 WMI Method: Windows Management Instrumentation (WMI) is a set of specifications from Microsoft for consolidating the management of devices and applications in a network.

 Log Collection: WMI is used to collect various types of logs from Windows devices.

Security Logs: Contains records of security-related events such as login attempts and resource access.

Application Logs: Contains logs generated by applications running on the system.

System Logs: Contains logs related to the operating system and its components.

 Comprehensive Data Collection: By using WMI, FortiSIEM can gather a wide range of event logs that are crucial for monitoring and analyzing the security and performance of Windows devices.

 References: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting event logs from Windows devices.

 Feature Overview: FortiSIEM provides several tools for querying and reporting on device information within an environment.

 Inventory Tab: The Inventory tab is specifically designed to display detailed information about devices, including their firmware versions.

 Query Functionality: Within the Inventory tab, you can run queries to filter and display devices based on specific attributes, such as the firmware version for FortiGate devices.

 Report Generation: By running a query in the Inventory tab, you can produce a report that lists the FortiGate devices and their corresponding firmware versions.

 References: FortiSIEM 6.3 User Guide, Inventory Management section, explains how to use the Inventory tab to query and report on device attributes.

 Performance and Availability Monitoring: Various components in FortiSIEM are responsible for monitoring the performance and availability of devices and services.

 Components:

Supervisor: Oversees the entire FortiSIEM infrastructure and coordinates the activities of other components.

Worker: Processes and analyzes the collected data, including performance and availability metrics.

Collector: Gathers performance and availability data from devices in the network.

 Collaborative Functioning: These components work together to ensure comprehensive monitoring of the network's performance and availability.

 References: FortiSIEM 6.3 User Guide, Performance and Availability Monitoring section, which explains the roles of the supervisor, worker, and collector in monitoring tasks.

 Rule Subpattern Definition: In FortiSIEM, a subpattern within a rule is used to define specific conditions and criteria that must be met for the rule to trigger an incident or alert.

 Components of a Subpattern: The subpattern includes the following elements:

Filters: Criteria to filter the events that the rule will evaluate.

Aggregation: Conditions that define how events should be aggregated or grouped for analysis.

Time Window Definitions: Specifies the time frame over which the events will be evaluated to determine if the rule conditions are met.

 Explanation: Together, these components allow the system to efficiently and accurately detect patterns of interest within the event data.

 References: FortiSIEM 6.3 User Guide, Rules and Patterns section, which explains the structure and configuration of rule subpatterns, including the use of filters, aggregation, and time window definitions.

 Offline Licensing in FortiSIEM: FortiSIEM provides mechanisms for offline licensing to accommodate environments without direct internet access.

 License Tool Command: The command./phLicenseTool --collect license_req.datis used to collect license information necessary for offline registration.

 Procedure Analysis: The exhibit shows the output of this command, which indicates the collection of license information to a file namedlicense_req.dat.

 Offline License Registration: This collected data file is then typically uploaded to the FortiSIEM support portal or provided to the FortiSIEM support team for processing and generating a license file.

 References: FortiSIEM 6.3 Administration Guide, Licensing section, details the procedures for both online and offline license registration, including the use of thephLicenseToolfor offline scenarios.

 FortiSIEM Linux Agent: The FortiSIEM Linux agent is used to collect logs and performance metrics from Linux servers and send them to the FortiSIEM system.

 Prerequisite for Installation: Theauditdservice, which is the Linux Audit Daemon, must be installed and running on the Linux server to capture and log security-related events.

auditd Service: This service collects and logs security events on Linux systems, which are essential for monitoring and analysis by FortiSIEM.

 Importance of auditd: Without the auditd service, the FortiSIEM Linux agent will not be able to collect the necessary event data from the Linux server.

 References: FortiSIEM 6.3 User Guide, Linux Agent Installation section, which lists the prerequisites and steps for installing the FortiSIEM Linux agent.

 Incident Categories in FortiSIEM: Incidents in FortiSIEM are categorized to help administrators quickly identify and prioritize the type of issue.

 Four Main Categories:

Performance: Incidents related to the performance of devices and applications, such as high CPU usage or memory utilization.

Availability: Incidents affecting the availability of services or devices, such as downtime or connectivity issues.

Security: Incidents related to security events, such as failed login attempts, malware detection, or unauthorized access.

Change: Incidents triggered by changes in the configuration or state of devices, such as new software installations or configuration modifications.

 Importance of Categorization: These categories help in the efficient management and response to different types of incidents, allowing for better resource allocation and quicker resolution.

 References: FortiSIEM 6.3 User Guide, Incident Management section, which details the different categories of incidents and their significance.

 Disaster Recovery Mode: FortiSIEM's disaster recovery (DR) mode ensures that there is a backup system ready to take over in case the primary system fails.

 Manual Tasks for DR Operation: In the event of a disaster, certain tasks must be performed manually to ensure a smooth transition to the secondary system.

 Promoting the Secondary Supervisor:

Use the commandphSecondary2primaryto promote the secondary supervisor to the primary role. This command reconfigures the secondary supervisor to take over as the primary supervisor, ensuring continuity in management and coordination.

 Changing DNS Configuration:

Update the DNS configuration to direct all users, devices, and collectors to the secondary FortiSIEM instance. This ensures that all components in the environment cancommunicate with the newly promoted primary supervisor without manual reconfiguration of individual devices.

 References: FortiSIEM 6.3 Administration Guide, Disaster Recovery section, provides detailed steps on promoting the secondary supervisor and updating DNS configurations during a disaster recovery operation.