Fortinet NSE5_FSM-6.3 Exam Practice Test Instant Access

Question 1

If a performance rule is triggered repeatedly due to high CPU use, what occurs in the incident table?

AA now incident is created each time the rule is triggered. and the First Seen and Last Seen times are updated.

BA new incident is created based on the Rule Frequency value, and the First Seen and Last Seen times ate updated.

CThe Incident Count value increases, and the First Seen and Last Seen times update.

DThe incident status changes to Repeated, and the First Seen and Last Seen times are updated.

Answer : C

Incident Management in FortiSIEM: FortiSIEM tracks incidents and their occurrences to help administrators manage and respond to recurring issues.

Performance Rule Triggering: When a performance rule, such as one for high CPU usage, is repeatedly triggered, FortiSIEM updates the corresponding incident rather than creating a new one each time.

Incident Table Updates:

Incident Count: The Incident Count value increases each time the rule is triggered, indicating how many times the incident has occurred.

First Seen and Last Seen Times: These timestamps are updated to reflect the first occurrence and the most recent occurrence of the incident.

Reference: FortiSIEM 6.3 User Guide, Incident Management section, explains how FortiSIEM handles recurring incidents and updates the incident table accordingly.

Question 2

What action must you take to produce a report that indicates which OS version the Windows servers in your environment are running on?

AUse the Inventory tab to run a query

BRun a CMDB report

CRun an analytic search

DRun a baseline report

Answer : B

Question 3

Refer to the exhibits.

Three events are collected over a 10-minute time period from two servers: Server A and Server B.

Based on the settings tor the rule subpattern. how many incidents will the servers generate?

AServer A will generate one incident and Server B will generate one incident.

BServer A will generate one incident and Server B will not generate any incidents.

CServer B will generate one incident and Server A will not generate any incidents.

DServer A will not generate any incidents and Server B will not generate any incidents.

Answer : D

Event Collection Overview: The exhibits show three events collected over a 10-minute period from two servers, Server A and Server B.

Rule Subpattern Settings: The rule subpattern specifies two conditions:

AVG(CPU Util) > DeviceToCMDBAttr(Host IP : Server CPU Util Critical Threshold): This checks if the average CPU utilization exceeds the critical threshold defined for each server.

COUNT(Matched Events) >= 2: This requires at least two matching events within the specified period.

Server A Analysis:

Events: Three events (CPU=90, CPU=90, CPU=95).

Average CPU Utilization: (90+90+95)/3 = 91.67, which exceeds the critical threshold of 90.

Matched Events Count: 3, which meets the condition of being greater than or equal to 2.

Incident Generation: Server A meets both conditions, so it generates one incident.

Server B Analysis:

Events: Three events (CPU=70, CPU=50, CPU=60).

Average CPU Utilization: (70+50+60)/3 = 60, which does not exceed the critical threshold of 90.

Matched Events Count: 3, but since the average CPU utilization condition is not met, no incident is generated.

Conclusion: Based on the rule subpattern, Server A will generate one incident, and Server B will not generate any incidents.

Reference: FortiSIEM 6.3 User Guide, Event Correlation Rules and Incident Management sections, which explain how incidents are generated based on rule subpatterns and event conditions.

Question 4

Refer to the exhibit.

What does the pauso icon indicate?

AData collection is paused after the intervals shown for metrics.

BData collection has not started.

CData collection execution failed because the device is not reachable.

DData collection is paused duo to an issue, such as a change of password.

Answer : D

Data Collection Status: FortiSIEM displays various icons to indicate the status of data collection for different devices.

Pause Icon: The pause icon specifically indicates that data collection is paused, but this can happen due to several reasons.

Common Cause for Pausing: One common cause for pausing data collection is an issue such as a change of password, which prevents the system from authenticating and collecting data.

Exhibit Analysis: In the provided exhibit, the presence of the pause icon next to the device suggests that data collection has encountered an issue that has caused it to pause.

Reference: FortiSIEM 6.3 User Guide, Device Management and Data Collection Status Icons section, which explains the different icons and their meanings.

Question 5

If FortiSIEM supervisor is deployed with the worker using the proprietary flat file database, which action is required?

AAn event database must be placed on NFS

BCollectors must be deployed

CA FortiSIEM service provider license must be obtained

DA separate network interface must be used for the storage network

Answer : A

Question 6

Refer to the exhibit.

What do the yellow stars listed in the Monitor column indicate?

AA yellow star indicates that a metric was applied during discovery, and data has been collected successfully

BA yellow star indicates that a metric was applied during discovery, but data collection has not started

CA yellow star indicates that a metric was applied during discovery, but FortiSIEM is unable to collect data.

DA yellow star indicates that a metric was not applied during discovery and, therefore, FortiSEIM was unable to collect data.

Answer : B

Monitor Column Indicators: In FortiSIEM, the Monitor column displays the status of various metrics applied during the discovery process.

Yellow Star Meaning: A yellow star next to a metric indicates that the metric was successfully applied during discovery and data has been collected for that metric.

Successful Data Collection: This visual indicator helps administrators quickly identify which metrics are active and have data available for analysis.

Reference: FortiSIEM 6.3 User Guide, Device Monitoring section, which explains the significance of different icons and indicators in the Monitor column.

Question 7

What does the Frequency field determine on a rule?

AHow often the rule will evaluate the subpattern.

BHow often the rule will trigger for the same condition.

CHow often the rule will trigger.

DHow often the rule will take a clear action.

Answer : C

Rule Evaluation in FortiSIEM: Rules in FortiSIEM are evaluated periodically to check if the defined conditions or subpatterns are met.

Frequency Field: The Frequency field in a rule determines the interval at which the rule's subpattern will be evaluated.

Evaluation Interval: This defines how often the system will check the incoming events against the rule's subpattern to determine if an incident should be triggered.

Impact on Performance: Setting an appropriate frequency is crucial to balance between timely detection of incidents and system performance.

Examples:

If the Frequency is set to 5 minutes, the rule will evaluate the subpattern every 5 minutes.

This means that every 5 minutes, the system will check if the conditions defined in the subpattern are met by the incoming events.

Reference: FortiSIEM 6.3 User Guide, Rules and Incidents section, which explains the Frequency field and how it impacts the evaluation of subpatterns in rules.

Fortinet NSE 5 - FortiSIEM 6.3 NSE5_FSM-6.3 Exam Practice Test