 Expression Builder in FortiSIEM : The Expression Builder is used to create expressions for analyzing event data.

 Correct Syntax : The correct syntax for counting matched events is COUNT(Matched Events) .

Function : COUNT is a function that takes a parameter, in this case, "Matched Events," to count the number of occurrences.

 Common Errors : Incorrect syntax, such as reversing the order or using parentheses improperly, can lead to invalid expressions.

 References : FortiSIEM 6.3 User Guide, Expression Builder section, which explains the correct syntax and usage for creating valid expressions for event analysis.

 Case Sensitivity in Searches : In FortiSIEM, search queries, including those for raw event logs, are case sensitive. This means that keywords must be entered exactly as they appear in the logs.

 Keyword Mismatch : The exhibit shows the keyword "TCP" in the Value field. If the actual events use "tcp" (lowercase), the search will return no results because of the case mismatch.

 Correct Keyword : To match the keyword correctly, the administrator should enter "tcp" in the Value field.

 References : FortiSIEM 6.3 User Guide, Search and Filtering section, which discusses the importance of case sensitivity in search queries.

 Syslog Configuration in FortiSIEM : For FortiSIEM to receive syslog messages from network devices, those devices need to be properly configured to send syslog data to FortiSIEM.

 Manual Configuration Requirement : FortiSIEM does not automatically configure network devices to send syslog messages. Instead, this configuration must be performed manually by the network administrator.

 Process Overview : The network administrator must access each device and set up the syslog parameters to direct log data to the FortiSIEM collector's IP address.

 Discovery Process : While FortiSIEM can discover network devices using SNMP, WMI, and other protocols, the configuration of syslog on these devices is beyond its scope and requires manual intervention.

 References : FortiSIEM 6.3 User Guide, Device Configuration and Syslog Integration sections, which explain the requirements and steps for setting up syslog forwarding on network devices.

 Component Roles in FortiSIEM : Different components in FortiSIEM have specific roles and responsibilities, which contribute to the overall performance and functionality of the system.

 Query Worker : The query worker component is specifically designed to handle and optimize search queries within FortiSIEM.

Function : It processes search requests and executes analytic searches efficiently, handling large volumes of data to provide quick results.

Optimization : By improving the efficiency of query execution, the query worker can significantly speed up long, ad hoc analytic searches, addressing performance issues.

 Performance Impact : Utilizing the query worker ensures that searches are handled by a component optimized for such tasks, reducing the load on other components and improving overall system performance.

 References : FortiSIEM 6.3 User Guide, System Components section, which describes the roles of different workers, including the query worker, and their impact on system performance.

 Incident Categories in FortiSIEM : Incidents in FortiSIEM are categorized to help administrators quickly identify and prioritize the type of issue.

 Four Main Categories :

Performance : Incidents related to the performance of devices and applications, such as high CPU usage or memory utilization.

Availability : Incidents affecting the availability of services or devices, such as downtime or connectivity issues.

Security : Incidents related to security events, such as failed login attempts, malware detection, or unauthorized access.

Change : Incidents triggered by changes in the configuration or state of devices, such as new software installations or configuration modifications.

 Importance of Categorization : These categories help in the efficient management and response to different types of incidents, allowing for better resource allocation and quicker resolution.

 References : FortiSIEM 6.3 User Guide, Incident Management section, which details the different categories of incidents and their significance.

 Performance and Availability Monitoring : Various components in FortiSIEM are responsible for monitoring the performance and availability of devices and services.

 Components :

Supervisor : Oversees the entire FortiSIEM infrastructure and coordinates the activities of other components.

Worker : Processes and analyzes the collected data, including performance and availability metrics.

Collector : Gathers performance and availability data from devices in the network.

 Collaborative Functioning : These components work together to ensure comprehensive monitoring of the network's performance and availability.

 References : FortiSIEM 6.3 User Guide, Performance and Availability Monitoring section, which explains the roles of the supervisor, worker, and collector in monitoring tasks.

 Raw Log Data : When devices send logs to FortiSIEM, the data arrives in a raw, unstructured format.

 Data Parsing Process : The process that converts this raw log data into a structured format is known as data parsing.

Data Parsing : This involves extracting relevant fields from the raw log entries and organizing them into a structured format, making the data usable for analysis, reporting, and correlation.

 Significance of Structured Data : Structured data is essential for effective event correlation, alerting, and generating meaningful reports.

 References : FortiSIEM 6.3 User Guide, Data Parsing section, which details how raw log data is transformed into structured data through parsing.

 Device Status in FortiSIEM : FortiSIEM assigns different statuses to devices based on their operational state and performance metrics.

 Packet Loss Impact : The reported packet loss percentage directly influences the status assigned to a device. Packet loss between 50% and 98% indicates significant network issues that affect the device's performance.

 Degraded Status : When packet loss is between 50% and 98%, FortiSIEM assigns a "Degraded" status to the device. This status indicates that the device is experiencing substantial packet loss, which impairs its performance but does not render it completely non-functional.

 Reasoning : The "Degraded" status helps administrators identify devices with serious performance issues that need attention but are not entirely down.

 References : FortiSIEM 6.3 User Guide, Device Availability and Status section, explains the criteria for assigning different statuses based on performance metrics such as packet loss.

 Search Filters in FortiSIEM : When searching for specific events, administrators can use various attributes to filter the results.

 Attribute for Agent Events : To view events received specifically from Linux and Windows agents, the attribute External Event Receive Agents should be used.

Function : This attribute filters events that are received from agents, distinguishing them from events received through other protocols or sources.

 Search Efficiency : Using this attribute helps the administrator focus on events collected by FortiSIEM agents, making the search results more relevant and targeted.

 References : FortiSIEM 6.3 User Guide, Event Search and Filters section, which describes the available attributes and their usage for filtering search results.