 Rule Evaluation in FortiSIEM : Rules in FortiSIEM are evaluated periodically to check if the defined conditions or subpatterns are met.

 Frequency Field : The Frequency field in a rule determines the interval at which the rule's subpattern will be evaluated.

Evaluation Interval : This defines how often the system will check the incoming events against the rule's subpattern to determine if an incident should be triggered.

Impact on Performance : Setting an appropriate frequency is crucial to balance between timely detection of incidents and system performance.

 Examples :

If the Frequency is set to 5 minutes, the rule will evaluate the subpattern every 5 minutes.

This means that every 5 minutes, the system will check if the conditions defined in the subpattern are met by the incoming events.

 References : FortiSIEM 6.3 User Guide, Rules and Incidents section, which explains the Frequency field and how it impacts the evaluation of subpatterns in rules.

 Syslog Reception Verification : To verify whether syslog messages are being received from a network device, a network packet capture tool can be used.

 tcpdump Command : tcpdump is a powerful command-line packet analyzer tool available in Unix-like operating systems. It allows administrators to capture and analyze network traffic.

Usage : By using tcpdump with the appropriate filters (e.g., port 514 for syslog), administrators can monitor the incoming syslog messages in real-time to verify if they are being received.

Example Command : tcpdump -i < interface > port 514 captures the syslog messages on the specified network interface.

 References : FortiSIEM 6.3 User Guide, CLI Commands section, which details the usage of tcpdump for network traffic analysis and verification of syslog reception.

 Incident Status in FortiSIEM : The status of an incident indicates its current state and helps administrators track and manage incidents effectively.

 Cleared Status : When an incident’s status is "Cleared," it means that a specific condition set to clear the incident has been satisfied.

Clear Condition : This is typically a predefined condition that indicates the issue causing the incident has been resolved or no longer exists.

 Automatic vs. Manual Clearance : While some incidents may be cleared automatically based on clear conditions, others might be manually cleared by an operator.

 References : FortiSIEM 6.3 User Guide, Incident Management section, detailing the various incident statuses and the conditions that lead to an incident being marked as "Cleared."

 Data Collection Status : FortiSIEM displays various icons to indicate the status of data collection for different devices.

 Pause Icon : The pause icon specifically indicates that data collection is paused, but this can happen due to several reasons.

 Common Cause for Pausing : One common cause for pausing data collection is an issue such as a change of password, which prevents the system from authenticating and collecting data.

 Exhibit Analysis : In the provided exhibit, the presence of the pause icon next to the device suggests that data collection has encountered an issue that has caused it to pause.

 References : FortiSIEM 6.3 User Guide, Device Management and Data Collection Status Icons section, which explains the different icons and their meanings.

 Device Discovery in FortiSIEM : Device discovery is the process by which FortiSIEM identifies and adds devices to its management scope.

 Role of Collectors : Collectors are responsible for gathering data from network devices, including discovering new devices in the network.

Functionality : Collectors use protocols such as SNMP, WMI, and others to discover devices and gather their details.

 Capability : While agents (Windows and Linux) primarily gather data from their host systems, the collectors actively discover devices across the network.

 References : FortiSIEM 6.3 User Guide, Device Discovery section, which details the role of collectors in discovering network devices.

 Linux Agent in FortiSIEM : The FortiSIEM Linux agent is responsible for collecting logs and metrics from Linux devices and forwarding them to the FortiSIEM system.

 Command for Checking Status : The correct command to check the status of the FortiSIEM Linux agent is service fortisiem-linux-agent status .

Explanation : This command queries the status of the FortiSIEM Linux agent service, showing whether it is running, stopped, or encountering issues.

 Usage : Properly checking the agent status helps ensure that data collection from Linux devices is functioning as expected.

 References : FortiSIEM 6.3 User Guide, Linux Agent Installation and Management section, which includes commands for managing the Linux agent.

 Event Collection Overview : The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.

 Rule Subpattern Settings : The rule subpattern specifies two conditions:

AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold) : This checks if the average CPU utilization exceeds the critical threshold defined for each server.

COUNT(Matched Events) > = 2 : This requires at least two matching events within the specified period.

 Server A Analysis :

Events : Three events (CPU=90, CPU=90, CPU=95).

Average CPU Utilization : (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.

Matched Events Count : 3, which meets the condition of being greater than or equal to 2.

Incident Generation : Server A meets both conditions, so it generates one incident.

 Server B Analysis :

Events : Three events (CPU=70, CPU=50, CPU=60).

Average CPU Utilization : (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.

Matched Events Count : 3, but since the average CPU utilization condition is not met, no incident is generated.

 Conclusion : Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.

 References : FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.

 Discovery Scan Types : FortiSIEM uses various scan types to discover devices on a network.

 Layer 2 (L2) Scan : An L2 scan discovers devices based on ARP tables and MAC address information from adjacent devices.

Limitation : If a device is quiet (not actively communicating) and its entry is not present in the ARP table of adjacent devices, the L2 scan may miss it.

 Other Scan Types :

CMDB Scan : Based on the existing Configuration Management Database (CMDB) entries.

Range Scan : Scans a specified IP range for devices.

Smart Scan : Uses a combination of methods to discover devices.

 References : FortiSIEM 6.3 User Guide, Device Discovery section, which explains the different types of discovery scans and their characteristics.