NSE5_FSM-6.3 Exam Dumps - Fortinet NSE 5 - FortiSIEM 6.3

ï‚· Feature Overview: FortiSIEM provides several tools for querying and reporting on device information within an environment.

ï‚· Inventory Tab: The Inventory tab is specifically designed to display detailed information about devices, including their firmware versions.

ï‚· Query Functionality: Within the Inventory tab, you can run queries to filter and display devices based on specific attributes, such as the firmware version for FortiGate devices.

ï‚· Report Generation: By running a query in the Inventory tab, you can produce a report that lists the FortiGate devices and their corresponding firmware versions.

ï‚· References: FortiSIEM 6.3 User Guide, Inventory Management section, explains how to use the Inventory tab to query and report on device attributes.

ï‚· Anomaly Baseline Data: Anomaly baseline data refers to the statistical profiles and baselines calculated for various parameters to detect deviations indicative of potential security incidents.

ï‚· Profile DB: The Profile DB is specifically designed to store such baseline data in FortiSIEM.

Purpose: It maintains statistical profiles for different monitored parameters to facilitate anomaly detection.

Usage: This data is used by FortiSIEM to compare real-time metrics against the established baselines to identify anomalies.

ï‚· References: FortiSIEM 6.3 User Guide, Database Architecture section, which describes the different databases used in FortiSIEM and their purposes, including the Profile DB for storing anomaly baseline data.

ï‚· Device Discovery Information: Information about discovered devices, including their configurations and statuses, is stored in a specific database.

ï‚· CMDB: The Configuration Management Database (CMDB) is used to store detailed information about the devices discovered by FortiSIEM.

Function: It maintains comprehensive details about device configurations, relationships, and other metadata essential for managing the IT infrastructure.

ï‚· Significance: Storing discovery information in the CMDB ensures that the FortiSIEM system has a centralized repository of device information, facilitating efficient management and monitoring.

ï‚· References: FortiSIEM 6.3 User Guide, Configuration Management Database (CMDB) section, which details the storage and usage of device discovery information.

ï‚· Syslog Ports: Syslog messages can be sent over different ports using TCP or UDP protocols.

ï‚· Common Ports for Syslog:

UDP 514: This is the default port for sending syslog messages over UDP.

TCP 514: This is the default port for sending syslog messages over TCP, providing a more reliable transmission.

TCP 1470: This port is often used for secure or alternative syslog transmission.

ï‚· Usage in FortiSIEM: FortiSIEM can be configured to receive syslog messages on these ports to ensure the logs are collected from various network devices.

ï‚· References: FortiSIEM 6.3 User Guide, Syslog Integration section, which details the supported ports for syslog transmission.

ï‚· Rule Evaluation in FortiSIEM: Rules in FortiSIEM are evaluated periodically to check if the defined conditions or subpatterns are met.

ï‚· Frequency Field: The Frequency field in a rule determines the interval at which the rule's subpattern will be evaluated.

Evaluation Interval: This defines how often the system will check the incoming events against the rule's subpattern to determine if an incident should be triggered.

Impact on Performance: Setting an appropriate frequency is crucial to balance between timely detection of incidents and system performance.

ï‚· Examples:

If the Frequency is set to 5 minutes, the rule will evaluate the subpattern every 5 minutes.

This means that every 5 minutes, the system will check if the conditions defined in the subpattern are met by the incoming events.

ï‚· References: FortiSIEM 6.3 User Guide, Rules and Incidents section, which explains the Frequency field and how it impacts the evaluation of subpatterns in rules.

ï‚· Collecting SIEM and PAM Events: To collect both SIEM event logs and Performance and Availability Monitoring (PAM) events from a Microsoft Windows server, a suitable protocol must be selected.

ï‚· WMI Protocol: Windows Management Instrumentation (WMI) is the appropriate protocol for this task.

SIEM Event Logs: WMI can collect security, application, and system logs from Windows devices.

