Fortinet NSE5_FSM-6.3 Practice Test - Questions Answers, Page 5

If an incident's status is Cleared, what does this mean?

A. Two hours have passed since the incident occurred and the incident has not reoccurred.
B. A clear condition set on a rule was satisfied.
C. A security rule issue has been resolved.
D. The incident was cleared by an operator.
Suggested answer: B

Explanation:

Incident Status in FortiSIEM: The status of an incident indicates its current state and helps administrators track and manage incidents effectively.

Cleared Status: When an incident's status is 'Cleared,' it means that a specific condition set to clear the incident has been satisfied.

Clear Condition: This is typically a predefined condition that indicates the issue causing the incident has been resolved or no longer exists.

Automatic vs. Manual Clearance: While some incidents may be cleared automatically based on clear conditions, others might be manually cleared by an operator.

Reference: FortiSIEM 6.3 User Guide, Incident Management section, detailing the various incident statuses and the conditions that lead to an incident being marked as 'Cleared.'

Refer to the exhibit.

A FortiSIEM is continuously receiving syslog events from a FortiGate firewall. The FortiSIEM administrator is trying to search the raw event logs for the last two hours that contain the keyword tcp. However, the administrator is getting no results from the search.

Based on the selected filters shown in the exhibit, why are there no search results?

A. The keyword is case sensitive. Instead of typing TCP in the Value field, the administrator should type tcp.
B. In the Time section, the administrator selected the Relative Last option, and in the drop-down lists, selected 2 and Hours as the time period. The time period should be 24 hours.
C. The administrator selected - in the Operator column. That is the wrong operator.
D. The administrator selected AND in the Next drop-down list. This is the wrong boolean operator.
Suggested answer: A

Explanation:

Case Sensitivity in Searches: In FortiSIEM, search queries, including those for raw event logs, are case sensitive. This means that keywords must be entered exactly as they appear in the logs.

Keyword Mismatch: The exhibit shows the keyword 'TCP' in the Value field. If the actual events use 'tcp' (lowercase), the search will return no results because of the case mismatch.

Correct Keyword: To match the keyword correctly, the administrator should enter 'tcp' in the Value field.

Reference: FortiSIEM 6.3 User Guide, Search and Filtering section, which discusses the importance of case sensitivity in search queries.

Which FortiSIEM components are capable of performing device discovery?

A. FortiSIEM Windows agent
B. Worker
C. FortiSIEM Linux agent
D. Collector
Suggested answer: D

Explanation:

Device Discovery in FortiSIEM: Device discovery is the process by which FortiSIEM identifies and adds devices to its management scope.

Role of Collectors: Collectors are responsible for gathering data from network devices, including discovering new devices in the network.

Functionality: Collectors use protocols such as SNMP, WMI, and others to discover devices and gather their details.

Capability: While agents (Windows and Linux) primarily gather data from their host systems, the collectors actively discover devices across the network.

Reference: FortiSIEM 6.3 User Guide, Device Discovery section, which details the role of collectors in discovering network devices.

Which discovery scan type is prone to miss a device, if the device is quiet and the entry for that device is not present in the ARP table of adjacent devices?

A. CMDB scan
B. L2 scan
C. Range scan
D. Smart scan
Suggested answer: B

Explanation:

Discovery Scan Types: FortiSIEM uses various scan types to discover devices on a network.

Layer 2 (L2) Scan: An L2 scan discovers devices based on ARP tables and MAC address information from adjacent devices.

Limitation: If a device is quiet (not actively communicating) and its entry is not present in the ARP table of adjacent devices, the L2 scan may miss it.

Other Scan Types:

CMDB Scan: Based on the existing Configuration Management Database (CMDB) entries.

Range Scan: Scans a specified IP range for devices.

Smart Scan: Uses a combination of methods to discover devices.

Reference: FortiSIEM 6.3 User Guide, Device Discovery section, which explains the different types of discovery scans and their characteristics.

What are the four possible incident status values?

A. Active, closed, cleared, open
B. Active, cleared, cleared manually, system cleared
C. Active, closed, manual, resolved
D. Active, auto cleared, manual, false positive
Suggested answer: A

Explanation:

Incident Status Values: Incident statuses in FortiSIEM help administrators track and manage the lifecycle of incidents from detection to resolution.

Four Possible Status Values:

Active: Indicates that the incident is currently ongoing and needs attention.

Closed: Indicates that the incident has been resolved or addressed.

Cleared: Indicates that the incident has been resolved automatically based on predefined conditions.

Open: Indicates that the incident is acknowledged and under investigation but not yet resolved.

