FortiSIEM Rules Engine
20 Questions

Questions and Answers

Which of the following is NOT a component of a rule condition?

  • Sub-patterns
  • Aggregation
  • Time window (correct)
  • Group by

What does the aggregation condition specify?

  • How to summarize the matching data (correct)
  • The time period over which the condition should be evaluated
  • Which event attributes are evaluated as part of the same incident
  • The event the rule should evaluate

What does the group by condition allow the rules engine to identify?

  • The number of times a specific event occurred
  • The event the rule should evaluate
  • Which event attributes are evaluated as part of the same incident (correct)
  • The time period over which the condition should be evaluated

What is the purpose of the time window in a rule condition?

Answer: To specify the time period over which the condition should be evaluated (C)

What is a sub-pattern in a rule condition?

Answer: A search condition (B)

Which component of a rule condition counts the number of times a specific event occurred?

Answer: Aggregation (A)

What is the role of the filter in a rule condition?

Answer: To specify what event the rule should evaluate (B)

What does the aggregation condition do with the matching data?

Answer: All of the above (D)

What is the purpose of the group by condition in a rule condition?

Answer: To identify which event attributes are evaluated as part of the same incident (A)

What is the purpose of the time window in a rule condition?

Answer: To specify the time period over which the condition should be evaluated (D)

Which of the following questions should you consider when building rules in FortiSIEM?

Answer: All of the above (D)

What is the purpose of the advanced analytical rules engine in FortiSIEM?

Answer: To trigger incidents on the dashboard (D)

When building rules in FortiSIEM, what does it mean to compute an expression?

Answer: To check if the average of a certain attribute is over a specified threshold (C)

In FortiSIEM, what does it mean if a rule needs multiple events to be received before it triggers?

Answer: The rule will trigger only if multiple events are received (D)

What is one possible aggregation that can be performed on the results when building rules in FortiSIEM?

Answer: Count of the number of events that match the criteria (A)

When building rules in FortiSIEM, what time period should you allow for events to occur in?

Answer: It depends on the specific rule (A)

In FortiSIEM, when will the events being received be part of a totally new incident?

Answer: It depends on the specific rule (D)

What is the purpose of the three-step wizard when building rules in FortiSIEM?

Answer: To guide users in building rules (C)

What is an example of a condition that can be used to trigger a rule in FortiSIEM?

Answer: All of the above (D)

What is the main function of FortiSIEM's advanced analytical rules engine?

Answer: To watch events and trigger incidents on the dashboard (B)

Study Notes

Rule Conditions

  • Rule conditions consist of several components, including aggregation, filter, group by, and time window.
  • The aggregation condition specifies how to summarize the matching data (for example, as a count, sum, or average).
  • The group by condition lets the rules engine identify which event attributes are evaluated as part of the same incident.
  • The time window specifies the time period over which the condition is evaluated, that is, the period within which the matching events must occur.

Components of a Rule Condition

  • A sub-pattern is a search condition within a rule condition; a rule may combine several sub-patterns.
  • The aggregation component counts the number of times a specific event occurred (or otherwise summarizes the matching events).
  • The filter component specifies which events the rule should evaluate, narrowing the search to the events or patterns of interest.

Building Rules in FortiSIEM

  • When building rules, consider the following questions: What is the scenario you want to detect? What events are required to trigger the rule? What is the time period for the events to occur?
  • The purpose of the advanced analytical rules engine is to detect complex scenarios and correlate events across multiple devices.
  • Computing an expression means evaluating a mathematical operation or logical test on the event data.
  • If a rule needs multiple events to be received before it triggers, it means the rule requires multiple events to occur within a specified time period.
  • Aggregation operations can be performed on the results, such as sum, average, or count.
  • Events should be allowed to occur within a specified time period, such as 1 hour or 1 day.
  • Events will be part of a totally new incident if they do not match any existing incident.

Rule Triggering and Wizard

  • The three-step wizard is used to build rules in FortiSIEM.
  • An example of a condition that can be used to trigger a rule is "if 10 login failure events occur within 1 hour".
  • The main function of FortiSIEM's advanced analytical rules engine is to detect complex scenarios and correlate events across multiple devices.

Description

Test your knowledge of FortiSIEM's rules engine and learn how to effectively build rules for event monitoring and incident triggering. Explore important considerations such as event requirements and time periods for rule activation.
