NSE5_FSM-6.3 Fortinet NSE 5 - FortiSIEM 6.3 Questions and Answers

 Rule Notifications and Automated Remediation: In FortiSIEM, notifications and automated remediation actions can be configured to respond to specific incidents or alerts generated by rules.

 Notification Policy: This is the section where administrators configure the settings for notifications and specify the actions to be taken when a rule triggers an alert.

Configuration Options: Includes defining the recipients of notifications, the type of notifications (e.g., email, SMS), and any automated remediation actions that should be executed.

 Importance: Proper configuration of notification policies ensures timely alerts and automated responses to incidents, enhancing the effectiveness of the SIEM system.

 References: FortiSIEM 6.3 User Guide, Notifications and Automated Remediation section, which details how to configure notification policies for rule-triggered actions and responses.

 Syslog Configuration in FortiSIEM: For FortiSIEM to receive syslog messages from network devices, those devices need to be properly configured to send syslog data to FortiSIEM.

 Manual Configuration Requirement: FortiSIEM does not automatically configure network devices to send syslog messages. Instead, this configuration must be performed manually by the network administrator.

 Process Overview: The network administrator must access each device and set up the syslog parameters to direct log data to the FortiSIEM collector's IP address.

 Discovery Process: While FortiSIEM can discover network devices using SNMP, WMI, and other protocols, the configuration of syslog on these devices is beyond its scope and requires manual intervention.

 References: FortiSIEM 6.3 User Guide, Device Configuration and Syslog Integration sections, which explain the requirements and steps for setting up syslog forwarding on network devices.

 Process Monitoring in FortiSIEM: FortiSIEM can monitor critical processes on managed devices, such as an SMTP process on a Linux server.

 Event Generation: When a critical process stops, FortiSIEM generates an event to alert administrators.

 Event Types: Specific event types correspond to different monitored conditions. For a stopped process, the event typePH_DEV_MON_PROC_STOPis used.

 Reasoning: The namePH_DEV_MON_PROC_STOP(Device Monitoring Process Stop) is a generic event type used by FortiSIEM to indicate that any monitored process, including SMTP, has stopped.

 References: FortiSIEM 6.3 User Guide, Event Types section, explains the predefined event types and their usage in different monitoring scenarios.

 Device Discovery in FortiSIEM: Device discovery is the process by which FortiSIEM identifies and adds devices to its management scope.

 Role of Collectors: Collectors are responsible for gathering data from network devices, including discovering new devices in the network.

Functionality: Collectors use protocols such as SNMP, WMI, and others to discover devices and gather their details.

 Capability: While agents (Windows and Linux) primarily gather data from their host systems, the collectors actively discover devices across the network.

 References: FortiSIEM 6.3 User Guide, Device Discovery section, which details the role of collectors in discovering network devices.

 Feature Overview: FortiSIEM provides several tools for querying and reporting on device information within an environment.

 Inventory Tab: The Inventory tab is specifically designed to display detailed information about devices, including their firmware versions.

 Query Functionality: Within the Inventory tab, you can run queries to filter and display devices based on specific attributes, such as the firmware version for FortiGate devices.

 Report Generation: By running a query in the Inventory tab, you can produce a report that lists the FortiGate devices and their corresponding firmware versions.

 References: FortiSIEM 6.3 User Guide, Inventory Management section, explains how to use the Inventory tab to query and report on device attributes.

 Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be grouped to summarize and organize the data.

 Unique Attributes: Attributes that are unique for each event cannot be grouped because they do not provide a meaningful aggregation or summary.

 Red Highlighting Explanation: The red highlighting in the exhibit indicates attributes that cannot be grouped together due to their unique nature. These unique attributes includeEvent Receive Time,Reporting IP,Event Type,Raw Event Log, andCOUNT(Matched Events).

 Attribute Characteristics:

Event Receive Timeis unique for each event.

Reporting IPandEvent Typecan vary greatly, making grouping them impractical in this context.

Raw Event Logrepresents the unprocessed log data, which is also unique.

