Fortinet NSE5_FSM-6.3 - Fortinet NSE 5 - FortiSIEM 6.3

ï‚· Rule Evaluation in FortiSIEM: Rules in FortiSIEM are evaluated periodically to check if the defined conditions or subpatterns are met.

ï‚· Frequency Field: The Frequency field in a rule determines the interval at which the rule's subpattern will be evaluated.

Evaluation Interval: This defines how often the system will check the incoming events against the rule's subpattern to determine if an incident should be triggered.

Impact on Performance: Setting an appropriate frequency is crucial to balance between timely detection of incidents and system performance.

ï‚· Examples:

If the Frequency is set to 5 minutes, the rule will evaluate the subpattern every 5 minutes.

This means that every 5 minutes, the system will check if the conditions defined in the subpattern are met by the incoming events.

ï‚· References: FortiSIEM 6.3 User Guide, Rules and Incidents section, which explains the Frequency field and how it impacts the evaluation of subpatterns in rules.

ï‚· Search Filters in FortiSIEM: When searching for events, the correct use of filters and logical operators is crucial to obtain accurate results.

ï‚· Issue Analysis:

Selected Filters: The exhibit shows filters for two different Reporting IP addresses.

Logical Operators: The use of "AND" between the two Reporting IP addresses implies that an event must match both IP addresses simultaneously, which is not possible for a single event.

ï‚· Correct Usage: To search for events from either of the two IP addresses, parentheses should be used to group conditions logically.

Corrected Filter:(Reporting IP = 192.168.1.1 OR Reporting IP = 172.16.10.3)would return events from either IP address.

ï‚· References: FortiSIEM 6.3 User Guide, Search and Filters section, which explains the use of logical operators and the importance of parentheses in constructing effective search queries.

ï‚· Rules Engine in FortiSIEM: The rules engine evaluates incoming events based on defined conditions to detect incidents and anomalies.

ï‚· Aggregation Condition: The aggregation condition instructs FortiSIEM to summarize and count the matching evaluated data.

Function: Aggregation is used to group events based on specified criteria and then perform operations such as counting the number of occurrences within a defined time window.

ï‚· Purpose: This allows for the detection of patterns and anomalies, such as a high number of failed login attempts within a short period.

ï‚· References: FortiSIEM 6.3 User Guide, Rules Engine section, which explains how aggregation is used to summarize and count matching data.

ï‚· Monitor Column Indicators: In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.

ï‚· Yellow Star Meaning: A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.

ï‚· Successful Data Collection: This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.

ï‚· References: FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.

ï‚· Event Type Population: In FortiSIEM, the Event Type field is populated based on specific identifiers within the raw message or event log.

ï‚· Raw Message Analysis: The exhibit shows a raw message with various components, includingPH_DEV_MON_SYS_DISK_UTIL,PHL_INFO,phPerfJob, anddiskUtil.

ï‚· Primary Event Identifier: ThePH_DEV_MON_SYS_DISK_UTILat the beginning of the raw message is the primary identifier for the event type. It categorizes the type of event, in this case, a system disk utilization monitoring event.

ï‚· Event Type Field: FortiSIEM uses this primary identifier to populate the Event Type field, providing a clear categorization of the event.

ï‚· References: FortiSIEM 6.3 User Guide, Event Processing and Event Types section, details how event types are identified and populated in the system.

ï‚· Case Sensitivity in Searches: In FortiSIEM, search queries, including those for raw event logs, are case sensitive. This means that keywords must be entered exactly as they appear in the logs.

ï‚· Keyword Mismatch: The exhibit shows the keyword "TCP" in the Value field. If the actual events use "tcp" (lowercase), the search will return no results because of the case mismatch.

ï‚· Correct Keyword: To match the keyword correctly, the administrator should enter "tcp" in the Value field.

ï‚· References: FortiSIEM 6.3 User Guide, Search and Filtering section, which discusses the importance of case sensitivity in search queries.

ï‚· Syslog Ports: Syslog messages can be sent over different ports using TCP or UDP protocols.

ï‚· Common Ports for Syslog:

UDP 514: This is the default port for sending syslog messages over UDP.

TCP 514: This is the default port for sending syslog messages over TCP, providing a more reliable transmission.

TCP 1470: This port is often used for secure or alternative syslog transmission.

ï‚· Usage in FortiSIEM: FortiSIEM can be configured to receive syslog messages on these ports to ensure the logs are collected from various network devices.

ï‚· References: FortiSIEM 6.3 User Guide, Syslog Integration section, which details the supported ports for syslog transmission.