 Grouping Attributes in Reports: When creating reports in FortiSIEM, certain attributes can be

grouped to summarize and organize the data.

 Unique Attributes: Attributes that are unique for each event cannot be grouped because they do

not provide a meaningful aggregation or summary.

 Red Highlighting Explanation: The red highlighting in the exhibit indicates attributes that cannot be

grouped together due to their unique nature. These unique attributes include Event Receive Time,

Reporting IP, Event Type, Raw Event Log, and COUNT(Matched Events).

 Attribute Characteristics:

Event Receive Time is unique for each event.

Reporting IP and Event Type can vary greatly, making grouping them impractical in this context.

Raw Event Log represents the unprocessed log data, which is also unique.

COUNT(Matched Events) is a calculated field, not suitable for grouping.

 Reference: FortiSIEM 6.3 User Guide, Reporting section, explains the constraints on grouping

attributes in reports.

 Rule Evaluation in FortiSIEM: Rules in FortiSIEM are evaluated periodically to check if the defined

conditions or subpatterns are met.

 Frequency Field: The Frequency field in a rule determines the interval at which the rule's subpattern

will be evaluated.

Evaluation Interval: This defines how often the system will check the incoming events against the

rule's subpattern to determine if an incident should be triggered.

Impact on Performance: Setting an appropriate frequency is crucial to balance between timely

detection of incidents and system performance.

 Examples:

If the Frequency is set to 5 minutes, the rule will evaluate the subpattern every 5 minutes.

This means that every 5 minutes, the system will check if the conditions defined in the subpattern

are met by the incoming events.

 Reference: FortiSIEM 6.3 User Guide, Rules and Incidents section, which explains the Frequency

field and how it impacts the evaluation of subpatterns in rules.

 Rules Engine in FortiSIEM: The rules engine evaluates incoming events based on defined conditions

to detect incidents and anomalies.

 Aggregation Condition: The aggregation condition instructs FortiSIEM to summarize and count the

matching evaluated data.

Function: Aggregation is used to group events based on specified criteria and then perform

operations such as counting the number of occurrences within a defined time window.

 Purpose: This allows for the detection of patterns and anomalies, such as a high number of failed

login attempts within a short period.

 Reference: FortiSIEM 6.3 User Guide, Rules Engine section, which explains how aggregation is used

to summarize and count matching data.

 Advanced Analytical Rules Engine: FortiSIEM's rules engine allows for complex event correlation

using multiple subpatterns.

 Operations for Referencing Subpatterns:

FOLLOWED_BY: This operation is used to indicate that one event follows another within a specified

time window.

OR: This logical operation allows for the inclusion of multiple subpatterns, where the rule triggers if

any of the subpatterns match.

AND: This logical operation requires all referenced subpatterns to match for the rule to trigger.

 Usage: These operations allow for detailed and precise event correlation, helping to detect complex

patterns and incidents.

 Reference: FortiSIEM 6.3 User Guide, Advanced Analytics Rules Engine section, which explains the

use of different operations to reference subpatterns in rules.

:

:

 Feature Overview: FortiSIEM provides several tools for querying and reporting on device

information within an environment.

 Inventory Tab: The Inventory tab is specifically designed to display detailed information about

devices, including their firmware versions.

 Query Functionality: Within the Inventory tab, you can run queries to filter and display devices

based on specific attributes, such as the firmware version for FortiGate devices.

 Report Generation: By running a query in the Inventory tab, you can produce a report that lists the

FortiGate devices and their corresponding firmware versions.

 Reference: FortiSIEM 6.3 User Guide, Inventory Management section, explains how to use the

Inventory tab to query and report on device attributes.

 Component Roles in FortiSIEM: Different components in FortiSIEM have specific roles and

responsibilities, which contribute to the overall performance and functionality of the system.

 Query Worker: The query worker component is specifically designed to handle and optimize search

queries within FortiSIEM.

Function: It processes search requests and executes analytic searches efficiently, handling large

volumes of data to provide quick results.

Optimization: By improving the efficiency of query execution, the query worker can significantly

speed up long, ad hoc analytic searches, addressing performance issues.

 Performance Impact: Utilizing the query worker ensures that searches are handled by a component

optimized for such tasks, reducing the load on other components and improving overall system

performance.

 Reference: FortiSIEM 6.3 User Guide, System Components section, which describes the roles of

different workers, including the query worker, and their impact on system performance.

 Anomaly Baseline Data: Anomaly baseline data refers to the statistical profiles and baselines

calculated for various parameters to detect deviations indicative of potential security incidents.

 Profile DB: The Profile DB is specifically designed to store such baseline data in FortiSIEM.

Purpose: It maintains statistical profiles for different monitored parameters to facilitate anomaly

detection.

Usage: This data is used by FortiSIEM to compare real-time metrics against the established baselines

to identify anomalies.

 Reference: FortiSIEM 6.3 User Guide, Database Architecture section, which describes the different

databases used in FortiSIEM and their purposes, including the Profile DB for storing anomaly baseline

data.

 Incident Status Values: Incident statuses in FortiSIEM help administrators track and manage the

lifecycle of incidents from detection to resolution.

 Four Possible Status Values:

Active: Indicates that the incident is currently ongoing and needs attention.

Closed: Indicates that the incident has been resolved or addressed.

Cleared: Indicates that the incident has been resolved automatically based on predefined conditions.

Open: Indicates that the incident is acknowledged and under investigation but not yet resolved.

 Usage: These statuses help in prioritizing and tracking incidents effectively, ensuring that all

incidents are appropriately managed.

 Reference: FortiSIEM 6.3 User Guide, Incident Management section, which details the different

status values and their meanings.