PAM Events: WMI can also gather performance metrics, such as CPU usage, memory utilization, and disk activity.

ï‚· Comprehensive Data Collection: Using WMI ensures that both types of data are collected efficiently from the Windows server.

ï‚· References: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting various types of logs and performance metrics.

ï‚· Incident Creation in FortiSIEM: Incidents in FortiSIEM are created based on specific patterns and conditions defined within the system.

ï‚· Group By Function: The "Group By" section in the "Edit SubPattern" window specifies how the data should be grouped for analysis and incident creation.

ï‚· Impact of Grouping: The way data is grouped affects the number of incidents generated. Each unique combination of the grouped attributes results in a separate incident.

ï‚· Exhibit Analysis: In the provided exhibit, the "Group By" section lists "Reporting Device," "Reporting IP," and "User." This means incidents will be created for each unique combination of these attributes.

ï‚· References: FortiSIEM 6.3 User Guide, Rule and Pattern Creation section, which details how grouping impacts incident generation.

ï‚· Raw Log Data: When devices send logs to FortiSIEM, the data arrives in a raw, unstructured format.

ï‚· Data Parsing Process: The process that converts this raw log data into a structured format is known as data parsing.

Data Parsing: This involves extracting relevant fields from the raw log entries and organizing them into a structured format, making the data usable for analysis, reporting, and correlation.

ï‚· Significance of Structured Data: Structured data is essential for effective event correlation, alerting, and generating meaningful reports.

ï‚· References: FortiSIEM 6.3 User Guide, Data Parsing section, which details how raw log data is transformed into structured data through parsing.

ï‚· Syslog Configuration in FortiSIEM: For FortiSIEM to receive syslog messages from network devices, those devices need to be properly configured to send syslog data to FortiSIEM.

ï‚· Manual Configuration Requirement: FortiSIEM does not automatically configure network devices to send syslog messages. Instead, this configuration must be performed manually by the network administrator.

ï‚· Process Overview: The network administrator must access each device and set up the syslog parameters to direct log data to the FortiSIEM collector's IP address.

ï‚· Discovery Process: While FortiSIEM can discover network devices using SNMP, WMI, and other protocols, the configuration of syslog on these devices is beyond its scope and requires manual intervention.

ï‚· References: FortiSIEM 6.3 User Guide, Device Configuration and Syslog Integration sections, which explain the requirements and steps for setting up syslog forwarding on network devices.

ï‚· Syslog Reception Verification: To verify whether syslog messages are being received from a network device, a network packet capture tool can be used.

ï‚· tcpdump Command:tcpdumpis a powerful command-line packet analyzer tool available in Unix-like operating systems. It allows administrators to capture and analyze network traffic.

Usage: By usingtcpdumpwith the appropriate filters (e.g., port 514 for syslog), administrators can monitor the incoming syslog messages in real-time to verify if they are being received.

Example Command:tcpdump -i port 514captures the syslog messages on the specified network interface.

ï‚· References: FortiSIEM 6.3 User Guide, CLI Commands section, which details the usage oftcpdumpfor network traffic analysis and verification of syslog reception.

ï‚· Discovery Scan Types: FortiSIEM uses various scan types to discover devices on a network.

ï‚· Layer 2 (L2) Scan: An L2 scan discovers devices based on ARP tables and MAC address information from adjacent devices.

Limitation: If a device is quiet (not actively communicating) and its entry is not present in the ARP table of adjacent devices, the L2 scan may miss it.

ï‚· Other Scan Types:

CMDB Scan: Based on the existing Configuration Management Database (CMDB) entries.

Range Scan: Scans a specified IP range for devices.

Smart Scan: Uses a combination of methods to discover devices.

ï‚· References: FortiSIEM 6.3 User Guide, Device Discovery section, which explains the different types of discovery scans and their characteristics.

ï‚· Monitor Column Indicators: In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.

ï‚· Yellow Star Meaning: A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.

ï‚· Successful Data Collection: This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.

ï‚· References: FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.