NSE5_FSM-6.3 Questions and Answers

 Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be grouped to summarize and organize the data.

 Unique Attributes: Attributes that are unique for each event cannot be grouped because they do not provide a meaningful aggregation or summary.

 Red Highlighting Explanation: The red highlighting in the exhibit indicates attributes that cannot be grouped together due to their unique nature. These unique attributes includeEvent Receive Time,Reporting IP,Event Type,Raw Event Log, andCOUNT(Matched Events).

 Attribute Characteristics:

Event Receive Timeis unique for each event.

Reporting IPandEvent Typecan vary greatly, making grouping them impractical in this context.

Raw Event Logrepresents the unprocessed log data, which is also unique.

COUNT(Matched Events)is a calculated field, not suitable for grouping.

 References: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping attributes in reports.

 Incident Management in FortiSIEM: FortiSIEM tracks incidents and their occurrences to help administrators manage and respond to recurring issues.

 Performance Rule Triggering: When a performance rule, such as one for high CPU usage, is repeatedly triggered, FortiSIEM updates the corresponding incident rather than creating a new one each time.

 Incident Table Updates:

Incident Count: The Incident Count value increases each time the rule is triggered, indicating how many times the incident has occurred.

First Seen and Last Seen Times: These timestamps are updated to reflect the first occurrence and the most recent occurrence of the incident.

 References: FortiSIEM 6.3 User Guide, Incident Management section, explains how FortiSIEM handles recurring incidents and updates the incident table accordingly.

 Incident Creation in FortiSIEM: Incidents in FortiSIEM are created based on specific patterns and conditions defined within the system.

 Group By Function: The "Group By" section in the "Edit SubPattern" window specifies how the data should be grouped for analysis and incident creation.

 Impact of Grouping: The way data is grouped affects the number of incidents generated. Each unique combination of the grouped attributes results in a separate incident.

 Exhibit Analysis: In the provided exhibit, the "Group By" section lists "Reporting Device," "Reporting IP," and "User." This means incidents will be created for each unique combination of these attributes.

 References: FortiSIEM 6.3 User Guide, Rule and Pattern Creation section, which details how grouping impacts incident generation.

 License Renewal Process: When renewing a FortiSIEM license, it is essential to provide the system ID, which uniquely identifies the FortiSIEM instance.

 Commands to Retrieve System ID:

phgetHWID: This command retrieves the hardware ID of the FortiSIEM appliance.

Usage: Run the commandphgetHWIDin the CLI to obtain the hardware ID.

phgetUUID: This command retrieves the universally unique identifier (UUID) for the FortiSIEM system.

Usage: Run the commandphgetUUIDin the CLI to obtain the UUID.

 Verification: BothphgetHWIDandphgetUUIDare valid commands for retrieving the necessary system IDs required for license renewal.

 References: FortiSIEM 6.3 Administration Guide, Licensing section details the commands and procedures for obtaining system identification information necessary for license renewal.

 Event Collection Overview: The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.

 Rule Subpattern Settings: The rule subpattern specifies two conditions:

AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold): This checks if the average CPU utilization exceeds the critical threshold defined for each server.

COUNT(Matched Events) >= 2: This requires at least two matching events within the specified period.

 Server A Analysis:

Events: Three events (CPU=90, CPU=90, CPU=95).

Average CPU Utilization: (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.

Matched Events Count: 3, which meets the condition of being greater than or equal to 2.

Incident Generation: Server A meets both conditions, so it generates one incident.

 Server B Analysis:

Events: Three events (CPU=70, CPU=50, CPU=60).

Average CPU Utilization: (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.

Matched Events Count: 3, but since the average CPU utilization condition is not met, no incident is generated.

 Conclusion: Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.

 References: FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.

 Advanced Analytical Rules Engine: FortiSIEM's rules engine allows for complex event correlation using multiple subpatterns.

 Operations for Referencing Subpatterns:

FOLLOWED_BY: This operation is used to indicate that one event follows another within a specified time window.

OR: This logical operation allows for the inclusion of multiple subpatterns, where the rule triggers if any of the subpatterns match.

AND: This logical operation requires all referenced subpatterns to match for the rule to trigger.

 Usage: These operations allow for detailed and precise event correlation, helping to detect complex patterns and incidents.

 References: FortiSIEM 6.3 User Guide, Advanced Analytics Rules Engine section, which explains the use of different operations to reference subpatterns in rules.

 Device Status in FortiSIEM: FortiSIEM assigns different statuses to devices based on their operational state and performance metrics.

 Packet Loss Impact: The reported packet loss percentage directly influences the status assigned to a device. Packet loss between 50% and 98% indicates significant network issues that affect the device's performance.

 Degraded Status: When packet loss is between 50% and 98%, FortiSIEM assigns a "Degraded" status to the device. This status indicates that the device is experiencing substantial packet loss, which impairs its performance but does not render it completely non-functional.

 Reasoning: The "Degraded" status helps administrators identify devices with serious performance issues that need attention but are not entirely down.

 References: FortiSIEM 6.3 User Guide, Device Availability and Status section, explains the criteria for assigning different statuses based on performance metrics such as packet loss.

 Device Discovery Information: Information about discovered devices, including their configurations and statuses, is stored in a specific database.

 CMDB: The Configuration Management Database (CMDB) is used to store detailed information about the devices discovered by FortiSIEM.

Function: It maintains comprehensive details about device configurations, relationships, and other metadata essential for managing the IT infrastructure.

 Significance: Storing discovery information in the CMDB ensures that the FortiSIEM system has a centralized repository of device information, facilitating efficient management and monitoring.

 References: FortiSIEM 6.3 User Guide, Configuration Management Database (CMDB) section, which details the storage and usage of device discovery information.

 Discovery Methods in FortiSIEM: FortiSIEM can discover devices using various methods, including syslog, SNMP, and others.

 Syslog Discovery: The exhibit shows that the FortiGate device is discovered by FortiSIEM using syslog.

Syslog Parsing: The syslog messages sent by the FortiGate device are parsed by FortiSIEM to extract relevant information.

CMDB Entry: Based on the parsed information, an entry is populated in the Configuration Management Database (CMDB) for the device.

 Evidence in Exhibit: The exhibit shows the syslog flow from the FortiGate Firewall to the parsing and discovery process, resulting in the device being listed in the CMDB with the status "Pending."

 References: FortiSIEM 6.3 User Guide, Device Discovery section, which explains how syslog discovery works and how devices are added to the CMDB based on syslog data.

 Syslog Ports: Syslog messages can be sent over different ports using TCP or UDP protocols.

 Common Ports for Syslog:

UDP 514: This is the default port for sending syslog messages over UDP.

TCP 514: This is the default port for sending syslog messages over TCP, providing a more reliable transmission.

TCP 1470: This port is often used for secure or alternative syslog transmission.

 Usage in FortiSIEM: FortiSIEM can be configured to receive syslog messages on these ports to ensure the logs are collected from various network devices.

 References: FortiSIEM 6.3 User Guide, Syslog Integration section, which details the supported ports for syslog transmission.