Fortinet NSE5_FSM-6.3 Exam Practice Test Instant Access

Question 1

What is a prerequisite for FortiSIEM Linux agent installation?

AThe web server must be installed on the Linux server being monitored

BThe auditd service must be installed on the Linux server being monitored

CThe Linux agent manager server must be installed.

DBoth the web server and the audit service must be installed on the Linux server being monitored

Answer : B

FortiSIEM Linux Agent: The FortiSIEM Linux agent is used to collect logs and performance metrics from Linux servers and send them to the FortiSIEM system.

Prerequisite for Installation: The auditd service, which is the Linux Audit Daemon, must be installed and running on the Linux server to capture and log security-related events.

auditd Service: This service collects and logs security events on Linux systems, which are essential for monitoring and analysis by FortiSIEM.

Importance of auditd: Without the auditd service, the FortiSIEM Linux agent will not be able to collect the necessary event data from the Linux server.

Reference: FortiSIEM 6.3 User Guide, Linux Agent Installation section, which lists the prerequisites and steps for installing the FortiSIEM Linux agent.

Question 2

Which database is used for storing anomaly data, that is calculated for different parameters, such as traffic and device resource usage running averages, and standard deviation values?

AProfile DB

BEvent DB

CCMDB

DSVN DB

Answer : A

Anomaly Data Storage: Anomaly data, including running averages and standard deviation values for different parameters such as traffic and device resource usage, is stored in a specific database.

Profile DB: The Profile DB is used to store this type of anomaly data.

Function: It maintains statistical profiles and baselines for monitored parameters, which are used to detect anomalies and deviations from normal behavior.

Significance: Storing anomaly data in the Profile DB allows FortiSIEM to perform advanced analytics and alerting based on deviations from established baselines.

Reference: FortiSIEM 6.3 User Guide, Database Architecture section, which describes the purpose and contents of the Profile DB in storing anomaly and baseline data.

Question 3

Refer to the exhibit.

A FortiSIEM administrator wants to collect both SIEM event logs and performance and availability metrics (PAM) events from a Microsoft Windows server

Which protocol should the administrator select in the Access Protocol drop-down list so that FortiSIEM will collect both SIEM and PAM events?

ATELNET

BWMI

CLDAPS

DLDAP start TLS

Answer : B

Collecting SIEM and PAM Events: To collect both SIEM event logs and Performance and Availability Monitoring (PAM) events from a Microsoft Windows server, a suitable protocol must be selected.

WMI Protocol: Windows Management Instrumentation (WMI) is the appropriate protocol for this task.

SIEM Event Logs: WMI can collect security, application, and system logs from Windows devices.

PAM Events: WMI can also gather performance metrics, such as CPU usage, memory utilization, and disk activity.

Comprehensive Data Collection: Using WMI ensures that both types of data are collected efficiently from the Windows server.

Reference: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting various types of logs and performance metrics.

Question 4

Refer to the exhibit.

What do the yellow stars listed in the Monitor column indicate?

AA yellow star indicates that a metric was applied during discovery, and data has been collected successfully

BA yellow star indicates that a metric was applied during discovery, but data collection has not started

CA yellow star indicates that a metric was applied during discovery, but FortiSIEM is unable to collect data.

DA yellow star indicates that a metric was not applied during discovery and, therefore, FortiSEIM was unable to collect data.

Answer : A

Monitor Column Indicators: In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.

Yellow Star Meaning: A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.

Successful Data Collection: This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.

Reference: FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.

Question 5

Which three ports can be used to send Syslogs to FortiSIEM? (Choose three.)

AUDP9999

BUDP 162

CTCP 514

DUDP 514

ETCP 1470

Answer : C, D, E

Syslog Ports: Syslog messages can be sent over different ports using TCP or UDP protocols.

Common Ports for Syslog:

UDP 514: This is the default port for sending syslog messages over UDP.

TCP 514: This is the default port for sending syslog messages over TCP, providing a more reliable transmission.

TCP 1470: This port is often used for secure or alternative syslog transmission.

Usage in FortiSIEM: FortiSIEM can be configured to receive syslog messages on these ports to ensure the logs are collected from various network devices.

Reference: FortiSIEM 6.3 User Guide, Syslog Integration section, which details the supported ports for syslog transmission.

Question 6

Refer to the exhibit.

What does the pauso icon indicate?

AData collection is paused after the intervals shown for metrics.

BData collection has not started.

CData collection execution failed because the device is not reachable.

DData collection is paused duo to an issue, such as a change of password.

Answer : D

Data Collection Status: FortiSIEM displays various icons to indicate the status of data collection for different devices.

Pause Icon: The pause icon specifically indicates that data collection is paused, but this can happen due to several reasons.

Common Cause for Pausing: One common cause for pausing data collection is an issue such as a change of password, which prevents the system from authenticating and collecting data.

Exhibit Analysis: In the provided exhibit, the presence of the pause icon next to the device suggests that data collection has encountered an issue that has caused it to pause.

Reference: FortiSIEM 6.3 User Guide, Device Management and Data Collection Status Icons section, which explains the different icons and their meanings.

Question 7

Refer to the exhibit.

Which section contains the sortings that determine how many incidents are created?

AActions

BGroup By

CAggregate

DFilters

Answer : C

Incident Creation in FortiSIEM: Incidents in FortiSIEM are created based on specific patterns and conditions defined within the system.

Group By Function: The 'Group By' section in the 'Edit SubPattern' window specifies how the data should be grouped for analysis and incident creation.

Impact of Grouping: The way data is grouped affects the number of incidents generated. Each unique combination of the grouped attributes results in a separate incident.

Exhibit Analysis: In the provided exhibit, the 'Group By' section lists 'Reporting Device,' 'Reporting IP,' and 'User.' This means incidents will be created for each unique combination of these attributes.

Reference: FortiSIEM 6.3 User Guide, Rule and Pattern Creation section, which details how grouping impacts incident generation.

Fortinet NSE5_FSM-6.3 Fortinet NSE 5 - FortiSIEM 6.3 Exam Practice Test