NSE5_FSM-6.3 Fortinet NSE 5 - FortiSIEM 6.3 Questions and Answers

 Device Discovery in FortiSIEM : Device discovery is the process by which FortiSIEM identifies and adds devices to its management scope.

 Role of Collectors : Collectors are responsible for gathering data from network devices, including discovering new devices in the network.

Functionality : Collectors use protocols such as SNMP, WMI, and others to discover devices and gather their details.

 Capability : While agents (Windows and Linux) primarily gather data from their host systems, the collectors actively discover devices across the network.

 References : FortiSIEM 6.3 User Guide, Device Discovery section, which details the role of collectors in discovering network devices.

 Disaster Recovery Mode : FortiSIEM's disaster recovery (DR) mode ensures that there is a backup system ready to take over in case the primary system fails.

 Manual Tasks for DR Operation : In the event of a disaster, certain tasks must be performed manually to ensure a smooth transition to the secondary system.

 Promoting the Secondary Supervisor :

Use the command phSecondary2primary to promote the secondary supervisor to the primary role. This command reconfigures the secondary supervisor to take over as the primary supervisor, ensuring continuity in management and coordination.

 Changing DNS Configuration :

Update the DNS configuration to direct all users, devices, and collectors to the secondary FortiSIEM instance. This ensures that all components in the environment can communicate with the newly promoted primary supervisor without manual reconfiguration of individual devices.

 References : FortiSIEM 6.3 Administration Guide, Disaster Recovery section, provides detailed steps on promoting the secondary supervisor and updating DNS configurations during a disaster recovery operation.

 Feature Overview : FortiSIEM provides several tools for querying and reporting on device information within an environment.

 Inventory Tab : The Inventory tab is specifically designed to display detailed information about devices, including their firmware versions.

 Query Functionality : Within the Inventory tab, you can run queries to filter and display devices based on specific attributes, such as the firmware version for FortiGate devices.

 Report Generation : By running a query in the Inventory tab, you can produce a report that lists the FortiGate devices and their corresponding firmware versions.

 References : FortiSIEM 6.3 User Guide, Inventory Management section, explains how to use the Inventory tab to query and report on device attributes.

 Grouping Events in FortiSIEM : Grouping events by specific attributes allows administrators to aggregate and analyze data more efficiently.

 Grouping Criteria : In this case, the events are grouped by "Event Type" and "User" attributes.

 Unique Combinations : To determine the number of results displayed, identify the unique combinations of the "Event Type" and "User" attributes in the provided data.

Failed Logon by Ryan (appears multiple times but is one unique combination)

Failed Logon by John

Failed Logon by Paul

Failed Logon by Wendy

 Unique Groupings : There are four unique groupings based on the given data: "Failed Logon" by "Ryan", "John", "Paul", and "Wendy".

 References : FortiSIEM 6.3 User Guide, Event Management and Reporting sections, which explain how events are grouped and reported based on selected attributes.

 FortiSIEM Architecture : The FortiSIEM architecture includes several components such as Supervisors, Workers, Collectors, and Agents, each playing a distinct role in the SIEM ecosystem.

 Real-Time Event Correlation : Real-time event correlation is a critical function that involves analyzing and correlating incoming events to detect patterns indicative of security incidents or operational issues.

 Role of Supervisor and Worker :

Supervisor : The Supervisor oversees the entire FortiSIEM system, coordinating the processing and analysis of events.

Worker : Workers are responsible for processing and correlating the events received from Collectors and Agents.

 Collaboration for Correlation : Together, the Supervisor and Worker components perform real-time event correlation by distributing the load and ensuring efficient processing of events to identify incidents in real-time.

 References : FortiSIEM 6.3 User Guide, Event Correlation and Processing section, details how the Supervisor and Worker components collaborate for real-time event correlation.

 Event Collection Overview : The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.

 Rule Subpattern Settings : The rule subpattern specifies two conditions:

AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold) : This checks if the average CPU utilization exceeds the critical threshold defined for each server.

COUNT(Matched Events) > = 2 : This requires at least two matching events within the specified period.

 Server A Analysis :

Events : Three events (CPU=90, CPU=90, CPU=95).

Average CPU Utilization : (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.

Matched Events Count : 3, which meets the condition of being greater than or equal to 2.

Incident Generation : Server A meets both conditions, so it generates one incident.

 Server B Analysis :

Events : Three events (CPU=70, CPU=50, CPU=60).

Average CPU Utilization : (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.

Matched Events Count : 3, but since the average CPU utilization condition is not met, no incident is generated.

 Conclusion : Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.

 References : FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.

 Anomaly Baseline Data : Anomaly baseline data refers to the statistical profiles and baselines calculated for various parameters to detect deviations indicative of potential security incidents.