Usage: These statuses help in prioritizing and tracking incidents effectively, ensuring that all incidents are appropriately managed.

Reference: FortiSIEM 6.3 User Guide, Incident Management section, which details the different status values and their meanings.

Refer to the exhibit.

What do the yellow stars listed in the Monitor column indicate?

A. A yellow star indicates that a metric was applied during discovery, and data has been collected successfully.
B. A yellow star indicates that a metric was applied during discovery, but data collection has not started.
C. A yellow star indicates that a metric was applied during discovery, but FortiSIEM is unable to collect data.
D. A yellow star indicates that a metric was not applied during discovery and, therefore, FortiSIEM was unable to collect data.
Suggested answer: A

Explanation:

Monitor Column Indicators: In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.

Yellow Star Meaning: A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.

Successful Data Collection: This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.

Reference: FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.

Refer to the exhibit.

A FortiSIEM administrator wants to collect both SIEM event logs and performance and availability metrics (PAM) events from a Microsoft Windows server.

Which protocol should the administrator select in the Access Protocol drop-down list so that FortiSIEM will collect both SIEM and PAM events?

A. TELNET
B. WMI
C. LDAPS
D. LDAP start TLS
Suggested answer: B

Explanation:

Collecting SIEM and PAM Events: To collect both SIEM event logs and Performance and Availability Monitoring (PAM) events from a Microsoft Windows server, a suitable protocol must be selected.

WMI Protocol: Windows Management Instrumentation (WMI) is the appropriate protocol for this task.

SIEM Event Logs: WMI can collect security, application, and system logs from Windows devices.

PAM Events: WMI can also gather performance metrics, such as CPU usage, memory utilization, and disk activity.

Comprehensive Data Collection: Using WMI ensures that both types of data are collected efficiently from the Windows server.

Reference: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting various types of logs and performance metrics.

Which database is used for storing anomaly data that is calculated for different parameters, such as traffic and device resource usage running averages and standard deviation values?

A. Profile DB
B. Event DB
C. CMDB
D. SVN DB
Suggested answer: A

Explanation:

Anomaly Data Storage: Anomaly data, including running averages and standard deviation values for different parameters such as traffic and device resource usage, is stored in a specific database.

Profile DB: The Profile DB is used to store this type of anomaly data.

Function: It maintains statistical profiles and baselines for monitored parameters, which are used to detect anomalies and deviations from normal behavior.

Significance: Storing anomaly data in the Profile DB allows FortiSIEM to perform advanced analytics and alerting based on deviations from established baselines.

Reference: FortiSIEM 6.3 User Guide, Database Architecture section, which describes the purpose and contents of the Profile DB in storing anomaly and baseline data.

What is a prerequisite for FortiSIEM Linux agent installation?

A. The web server must be installed on the Linux server being monitored.
B. The auditd service must be installed on the Linux server being monitored.
C. The Linux agent manager server must be installed.
D. Both the web server and the audit service must be installed on the Linux server being monitored.
Suggested answer: B

Explanation:

FortiSIEM Linux Agent: The FortiSIEM Linux agent is used to collect logs and performance metrics from Linux servers and send them to the FortiSIEM system.

Prerequisite for Installation: The auditd service, which is the Linux Audit Daemon, must be installed and running on the Linux server to capture and log security-related events.

auditd Service: This service collects and logs security events on Linux systems, which are essential for monitoring and analysis by FortiSIEM.

Importance of auditd: Without the auditd service, the FortiSIEM Linux agent will not be able to collect the necessary event data from the Linux server.

Reference: FortiSIEM 6.3 User Guide, Linux Agent Installation section, which lists the prerequisites and steps for installing the FortiSIEM Linux agent.

A customer is experiencing slow performance while executing long, ad hoc analytic searches. Which FortiSIEM component can make the searches run faster?

A. Correlation worker
B. Event worker
C. Storage worker
D. Query worker
Suggested answer: D

Explanation:

Component Roles in FortiSIEM: Different components in FortiSIEM have specific roles and responsibilities, which contribute to the overall performance and functionality of the system.

Query Worker: The query worker component is specifically designed to handle and optimize search queries within FortiSIEM.

Function: It processes search requests and executes analytic searches efficiently, handling large volumes of data to provide quick results.

Optimization: By improving the efficiency of query execution, the query worker can significantly speed up long, ad hoc analytic searches, addressing performance issues.

Performance Impact: Utilizing the query worker ensures that searches are handled by a component optimized for such tasks, reducing the load on other components and improving overall system performance.

Reference: FortiSIEM 6.3 User Guide, System Components section, which describes the roles of different workers, including the query worker, and their impact on system performance.
