Fortinet FCSS_ADA_AR-6.7 - FCSS Advanced Analytics 6.7 Architect

When a WAN link failure occurs between the collector and the supervisor in FortiSIEM:

● The collector does not discard events; instead, it buffers them until the connection is restored.

● The buffering limit is up to 1 GB after compression to optimize storage and prevent data loss.

● Once the WAN link is restored, buffered events are sent to the supervisor for processing.

Based on the provided exhibit, we can determine how long the UEBA agent has been operationally down by looking at the "First Occurred" and "Last Occurred" timestamps.

● First Occurred: Sep 13, 2021, at 01:10 PM

● Last Occurred: Sep 14, 2021, at 09:10 AM

From Sep 13, 01:10 PM to Sep 14, 01:10 AM → 12 hours

From Sep 14, 01:10 AM to Sep 14, 09:10 AM → 8 hours

Total downtime = 12 + 8 = 20 hours

InFortiSIEM,SQLite databasesused forbaseliningare stored in the/opt/phoenix/cachedirectory. This location is used fortemporary storage and caching of profile datathat is essential for anomaly detection and trend analysis.

●Baselininginvolves analyzing historical data to determine expected behavior patterns.

●SQLite databasesstore aggregated statistics, which are referenced during rule evaluations.

● Thecache directoryallows quick access to these values without querying the main database repeatedly.

The administrator is running an analytic search that groups results bySource IP, Reporting IP, and User, and filters only those with aCOUNT >= 3.

Looking at the data:

●Adminhas three failed attempts from thesame Source IP (203.0.113.4)andReporting IP (10.0.1.99).

●JanandSarahappear onlyonce or twicein the dataset.

●Tomhasmultiple entries, but they are fromdifferent Source IPs and Reporting IPs, meaning they are not counted as three under the same group.

Afterregistration, collectors maintaincontinuous communicationwith theSupervisorto ensure properevent processing, system health monitoring, and failover handling. The two key reasons collectors communicate with the Supervisor are:

1.To upload event data if a worker is down

If aworker node fails, thecollector can temporarily store event logsand then forward them to the Supervisor.

This ensuresevent continuityeven during infrastructure issues.

2.To report its own health status

Thecollector sends health reportsto theSupervisor, including resource usage, connectivity status, and operational logs.

This helps FortiSIEM trackcollector uptime and performance.

In aFortiSIEM deployment,device discoveryis handled by theSupervisor, even when aCollectoris present.

● TheSupervisor initiates active scansusing protocols such asSNMP, WMI, SSH, and API queriesto discover devices in the network.

●Collectors do not perform discovery; they primarilycollect and forward logsfrom designated devices to the Supervisor.

●Workers handle event processing, not discovery.

FortiSIEM does not allow CMDB queries to be nested within other CMDB queries. CMDB data is static information, and nesting would not add value or function properly in query execution.