NSE5_FSM-6.3 Exam Dumps - Fortinet NSE 5 - FortiSIEM 6.3

ï‚· Collecting SIEM and PAM Events: To collect both SIEM event logs and Performance and Availability Monitoring (PAM) events from a Microsoft Windows server, a suitable protocol must be selected.

ï‚· WMI Protocol: Windows Management Instrumentation (WMI) is the appropriate protocol for this task.

SIEM Event Logs: WMI can collect security, application, and system logs from Windows devices.

PAM Events: WMI can also gather performance metrics, such as CPU usage, memory utilization, and disk activity.

ï‚· Comprehensive Data Collection: Using WMI ensures that both types of data are collected efficiently from the Windows server.

ï‚· References: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting various types of logs and performance metrics.

ï‚· Incident Creation in FortiSIEM: Incidents in FortiSIEM are created based on specific patterns and conditions defined within the system.

ï‚· Group By Function: The "Group By" section in the "Edit SubPattern" window specifies how the data should be grouped for analysis and incident creation.

ï‚· Impact of Grouping: The way data is grouped affects the number of incidents generated. Each unique combination of the grouped attributes results in a separate incident.

ï‚· Exhibit Analysis: In the provided exhibit, the "Group By" section lists "Reporting Device," "Reporting IP," and "User." This means incidents will be created for each unique combination of these attributes.

ï‚· References: FortiSIEM 6.3 User Guide, Rule and Pattern Creation section, which details how grouping impacts incident generation.

ï‚· Raw Log Data: When devices send logs to FortiSIEM, the data arrives in a raw, unstructured format.

ï‚· Data Parsing Process: The process that converts this raw log data into a structured format is known as data parsing.

Data Parsing: This involves extracting relevant fields from the raw log entries and organizing them into a structured format, making the data usable for analysis, reporting, and correlation.

ï‚· Significance of Structured Data: Structured data is essential for effective event correlation, alerting, and generating meaningful reports.

ï‚· References: FortiSIEM 6.3 User Guide, Data Parsing section, which details how raw log data is transformed into structured data through parsing.

ï‚· Syslog Configuration in FortiSIEM: For FortiSIEM to receive syslog messages from network devices, those devices need to be properly configured to send syslog data to FortiSIEM.

ï‚· Manual Configuration Requirement: FortiSIEM does not automatically configure network devices to send syslog messages. Instead, this configuration must be performed manually by the network administrator.

ï‚· Process Overview: The network administrator must access each device and set up the syslog parameters to direct log data to the FortiSIEM collector's IP address.

ï‚· Discovery Process: While FortiSIEM can discover network devices using SNMP, WMI, and other protocols, the configuration of syslog on these devices is beyond its scope and requires manual intervention.

ï‚· References: FortiSIEM 6.3 User Guide, Device Configuration and Syslog Integration sections, which explain the requirements and steps for setting up syslog forwarding on network devices.

ï‚· Syslog Reception Verification: To verify whether syslog messages are being received from a network device, a network packet capture tool can be used.

ï‚· tcpdump Command:tcpdumpis a powerful command-line packet analyzer tool available in Unix-like operating systems. It allows administrators to capture and analyze network traffic.

Usage: By usingtcpdumpwith the appropriate filters (e.g., port 514 for syslog), administrators can monitor the incoming syslog messages in real-time to verify if they are being received.

Example Command:tcpdump -i port 514captures the syslog messages on the specified network interface.

ï‚· References: FortiSIEM 6.3 User Guide, CLI Commands section, which details the usage oftcpdumpfor network traffic analysis and verification of syslog reception.

ï‚· Discovery Scan Types: FortiSIEM uses various scan types to discover devices on a network.

ï‚· Layer 2 (L2) Scan: An L2 scan discovers devices based on ARP tables and MAC address information from adjacent devices.

Limitation: If a device is quiet (not actively communicating) and its entry is not present in the ARP table of adjacent devices, the L2 scan may miss it.

ï‚· Other Scan Types:

CMDB Scan: Based on the existing Configuration Management Database (CMDB) entries.

Range Scan: Scans a specified IP range for devices.

Smart Scan: Uses a combination of methods to discover devices.

ï‚· References: FortiSIEM 6.3 User Guide, Device Discovery section, which explains the different types of discovery scans and their characteristics.

ï‚· Monitor Column Indicators: In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.

ï‚· Yellow Star Meaning: A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.

ï‚· Successful Data Collection: This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.

ï‚· References: FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.