In FortiSIEM, collectors must know where to upload event data. During registration, the supervisor provides the collector with the worker upload address.

The worker upload address tells the collector where to send logs after collection. If no worker upload address is set, the collector has no destination for its data, preventing proper registration.

The Windows agent (fortibank_dc.fortibank.net) is in an " Unmanaged " state, which indicates that it has not received a monitoring template from FortiSIEM. Without a template, the agent does not know what logs to collect or forward, meaning it is not sending logs to the supervisor .

The agent is registered , meaning it has completed the installation and connection process. Since it is unmanaged , it is not actively monitored or configured to send logs. To resolve this, the administrator must assign a monitoring template to enable proper log forwarding.

From the Filters section in the exhibit, we see:

1. Event Type IN EventTypes: Domain Account Locked

This means the rule will match events where the event type is classified under the Domain Account Locked category.

2. Reporting IP IN Applications: Domain Controller

This means the rule is filtering for events where the reporting IP is classified under the Domain Controller applications group .

3. Logical Operator: AND

The filters are combined using AND , meaning both conditions must be met for an event to match.

Since both conditions must be true, the rule is effectively filtering events where:

● The event type belongs to the Domain Account Locked CMDB group

● The reporting IP belongs to the Domain Controller applications group

The license file located at /etc/opsd/.fortisiem4x0 is critical for the collector ' s operation , as it verifies the collector ' s registration with the supervisor and enables proper functionality.

If this license file is removed , the collector:

● Will lose its registration with the supervisor.

● Will stop receiving updates and configurations from the FortiSIEM supervisor.

● Will require re-registration with the supervisor to obtain a new license file.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.

Group By automatically applies a COUNT aggregation.

When using Group By in FortiSIEM structured queries, it automatically applies a COUNT(*) function unless a different aggregation (such as SUM, AVG, or MAX) is specified. This helps summarize data by counting occurrences of grouped attributes.

Group By is applied to real-time and historical searches.

Grouping functions work in both real-time (live event monitoring) and historical (past event analysis) searches, making it useful for trend analysis, anomaly detection, and correlation.

The LookupTableGet function is designed to enrich event data by referencing a lookup table. However, it cannot be used directly in analytic queries for filtering data before processing. Instead, it is meant to be applied as a display filter to enhance results after retrieval.

In the given query, LookupTableGet(MalwareIPList : Source IP : Confidence) > = 87 is being used in a filter condition , which leads to an error because the function is not valid in this context. It should be applied after the data is retrieved, not as a pre-processing filter.

FortiSIEM ' s rule engine queries the profile database to analyze historical behavior and detect anomalies. The profile database stores statistical baselines, which include:

● Statistical average (mean values over time)

● Standard deviation (variability from the mean)

These values help the rule engine determine whether an observed metric (such as logins, failed attempts, network traffic, or system performance) deviates significantly from the normal pattern for the same hour of the day.

In FortiSIEM, an agent’s status of " Running Inactive " indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

In a FortiSIEM deployment , device discovery is handled by the Supervisor , even when a Collector is present.

● The Supervisor initiates active scans using protocols such as SNMP, WMI, SSH, and API queries to discover devices in the network.

● Collectors do not perform discovery ; they primarily collect and forward logs from designated devices to the Supervisor.

● Workers handle event processing , not discovery.