NSE5_FSM-6.3 Fortinet NSE 5 - FortiSIEM 6.3 Question and Answers

ï‚· Syslog Reception Verification: To verify whether syslog messages are being received from a network device, a network packet capture tool can be used.

ï‚· tcpdump Command:tcpdumpis a powerful command-line packet analyzer tool available in Unix-like operating systems. It allows administrators to capture and analyze network traffic.

Usage: By usingtcpdumpwith the appropriate filters (e.g., port 514 for syslog), administrators can monitor the incoming syslog messages in real-time to verify if they are being received.

Example Command:tcpdump -i port 514captures the syslog messages on the specified network interface.

ï‚· References: FortiSIEM 6.3 User Guide, CLI Commands section, which details the usage oftcpdumpfor network traffic analysis and verification of syslog reception.

ï‚· Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be grouped to summarize and organize the data.

ï‚· Unique Attributes: Attributes that are unique for each event cannot be grouped because they do not provide a meaningful aggregation or summary.

ï‚· Red Highlighting Explanation: The red highlighting in the exhibit indicates attributes that cannot be grouped together due to their unique nature. These unique attributes includeEvent Receive Time,Reporting IP,Event Type,Raw Event Log, andCOUNT(Matched Events).

ï‚· Attribute Characteristics:

Event Receive Timeis unique for each event.

Reporting IPandEvent Typecan vary greatly, making grouping them impractical in this context.

Raw Event Logrepresents the unprocessed log data, which is also unique.

COUNT(Matched Events)is a calculated field, not suitable for grouping.

ï‚· References: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping attributes in reports.

ï‚· Device Status in FortiSIEM: FortiSIEM assigns different statuses to devices based on their operational state and performance metrics.

ï‚· Packet Loss Impact: The reported packet loss percentage directly influences the status assigned to a device. Packet loss between 50% and 98% indicates significant network issues that affect the device's performance.

ï‚· Degraded Status: When packet loss is between 50% and 98%, FortiSIEM assigns a "Degraded" status to the device. This status indicates that the device is experiencing substantial packet loss, which impairs its performance but does not render it completely non-functional.

ï‚· Reasoning: The "Degraded" status helps administrators identify devices with serious performance issues that need attention but are not entirely down.

ï‚· References: FortiSIEM 6.3 User Guide, Device Availability and Status section, explains the criteria for assigning different statuses based on performance metrics such as packet loss.

ï‚· FortiSIEM Architecture: The FortiSIEM architecture includes several components such as Supervisors, Workers, Collectors, and Agents, each playing a distinct role in the SIEM ecosystem.

ï‚· Real-Time Event Correlation: Real-time event correlation is a critical function that involves analyzing and correlating incoming events to detect patterns indicative of security incidents or operational issues.

ï‚· Role of Supervisor and Worker:

Supervisor: The Supervisor oversees the entire FortiSIEM system, coordinating the processing and analysis of events.

Worker: Workers are responsible for processing and correlating the events received from Collectors and Agents.

ï‚· Collaboration for Correlation: Together, the Supervisor and Worker components perform real-time event correlation by distributing the load and ensuring efficient processing of events to identify incidents in real-time.

ï‚· References: FortiSIEM 6.3 User Guide, Event Correlation and Processing section, details how the Supervisor and Worker components collaborate for real-time event correlation.

ï‚· Incident Status Values: Incident statuses in FortiSIEM help administrators track and manage the lifecycle of incidents from detection to resolution.

ï‚· Four Possible Status Values:

Active: Indicates that the incident is currently ongoing and needs attention.

Closed: Indicates that the incident has been resolved or addressed.

Cleared: Indicates that the incident has been resolved automatically based on predefined conditions.

Open: Indicates that the incident is acknowledged and under investigation but not yet resolved.

ï‚· Usage: These statuses help in prioritizing and tracking incidents effectively, ensuring that all incidents are appropriately managed.

ï‚· References: FortiSIEM 6.3 User Guide, Incident Management section, which details the different status values and their meanings.

ï‚· Grouping Events in FortiSIEM: Grouping events by specific attributes allows for the aggregation of similar events, providing clearer insights and reducing clutter.

ï‚· Grouping Criteria: For this question, events are grouped by "User," "Source IP," and "Application Category."

