NSE5_FSM-6.3 Fortinet NSE 5 - FortiSIEM 6.3 Questions and Answers

 Component Roles in FortiSIEM: Different components in FortiSIEM have specific roles and responsibilities, which contribute to the overall performance and functionality of the system.

 Query Worker: The query worker component is specifically designed to handle and optimize search queries within FortiSIEM.

Function: It processes search requests and executes analytic searches efficiently, handling large volumes of data to provide quick results.

Optimization: By improving the efficiency of query execution, the query worker can significantly speed up long, ad hoc analytic searches, addressing performance issues.

 Performance Impact: Utilizing the query worker ensures that searches are handled by a component optimized for such tasks, reducing the load on other components and improving overall system performance.

 References: FortiSIEM 6.3 User Guide, System Components section, which describes the roles of different workers, including the query worker, and their impact on system performance.

 Search Filters in FortiSIEM: When searching for events, the correct use of filters and logical operators is crucial to obtain accurate results.

 Issue Analysis:

Selected Filters: The exhibit shows filters for two different Reporting IP addresses.

Logical Operators: The use of "AND" between the two Reporting IP addresses implies that an event must match both IP addresses simultaneously, which is not possible for a single event.

 Correct Usage: To search for events from either of the two IP addresses, parentheses should be used to group conditions logically.

Corrected Filter:(Reporting IP = 192.168.1.1 OR Reporting IP = 172.16.10.3)would return events from either IP address.

 References: FortiSIEM 6.3 User Guide, Search and Filters section, which explains the use of logical operators and the importance of parentheses in constructing effective search queries.

 Syslog Ports: Syslog messages can be sent over different ports using TCP or UDP protocols.

 Common Ports for Syslog:

UDP 514: This is the default port for sending syslog messages over UDP.

TCP 514: This is the default port for sending syslog messages over TCP, providing a more reliable transmission.

TCP 1470: This port is often used for secure or alternative syslog transmission.

 Usage in FortiSIEM: FortiSIEM can be configured to receive syslog messages on these ports to ensure the logs are collected from various network devices.

 References: FortiSIEM 6.3 User Guide, Syslog Integration section, which details the supported ports for syslog transmission.

 Incident Categories in FortiSIEM: Incidents in FortiSIEM are categorized to help administrators quickly identify and prioritize the type of issue.

 Four Main Categories:

Performance: Incidents related to the performance of devices and applications, such as high CPU usage or memory utilization.

Availability: Incidents affecting the availability of services or devices, such as downtime or connectivity issues.

Security: Incidents related to security events, such as failed login attempts, malware detection, or unauthorized access.

Change: Incidents triggered by changes in the configuration or state of devices, such as new software installations or configuration modifications.

 Importance of Categorization: These categories help in the efficient management and response to different types of incidents, allowing for better resource allocation and quicker resolution.

 References: FortiSIEM 6.3 User Guide, Incident Management section, which details the different categories of incidents and their significance.

 Device Discovery Information: Information about discovered devices, including their configurations and statuses, is stored in a specific database.

 CMDB: The Configuration Management Database (CMDB) is used to store detailed information about the devices discovered by FortiSIEM.

Function: It maintains comprehensive details about device configurations, relationships, and other metadata essential for managing the IT infrastructure.

 Significance: Storing discovery information in the CMDB ensures that the FortiSIEM system has a centralized repository of device information, facilitating efficient management and monitoring.

 References: FortiSIEM 6.3 User Guide, Configuration Management Database (CMDB) section, which details the storage and usage of device discovery information.

 Incident Creation in FortiSIEM: Incidents in FortiSIEM are created based on specific patterns and conditions defined within the system.

 Group By Function: The "Group By" section in the "Edit SubPattern" window specifies how the data should be grouped for analysis and incident creation.

 Impact of Grouping: The way data is grouped affects the number of incidents generated. Each unique combination of the grouped attributes results in a separate incident.

 Exhibit Analysis: In the provided exhibit, the "Group By" section lists "Reporting Device," "Reporting IP," and "User." This means incidents will be created for each unique combination of these attributes.

