Pass the Fortinet NSE 5 Network Security Analyst NSE5_FSM-6.3 Questions and answers with CertsForce

 Incident Status in FortiSIEM: The status of an incident indicates its current state and helps administrators track and manage incidents effectively.

 Cleared Status: When an incident’s status is "Cleared," it means that a specific condition set to clear the incident has been satisfied.

Clear Condition: This is typically a predefined condition that indicates the issue causing the incident has been resolved or no longer exists.

 Automatic vs. Manual Clearance: While some incidents may be cleared automatically based on clear conditions, others might be manually cleared by an operator.

 References: FortiSIEM 6.3 User Guide, Incident Management section, detailing the various incident statuses and the conditions that lead to an incident being marked as "Cleared."

 FortiSIEM Architecture: The FortiSIEM architecture includes several components such as Supervisors, Workers, Collectors, and Agents, each playing a distinct role in the SIEM ecosystem.

 Real-Time Event Correlation: Real-time event correlation is a critical function that involves analyzing and correlating incoming events to detect patterns indicative of security incidents or operational issues.

 Role of Supervisor and Worker:

Supervisor: The Supervisor oversees the entire FortiSIEM system, coordinating the processing and analysis of events.

Worker: Workers are responsible for processing and correlating the events received from Collectors and Agents.

 Collaboration for Correlation: Together, the Supervisor and Worker components perform real-time event correlation by distributing the load and ensuring efficient processing of events to identify incidents in real-time.

 References: FortiSIEM 6.3 User Guide, Event Correlation and Processing section, details how the Supervisor and Worker components collaborate for real-time event correlation.

 Rule Evaluation in FortiSIEM: Rules in FortiSIEM are evaluated periodically to check if the defined conditions or subpatterns are met.

 Frequency Field: The Frequency field in a rule determines the interval at which the rule's subpattern will be evaluated.

Evaluation Interval: This defines how often the system will check the incoming events against the rule's subpattern to determine if an incident should be triggered.

Impact on Performance: Setting an appropriate frequency is crucial to balance between timely detection of incidents and system performance.

 Examples:

If the Frequency is set to 5 minutes, the rule will evaluate the subpattern every 5 minutes.

This means that every 5 minutes, the system will check if the conditions defined in the subpattern are met by the incoming events.

 References: FortiSIEM 6.3 User Guide, Rules and Incidents section, which explains the Frequency field and how it impacts the evaluation of subpatterns in rules.

 Advanced Analytical Rules Engine: FortiSIEM's rules engine allows for complex event correlation using multiple subpatterns.

 Operations for Referencing Subpatterns:

FOLLOWED_BY: This operation is used to indicate that one event follows another within a specified time window.

OR: This logical operation allows for the inclusion of multiple subpatterns, where the rule triggers if any of the subpatterns match.

AND: This logical operation requires all referenced subpatterns to match for the rule to trigger.

 Usage: These operations allow for detailed and precise event correlation, helping to detect complex patterns and incidents.

 References: FortiSIEM 6.3 User Guide, Advanced Analytics Rules Engine section, which explains the use of different operations to reference subpatterns in rules.

 Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be grouped to summarize and organize the data.

 Unique Attributes: Attributes that are unique for each event cannot be grouped because they do not provide a meaningful aggregation or summary.

 Red Highlighting Explanation: The red highlighting in the exhibit indicates attributes that cannot be grouped together due to their unique nature. These unique attributes includeEvent Receive Time,Reporting IP,Event Type,Raw Event Log, andCOUNT(Matched Events).

 Attribute Characteristics:

Event Receive Timeis unique for each event.

Reporting IPandEvent Typecan vary greatly, making grouping them impractical in this context.

Raw Event Logrepresents the unprocessed log data, which is also unique.

COUNT(Matched Events)is a calculated field, not suitable for grouping.

 References: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping attributes in reports.

 Incident Creation in FortiSIEM: Incidents in FortiSIEM are created based on specific patterns and conditions defined within the system.

 Group By Function: The "Group By" section in the "Edit SubPattern" window specifies how the data should be grouped for analysis and incident creation.

 Impact of Grouping: The way data is grouped affects the number of incidents generated. Each unique combination of the grouped attributes results in a separate incident.

 Exhibit Analysis: In the provided exhibit, the "Group By" section lists "Reporting Device," "Reporting IP," and "User." This means incidents will be created for each unique combination of these attributes.

 References: FortiSIEM 6.3 User Guide, Rule and Pattern Creation section, which details how grouping impacts incident generation.

 Threshold Management: FortiSIEM uses thresholds to generate alerts and incidents based on performance and security metrics.

 Global Thresholds: These are default thresholds applied to all devices and metrics across the system, providing a baseline for alerts.

 Per Device Thresholds: These thresholds can be customized for individual devices, allowing for more granular control and tailored monitoring based on specific device characteristics and requirements.

 Usage in Performance Metrics: Both global and per device thresholds are used for performance metrics to ensure comprehensive and precise monitoring.

 References: FortiSIEM 6.3 User Guide, Thresholds and Alerts section, details the application of global and per device thresholds for performance and security metrics.

 Event Collection Overview: The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.

 Rule Subpattern Settings: The rule subpattern specifies two conditions:

AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold): This checks if the average CPU utilization exceeds the critical threshold defined for each server.

COUNT(Matched Events) >= 2: This requires at least two matching events within the specified period.

 Server A Analysis:

Events: Three events (CPU=90, CPU=90, CPU=95).

Average CPU Utilization: (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.

Matched Events Count: 3, which meets the condition of being greater than or equal to 2.

Incident Generation: Server A meets both conditions, so it generates one incident.

 Server B Analysis:

Events: Three events (CPU=70, CPU=50, CPU=60).

Average CPU Utilization: (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.

Matched Events Count: 3, but since the average CPU utilization condition is not met, no incident is generated.

 Conclusion: Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.

 References: FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.