TheLookupTableHasfunction is used tocheck whether a specified key exists in a lookup table. It returnseither true or false, depending on whether the key is found in the table.

● If the key is present, the function returnstrue.

● If the key is absent, the function returnsfalse.

The exhibit shows a FortiSIEM cluster deployed in a multi-tenant service provider environment, serving multiple customers. The architecture includes:

1. Customers with Collectors

Customer A and Customer B (AWS) have collectors deployed within their environments.

Collectors gather and forward logs to the FortiSIEM cluster for centralized analysis.

2. Customers Without Collectors

Customer C does not have a collector; instead, it sends logs directly to the FortiSIEM cluster.

3. Super Organization Managing Infrastructure

The service provider infrastructure devices (e.g., networking and security appliances) are managed directly by the FortiSIEM cluster.

This mixed setup, where some customers use collectors while others send logs directly, represents a hybrid deployment with and without collectors.

Group By automatically applies a COUNT aggregation.

When using Group By in FortiSIEM structured queries, it automatically applies a COUNT(*) function unless a different aggregation (such as SUM, AVG, or MAX) is specified. This helps summarize data by counting occurrences of grouped attributes.

Group By is applied to real-time and historical searches.

Grouping functions work in both real-time (live event monitoring) and historical (past event analysis) searches, making it useful for trend analysis, anomaly detection, and correlation.

In FortiSIEM, an agent’s status of "Running Inactive" indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

InFortiSIEM, collectors need to upload event logs to aworker nodefor processing. However, if there isno dedicated worker, thesupervisor can function as the workerto receive data.

● The error message suggests that aworker upload addressmust be defined before adding a collector.

● Since there isno dedicated worker, the administrator canset the Supervisor IP as the upload destinationto enable log collection.

In a multi-tenant FortiSOAR deployment, a Managed Security Service Provider (MSSP) hosts a shared FortiSOAR instance that serves multiple customers. Each customer operates as a separate tenant within the instance, ensuring data isolation and security.

FortiSOAR uses secure network connectivity (VPNs, direct connections, or secure tunnels) between the MSSP’s FortiSOAR manager node and the customer’s devices.

The customer does not need to install additional software or tenant nodes; instead, the MSSP manages multi-tenancy at the platform level.

From the exhibit, the rule exception is set for:

● Time Range: Starts at 00:00:00

● Duration: 2 days

● Recurrence Pattern: December 25th and December 26th

This means that during these two days (every year in December), the rule will not trigger incidents.

Rule exceptions temporarily suppress incident generation during the specified period.

Events are still processed, but no incidents are generated.

InFortiSIEM,SQLite databasesused forbaseliningare stored in the/opt/phoenix/cachedirectory. This location is used fortemporary storage and caching of profile datathat is essential for anomaly detection and trend analysis.

●Baselininginvolves analyzing historical data to determine expected behavior patterns.

●SQLite databasesstore aggregated statistics, which are referenced during rule evaluations.

● Thecache directoryallows quick access to these values without querying the main database repeatedly.

From the exhibit, we can determine the IP range that will be added to the CMDB and mapped to Customer E.

● The included IP range is 10.50.0.1 – 10.50.0.50.

● This means any device within this range (10.50.0.1 to 10.50.0.50) will be added to the CMDB.

10.50.0.1 → Falls within the included range (10.50.0.1 – 10.50.0.50) → Added to CMDB.

10.50.0.149 → Falls within the 10.50.0.1 – 10.50.0.50 range → Added to CMDB.

From the provided XML configuration, we need to focus on the section, which defines the attributes used for grouping.

In theSelectClause, the following attributes are listed:

reptDevName, reptDevAddr, COUNT(*), COUNT(DISTINCT user), COUNT(DISTINCT srcIpAddr)

●reptDevNamerepresents thereporting device.

●reptDevAddrrepresents thereporting IP.

●COUNT(DISTINCT user)tracks unique users.

●COUNT(DISTINCT srcIpAddr)tracks distinct source IPs.

In theGroupByAttrsection:

reptDevName, reptDevAddr

This confirms that the grouping is performed byReporting Device (reptDevName)andReporting IP (reptDevAddr).

Thelicense filelocated at/etc/opsd/.fortisiem4x0is critical for thecollector's operation, as it verifies the collector'sregistration with the supervisorand enables proper functionality.

If thislicense file is removed, the collector:

● Willlose its registrationwith the supervisor.

● Willstop receiving updates and configurationsfrom the FortiSIEM supervisor.

● Will requirere-registrationwith the supervisor to obtain a new license file.

The rule is tracking asudden increase in WMI response timesover a30-minute window. The key detail here is the increase factor.

● The term1.50 times increasemeans the new value is150%of the previous baseline.

● A1.50x increasecorresponds to a150% increase, since the new value isoriginal + 150% of original.

EPS burstingin FortiSIEM allows temporary spikes in events per second (EPS) beyond the licensed limit, but only if there areaccumulated unused EPS credits. This ensures flexibility in handling short-term surges without requiring a permanent license upgrade.

● FortiSIEMaccumulates unused EPS creditswhen actual EPS usage is below the licensed limit.

● When anevent surgeoccurs, FortiSIEM canburst up to 5x the licensed EPS,but only if there are sufficient accumulated credits.

This allowsadaptive scalingwhile preventing abuse of resources beyond allocated licensing.

Therule engineinFortiSIEMloadsbaseline data valuesfrom theprofile database. This database stores historical trends and behavioral baselines for various metrics, such asCPU usage, network activity, and authentication patterns.

●Profile databasemaintainslong-term aggregated statisticsfor anomaly detection.

●Baseline valuesare used to comparecurrent eventsagainst expected behavior.

● This helps indetecting deviations, such as a sudden increase in failed logins or unusual traffic spikes.