Fortinet NSE5_FSM-6.3 Questions Answers

 Event Collection Overview: The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.

 Rule Subpattern Settings: The rule subpattern specifies two conditions:

AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold): This checks if the average CPU utilization exceeds the critical threshold defined for each server.

COUNT(Matched Events) >= 2: This requires at least two matching events within the specified period.

 Server A Analysis:

Events: Three events (CPU=90, CPU=90, CPU=95).

Average CPU Utilization: (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.

Matched Events Count: 3, which meets the condition of being greater than or equal to 2.

Incident Generation: Server A meets both conditions, so it generates one incident.

 Server B Analysis:

Events: Three events (CPU=70, CPU=50, CPU=60).

Average CPU Utilization: (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.

Matched Events Count: 3, but since the average CPU utilization condition is not met, no incident is generated.

 Conclusion: Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.

 References: FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.

 Expression Builder in FortiSIEM: The Expression Builder is used to create expressions for analyzing event data.

 Correct Syntax: The correct syntax for counting matched events isCOUNT(Matched Events).

Function:COUNTis a function that takes a parameter, in this case, "Matched Events," to count the number of occurrences.

 Common Errors: Incorrect syntax, such as reversing the order or using parentheses improperly, can lead to invalid expressions.

 References: FortiSIEM 6.3 User Guide, Expression Builder section, which explains the correct syntax and usage for creating valid expressions for event analysis.

 Linux Agent in FortiSIEM: The FortiSIEM Linux agent is responsible for collecting logs and metrics from Linux devices and forwarding them to the FortiSIEM system.

 Command for Checking Status: The correct command to check the status of the FortiSIEM Linux agent isservice fortisiem-linux-agent status.

Explanation: This command queries the status of the FortiSIEM Linux agent service, showing whether it is running, stopped, or encountering issues.

 Usage: Properly checking the agent status helps ensure that data collection from Linux devices is functioning as expected.

 References: FortiSIEM 6.3 User Guide, Linux Agent Installation and Management section, which includes commands for managing the Linux agent.

 Incident Status Values: Incident statuses in FortiSIEM help administrators track and manage the lifecycle of incidents from detection to resolution.

 Four Possible Status Values:

Active: Indicates that the incident is currently ongoing and needs attention.

Closed: Indicates that the incident has been resolved or addressed.

Cleared: Indicates that the incident has been resolved automatically based on predefined conditions.

Open: Indicates that the incident is acknowledged and under investigation but not yet resolved.

 Usage: These statuses help in prioritizing and tracking incidents effectively, ensuring that all incidents are appropriately managed.

 References: FortiSIEM 6.3 User Guide, Incident Management section, which details the different status values and their meanings.