Which three factors does the FortiSIEM rules engine use to determine the count when it evaluates the aggregate condition COUNT (Matched Events) on a specific subpattern? (Choose three answers)
A. Group By attributes
B. Data source
C. Time window
D. Search filter
E. Incident action
Correct answer: A, C, D
Comprehensive and Detailed Explanation (from the FortiSOAR 7.6 and FortiSIEM 7.3 study guide extract):
The FortiSIEM rules engine evaluates subpatterns to detect complex attack behaviors. When a subpattern uses an aggregate condition such as COUNT (Matched Events), the engine derives that value from three parameters of the subpattern and its rule:
Group By attributes (A): The engine maintains a separate counter for each unique combination of the "Group By" attributes defined in the subpattern. For example, if you group by "Source IP," the engine tracks the count of matched events for each unique source IP address independently; events from different IPs never add to the same counter.
Time window (C): The count is relative to the rule's time window (e.g., 5 minutes). The engine only counts matched events whose timestamps fall within that window. Once an event ages out of the window, it is no longer included in the aggregate count, so three failed logins spread over 20 minutes never reach a threshold of 3 in a 5-minute window.
Search filter (D): Only events that satisfy the subpattern's "Search Filter" criteria (e.g., Event Type = "Failed Login") are considered "Matched Events." The filter is applied before aggregation and defines the scope of the data that the counter ever sees.
Why other options are incorrect:
Data source (B): The data source determines where the logs come from, but the rules engine counts on the parsed event attributes selected by the search filter, not on the raw source. Multiple data sources (for example, a Windows agent and a syslog feed) can contribute events to the same filter and therefore to the same counter.
Incident action (E): Incident actions (such as sending an email or triggering a SOAR playbook) are the result of a rule firing. They run after evaluation and do not influence the internal logic or the calculation of the event count.
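To make the three factors concrete, here is an added worked example that is not part of the original question or of FortiSIEM itself: a minimal model of a subpattern evaluator in Python. The event records, attribute names (eventType, srcIpAddr, dataSource), filter, window and threshold are all constructed for illustration. It shows that the search filter decides which events are matched, the Group By attributes decide how many independent counters exist, and the time window decides which matched events still count; the data source field is carried on every event but never consulted, and nothing resembling an incident action takes part in the count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (illustrative, not real FortiSIEM records). Each
# carries the attributes the subpattern looks at plus the data source it came
# from, so the example can show that the source never enters the count.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "eventType": "Failed Login",     "srcIpAddr": "10.0.0.5", "dataSource": "windows-agent"},
    {"time": "2024-05-01T10:00:30", "eventType": "Successful Login", "srcIpAddr": "10.0.0.5", "dataSource": "windows-agent"},
    {"time": "2024-05-01T10:01:00", "eventType": "Failed Login",     "srcIpAddr": "10.0.0.9", "dataSource": "syslog"},
    {"time": "2024-05-01T10:01:30", "eventType": "Failed Login",     "srcIpAddr": "10.0.0.5", "dataSource": "syslog"},
    {"time": "2024-05-01T10:02:00", "eventType": "Failed Login",     "srcIpAddr": "10.0.0.5", "dataSource": "windows-agent"},
    {"time": "2024-05-01T10:09:00", "eventType": "Failed Login",     "srcIpAddr": "10.0.0.9", "dataSource": "syslog"},
    {"time": "2024-05-01T10:17:00", "eventType": "Failed Login",     "srcIpAddr": "10.0.0.9", "dataSource": "syslog"},
    {"time": "2024-05-01T10:30:00", "eventType": "Failed Login",     "srcIpAddr": "10.0.0.5", "dataSource": "windows-agent"},
]

# Hypothetical subpattern definition: search filter and Group By attributes.
SEARCH_FILTER = {"eventType": "Failed Login"}
GROUP_BY = ("srcIpAddr",)


def is_matched_event(event, search_filter):
    """Search filter: an event is a 'Matched Event' only if every filter
    condition holds. dataSource is deliberately not part of the filter."""
    return all(event.get(attr) == value for attr, value in search_filter.items())


def evaluate_subpattern(events, search_filter, group_by, window_minutes, threshold):
    """Evaluate COUNT(Matched Events) >= threshold per Group By key over a
    sliding time window. Returns {group_key: time the condition first held}."""
    window = timedelta(minutes=window_minutes)
    # Group By: one counter (a deque of timestamps) per unique attribute combination.
    counters = defaultdict(deque)
    fired = {}
    for event in sorted(events, key=lambda e: e["time"]):
        if not is_matched_event(event, search_filter):
            continue
        key = tuple(event[attr] for attr in group_by)
        now = datetime.fromisoformat(event["time"])
        q = counters[key]
        q.append(now)
        # Time window: expire matched events that have aged out of the window.
        while now - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired[key] = event["time"]
    return fired


if __name__ == "__main__":
    # Per-source-IP counters, 5-minute window, threshold 3: only 10.0.0.5 fires.
    print(evaluate_subpattern(EVENTS, SEARCH_FILTER, GROUP_BY, 5, 3))
    # No Group By: a single global counter, so the rule fires earlier.
    print(evaluate_subpattern(EVENTS, SEARCH_FILTER, (), 5, 3))
    # 20-minute window: the slow attacker 10.0.0.9 now crosses the threshold too.
    print(evaluate_subpattern(EVENTS, SEARCH_FILTER, GROUP_BY, 20, 3))
```

Changing any one of the three inputs changes the result: removing the Group By merges 10.0.0.5 and 10.0.0.9 into one counter, widening the window lets three slow attempts from 10.0.0.9 count together, and tightening the filter to a single event type is what keeps the successful login out of the count. Swapping the dataSource values on any event changes nothing, which is the point of option B being wrong.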