ï‚· Unique Combinations Analysis:

Ryan, 1.1.1.1, Web App(appears multiple times but is one unique combination)

John, 5.5.5.5, DB

Paul, 3.3.2.1, Web App

Ryan, 1.1.1.15, DB

Wendy, 1.1.1.6, DB

ï‚· Result Calculation: There are five unique combinations in the provided data based on the specified grouping attributes.

ï‚· References: FortiSIEM 6.3 User Guide, Event Management and Reporting sections, which explain how to group events by various attributes for analysis and reporting purposes.

ï‚· Anomaly Baseline Data: Anomaly baseline data refers to the statistical profiles and baselines calculated for various parameters to detect deviations indicative of potential security incidents.

ï‚· Profile DB: The Profile DB is specifically designed to store such baseline data in FortiSIEM.

Purpose: It maintains statistical profiles for different monitored parameters to facilitate anomaly detection.

Usage: This data is used by FortiSIEM to compare real-time metrics against the established baselines to identify anomalies.

ï‚· References: FortiSIEM 6.3 User Guide, Database Architecture section, which describes the different databases used in FortiSIEM and their purposes, including the Profile DB for storing anomaly baseline data.

ï‚· Device Discovery Information: Information about discovered devices, including their configurations and statuses, is stored in a specific database.

ï‚· CMDB: The Configuration Management Database (CMDB) is used to store detailed information about the devices discovered by FortiSIEM.

Function: It maintains comprehensive details about device configurations, relationships, and other metadata essential for managing the IT infrastructure.

ï‚· Significance: Storing discovery information in the CMDB ensures that the FortiSIEM system has a centralized repository of device information, facilitating efficient management and monitoring.

ï‚· References: FortiSIEM 6.3 User Guide, Configuration Management Database (CMDB) section, which details the storage and usage of device discovery information.

ï‚· Expression Builder in FortiSIEM: The Expression Builder is used to create expressions for analyzing event data.

ï‚· Correct Syntax: The correct syntax for counting matched events isCOUNT(Matched Events).

Function:COUNTis a function that takes a parameter, in this case, "Matched Events," to count the number of occurrences.

ï‚· Common Errors: Incorrect syntax, such as reversing the order or using parentheses improperly, can lead to invalid expressions.

ï‚· References: FortiSIEM 6.3 User Guide, Expression Builder section, which explains the correct syntax and usage for creating valid expressions for event analysis.

ï‚· Performance and Availability Monitoring: Various components in FortiSIEM are responsible for monitoring the performance and availability of devices and services.

ï‚· Components:

Supervisor: Oversees the entire FortiSIEM infrastructure and coordinates the activities of other components.

Worker: Processes and analyzes the collected data, including performance and availability metrics.

Collector: Gathers performance and availability data from devices in the network.

ï‚· Collaborative Functioning: These components work together to ensure comprehensive monitoring of the network's performance and availability.

ï‚· References: FortiSIEM 6.3 User Guide, Performance and Availability Monitoring section, which explains the roles of the supervisor, worker, and collector in monitoring tasks.

ï‚· FortiSIEM Linux Agent: The FortiSIEM Linux agent is used to collect logs and performance metrics from Linux servers and send them to the FortiSIEM system.

ï‚· Prerequisite for Installation: Theauditdservice, which is the Linux Audit Daemon, must be installed and running on the Linux server to capture and log security-related events.

auditd Service: This service collects and logs security events on Linux systems, which are essential for monitoring and analysis by FortiSIEM.

ï‚· Importance of auditd: Without the auditd service, the FortiSIEM Linux agent will not be able to collect the necessary event data from the Linux server.

ï‚· References: FortiSIEM 6.3 User Guide, Linux Agent Installation section, which lists the prerequisites and steps for installing the FortiSIEM Linux agent.

ï‚· Event Type Population: In FortiSIEM, the Event Type field is populated based on specific identifiers within the raw message or event log.

ï‚· Raw Message Analysis: The exhibit shows a raw message with various components, includingPH_DEV_MON_SYS_DISK_UTIL,PHL_INFO,phPerfJob, anddiskUtil.

ï‚· Primary Event Identifier: ThePH_DEV_MON_SYS_DISK_UTILat the beginning of the raw message is the primary identifier for the event type. It categorizes the type of event, in this case, a system disk utilization monitoring event.

ï‚· Event Type Field: FortiSIEM uses this primary identifier to populate the Event Type field, providing a clear categorization of the event.

ï‚· References: FortiSIEM 6.3 User Guide, Event Processing and Event Types section, details how event types are identified and populated in the system.