 Profile DB : The Profile DB is specifically designed to store such baseline data in FortiSIEM.

Purpose : It maintains statistical profiles for different monitored parameters to facilitate anomaly detection.

Usage : This data is used by FortiSIEM to compare real-time metrics against the established baselines to identify anomalies.

 References : FortiSIEM 6.3 User Guide, Database Architecture section, which describes the different databases used in FortiSIEM and their purposes, including the Profile DB for storing anomaly baseline data.

 Monitor Column Indicators : In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.

 Yellow Star Meaning : A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.

 Successful Data Collection : This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.

 References : FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.

 Search Filters in FortiSIEM : When searching for specific events, administrators can use various attributes to filter the results.

 Attribute for Agent Events : To view events received specifically from Linux and Windows agents, the attribute External Event Receive Agents should be used.

Function : This attribute filters events that are received from agents, distinguishing them from events received through other protocols or sources.

 Search Efficiency : Using this attribute helps the administrator focus on events collected by FortiSIEM agents, making the search results more relevant and targeted.

 References : FortiSIEM 6.3 User Guide, Event Search and Filters section, which describes the available attributes and their usage for filtering search results.

 Grouping Events in FortiSIEM : Grouping events by specific attributes allows for the aggregation of similar events, providing clearer insights and reducing clutter.

 Grouping Criteria : For this question, events are grouped by "User," "Source IP," and "Application Category."

 Unique Combinations Analysis :

Ryan, 1.1.1.1, Web App (appears multiple times but is one unique combination)

John, 5.5.5.5, DB

Paul, 3.3.2.1, Web App

Ryan, 1.1.1.15, DB

Wendy, 1.1.1.6, DB

 Result Calculation : There are five unique combinations in the provided data based on the specified grouping attributes.

 References : FortiSIEM 6.3 User Guide, Event Management and Reporting sections, which explain how to group events by various attributes for analysis and reporting purposes.

 Rule Notifications and Automated Remediation : In FortiSIEM, notifications and automated remediation actions can be configured to respond to specific incidents or alerts generated by rules.

 Notification Policy : This is the section where administrators configure the settings for notifications and specify the actions to be taken when a rule triggers an alert.

Configuration Options : Includes defining the recipients of notifications, the type of notifications (e.g., email, SMS), and any automated remediation actions that should be executed.

 Importance : Proper configuration of notification policies ensures timely alerts and automated responses to incidents, enhancing the effectiveness of the SIEM system.

 References : FortiSIEM 6.3 User Guide, Notifications and Automated Remediation section, which details how to configure notification policies for rule-triggered actions and responses.

 License Renewal Process : When renewing a FortiSIEM license, it is essential to provide the system ID, which uniquely identifies the FortiSIEM instance.

 Commands to Retrieve System ID :

phgetHWID : This command retrieves the hardware ID of the FortiSIEM appliance.

Usage: Run the command phgetHWID in the CLI to obtain the hardware ID.

phgetUUID : This command retrieves the universally unique identifier (UUID) for the FortiSIEM system.

Usage: Run the command phgetUUID in the CLI to obtain the UUID.

 Verification : Both phgetHWID and phgetUUID are valid commands for retrieving the necessary system IDs required for license renewal.

 References : FortiSIEM 6.3 Administration Guide, Licensing section details the commands and procedures for obtaining system identification information necessary for license renewal.

 Component Roles in FortiSIEM : Different components in FortiSIEM have specific roles and responsibilities, which contribute to the overall performance and functionality of the system.

 Query Worker : The query worker component is specifically designed to handle and optimize search queries within FortiSIEM.

Function : It processes search requests and executes analytic searches efficiently, handling large volumes of data to provide quick results.

Optimization : By improving the efficiency of query execution, the query worker can significantly speed up long, ad hoc analytic searches, addressing performance issues.

 Performance Impact : Utilizing the query worker ensures that searches are handled by a component optimized for such tasks, reducing the load on other components and improving overall system performance.

 References : FortiSIEM 6.3 User Guide, System Components section, which describes the roles of different workers, including the query worker, and their impact on system performance.

 Enterprise Licensing Mode : In FortiSIEM enterprise licensing mode, collectors are deployed in remote sites to gather and forward data to the central FortiSIEM cluster located in the data center.

 Collector Functionality : Collectors are responsible for receiving logs, events (e.g., syslog), and performance metrics from devices.

 Link Down Scenario : When the link between the collector and the FortiSIEM cluster is down, the collector needs a mechanism to ensure no data is lost during the disconnection.

 Event Buffering : The collector buffers the events locally until the connection is restored, ensuring that no incoming events are lost. This buffered data is then forwarded to the FortiSIEM cluster once the link is re-established.

 References : FortiSIEM 6.3 User Guide, Data Collection and Buffering section, explains the behavior of collectors during network disruptions.