Fortinet Updated NSE5_FSM-6.3 Exam Questions and Answers by lea

 Expression Builder in FortiSIEM: The Expression Builder is used to create expressions for analyzing event data.

 Correct Syntax: The correct syntax for counting matched events isCOUNT(Matched Events).

Function:COUNTis a function that takes a parameter, in this case, "Matched Events," to count the number of occurrences.

 Common Errors: Incorrect syntax, such as reversing the order or using parentheses improperly, can lead to invalid expressions.

 References: FortiSIEM 6.3 User Guide, Expression Builder section, which explains the correct syntax and usage for creating valid expressions for event analysis.

 Search Filters in FortiSIEM: When searching for events, the correct use of filters and logical operators is crucial to obtain accurate results.

 Issue Analysis:

Selected Filters: The exhibit shows filters for two different Reporting IP addresses.

Logical Operators: The use of "AND" between the two Reporting IP addresses implies that an event must match both IP addresses simultaneously, which is not possible for a single event.

 Correct Usage: To search for events from either of the two IP addresses, parentheses should be used to group conditions logically.

Corrected Filter:(Reporting IP = 192.168.1.1 OR Reporting IP = 172.16.10.3)would return events from either IP address.

 References: FortiSIEM 6.3 User Guide, Search and Filters section, which explains the use of logical operators and the importance of parentheses in constructing effective search queries.

 Grouping Events: Grouping events by specific attributes allows for the aggregation of similar events.

 Grouping Criteria: For this question, events are grouped by "Reporting IP," "Event Type," and "User."

 Unique Combinations Analysis:

10.10.10.10, Failed Logon, Ryan, 1.1.1.1, Web App

10.10.10.11, Failed Logon, John, 5.5.5.5, DB

10.10.10.10, Failed Logon, Ryan, 1.1.1.1, Web App(duplicate, counted as one unique result)

10.10.10.10, Failed Logon, Paul, 3.3.2.1, Web App

10.10.10.11, Failed Logon, Ryan, 1.1.1.15, DB

10.10.10.11, Failed Logon, Wendy, 1.1.1.6, DB

10.10.10.10, Failed Logon, Ryan, 1.1.1.15, DB

 Result Calculation: There are seven unique combinations based on the specified grouping attributes.

 References: FortiSIEM 6.3 User Guide, Event Management and Reporting sections, explaining how events are grouped and reported based on selected attributes.

 Syslog Reception Verification: To verify whether syslog messages are being received from a network device, a network packet capture tool can be used.

 tcpdump Command:tcpdumpis a powerful command-line packet analyzer tool available in Unix-like operating systems. It allows administrators to capture and analyze network traffic.

Usage: By usingtcpdumpwith the appropriate filters (e.g., port 514 for syslog), administrators can monitor the incoming syslog messages in real-time to verify if they are being received.

Example Command:tcpdump -i port 514captures the syslog messages on the specified network interface.

 References: FortiSIEM 6.3 User Guide, CLI Commands section, which details the usage oftcpdumpfor network traffic analysis and verification of syslog reception.