COUNT(Matched Events)is a calculated field, not suitable for grouping.

 References: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping attributes in reports.

 Component Roles in FortiSIEM: Different components in FortiSIEM have specific roles and responsibilities, which contribute to the overall performance and functionality of the system.

 Query Worker: The query worker component is specifically designed to handle and optimize search queries within FortiSIEM.

Function: It processes search requests and executes analytic searches efficiently, handling large volumes of data to provide quick results.

Optimization: By improving the efficiency of query execution, the query worker can significantly speed up long, ad hoc analytic searches, addressing performance issues.

 Performance Impact: Utilizing the query worker ensures that searches are handled by a component optimized for such tasks, reducing the load on other components and improving overall system performance.

 References: FortiSIEM 6.3 User Guide, System Components section, which describes the roles of different workers, including the query worker, and their impact on system performance.

 Advanced Analytical Rules Engine: FortiSIEM's rules engine allows for complex event correlation using multiple subpatterns.

 Operations for Referencing Subpatterns:

FOLLOWED_BY: This operation is used to indicate that one event follows another within a specified time window.

OR: This logical operation allows for the inclusion of multiple subpatterns, where the rule triggers if any of the subpatterns match.

AND: This logical operation requires all referenced subpatterns to match for the rule to trigger.

 Usage: These operations allow for detailed and precise event correlation, helping to detect complex patterns and incidents.

 References: FortiSIEM 6.3 User Guide, Advanced Analytics Rules Engine section, which explains the use of different operations to reference subpatterns in rules.

 Offline Licensing in FortiSIEM: FortiSIEM provides mechanisms for offline licensing to accommodate environments without direct internet access.

 License Tool Command: The command./phLicenseTool --collect license_req.datis used to collect license information necessary for offline registration.

 Procedure Analysis: The exhibit shows the output of this command, which indicates the collection of license information to a file namedlicense_req.dat.

 Offline License Registration: This collected data file is then typically uploaded to the FortiSIEM support portal or provided to the FortiSIEM support team for processing and generating a license file.

 References: FortiSIEM 6.3 Administration Guide, Licensing section, details the procedures for both online and offline license registration, including the use of thephLicenseToolfor offline scenarios.

 Anomaly Baseline Data: Anomaly baseline data refers to the statistical profiles and baselines calculated for various parameters to detect deviations indicative of potential security incidents.

 Profile DB: The Profile DB is specifically designed to store such baseline data in FortiSIEM.

Purpose: It maintains statistical profiles for different monitored parameters to facilitate anomaly detection.

Usage: This data is used by FortiSIEM to compare real-time metrics against the established baselines to identify anomalies.

 References: FortiSIEM 6.3 User Guide, Database Architecture section, which describes the different databases used in FortiSIEM and their purposes, including the Profile DB for storing anomaly baseline data.

 Performance and Availability Monitoring: Various components in FortiSIEM are responsible for monitoring the performance and availability of devices and services.

 Components:

Supervisor: Oversees the entire FortiSIEM infrastructure and coordinates the activities of other components.

Worker: Processes and analyzes the collected data, including performance and availability metrics.

Collector: Gathers performance and availability data from devices in the network.

 Collaborative Functioning: These components work together to ensure comprehensive monitoring of the network's performance and availability.

 References: FortiSIEM 6.3 User Guide, Performance and Availability Monitoring section, which explains the roles of the supervisor, worker, and collector in monitoring tasks.

 Syslog Ports: Syslog messages can be sent over different ports using TCP or UDP protocols.

 Common Ports for Syslog:

UDP 514: This is the default port for sending syslog messages over UDP.

TCP 514: This is the default port for sending syslog messages over TCP, providing a more reliable transmission.

TCP 1470: This port is often used for secure or alternative syslog transmission.

 Usage in FortiSIEM: FortiSIEM can be configured to receive syslog messages on these ports to ensure the logs are collected from various network devices.

 References: FortiSIEM 6.3 User Guide, Syslog Integration section, which details the supported ports for syslog transmission.