 References: FortiSIEM 6.3 User Guide, Rule and Pattern Creation section, which details how grouping impacts incident generation.

 Syslog Configuration in FortiSIEM: For FortiSIEM to receive syslog messages from network devices, those devices need to be properly configured to send syslog data to FortiSIEM.

 Manual Configuration Requirement: FortiSIEM does not automatically configure network devices to send syslog messages. Instead, this configuration must be performed manually by the network administrator.

 Process Overview: The network administrator must access each device and set up the syslog parameters to direct log data to the FortiSIEM collector's IP address.

 Discovery Process: While FortiSIEM can discover network devices using SNMP, WMI, and other protocols, the configuration of syslog on these devices is beyond its scope and requires manual intervention.

 References: FortiSIEM 6.3 User Guide, Device Configuration and Syslog Integration sections, which explain the requirements and steps for setting up syslog forwarding on network devices.

 Syslog Reception Verification: To verify whether syslog messages are being received from a network device, a network packet capture tool can be used.

 tcpdump Command:tcpdumpis a powerful command-line packet analyzer tool available in Unix-like operating systems. It allows administrators to capture and analyze network traffic.

Usage: By usingtcpdumpwith the appropriate filters (e.g., port 514 for syslog), administrators can monitor the incoming syslog messages in real-time to verify if they are being received.

Example Command:tcpdump -i port 514captures the syslog messages on the specified network interface.

 References: FortiSIEM 6.3 User Guide, CLI Commands section, which details the usage oftcpdumpfor network traffic analysis and verification of syslog reception.

 FortiSIEM Linux Agent: The FortiSIEM Linux agent is used to collect logs and performance metrics from Linux servers and send them to the FortiSIEM system.

 Prerequisite for Installation: Theauditdservice, which is the Linux Audit Daemon, must be installed and running on the Linux server to capture and log security-related events.

auditd Service: This service collects and logs security events on Linux systems, which are essential for monitoring and analysis by FortiSIEM.

 Importance of auditd: Without the auditd service, the FortiSIEM Linux agent will not be able to collect the necessary event data from the Linux server.

 References: FortiSIEM 6.3 User Guide, Linux Agent Installation section, which lists the prerequisites and steps for installing the FortiSIEM Linux agent.

 Raw Log Data: When devices send logs to FortiSIEM, the data arrives in a raw, unstructured format.

 Data Parsing Process: The process that converts this raw log data into a structured format is known as data parsing.

Data Parsing: This involves extracting relevant fields from the raw log entries and organizing them into a structured format, making the data usable for analysis, reporting, and correlation.

 Significance of Structured Data: Structured data is essential for effective event correlation, alerting, and generating meaningful reports.

 References: FortiSIEM 6.3 User Guide, Data Parsing section, which details how raw log data is transformed into structured data through parsing.

 Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be grouped to summarize and organize the data.

 Unique Attributes: Attributes that are unique for each event cannot be grouped because they do not provide a meaningful aggregation or summary.

 Red Highlighting Explanation: The red highlighting in the exhibit indicates attributes that cannot be grouped together due to their unique nature. These unique attributes includeEvent Receive Time,Reporting IP,Event Type,Raw Event Log, andCOUNT(Matched Events).

 Attribute Characteristics:

Event Receive Timeis unique for each event.

Reporting IPandEvent Typecan vary greatly, making grouping them impractical in this context.

Raw Event Logrepresents the unprocessed log data, which is also unique.

COUNT(Matched Events)is a calculated field, not suitable for grouping.

 References: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping attributes in reports.

 Case Sensitivity in Searches: In FortiSIEM, search queries, including those for raw event logs, are case sensitive. This means that keywords must be entered exactly as they appear in the logs.

 Keyword Mismatch: The exhibit shows the keyword "TCP" in the Value field. If the actual events use "tcp" (lowercase), the search will return no results because of the case mismatch.

 Correct Keyword: To match the keyword correctly, the administrator should enter "tcp" in the Value field.

 References: FortiSIEM 6.3 User Guide, Search and Filtering section, which discusses the importance of case sensitivity in search queries.