SIEM Parsing Engine

Questions and Answers

Which of the following does the parser use to identify the event types in the messages?

Windows event logs

Unique identifying numbers (correct)

Security metrics

Unique key words

What does PAM stand for in FortiSIEM?

Performance and Availability Management (correct)

Performance and Availability Metrics

Performance and Access Monitoring

Performance and Application Monitoring

What does FortiSIEM collect at a set polling interval for PAM?

Infrastructure resource utilization

Performance metrics (correct)

Security metrics

Application health

What does FortiSIEM use to detect anomalous activity?

Baseline metrics

What does FortiSIEM provide an integrated view into?

Network and application behavior

What does FortiSIEM convert the PAM metrics into?

Logs

What does the parser look for in each message to assign an event identifier?

Unique key words

What does FortiSIEM monitor in addition to security metrics?

Performance and availability metrics

What does FortiSIEM build a baseline of?

Network and application behaviors

What does FortiSIEM provide a view into?

Performance and availability

Which of the following is one of the main functions of the parsing engine?

To extract important information from the log file

What attributes are added by the parsing engine to the final event?

Timestamp indicating when the event was received, and the event type

Why is the final event enriched with additional data?

To make searching, filtering, and reporting more granular

What does the parsing engine do with the raw message?

Extracts everything it can from it

What is one example of an attribute added by the parsing engine to the final event?

Destination country

What does the parsing engine examine in each element of the log file?

Important or useful information

What can be said about the final event compared to the raw message?

The final event contains far more data

What does the parsing engine do with each event received or collected?

Creates a normalized, structured data event

What is an example of an attribute in the final event that comes from the raw message itself?

Direction of the traffic

What does the parsing engine look for in each raw message?

Something unique to identify the event type

Study Notes

Identifying Event Types

• The parser identifies event types in messages based on specific criteria.

PAM in FortiSIEM

• PAM stands for Privileged Access Management in FortiSIEM.
• FortiSIEM collects PAM metrics at a set polling interval.

Anomaly Detection and Visualization

• FortiSIEM detects anomalous activity using machine learning (ML) and statistical models.
• FortiSIEM provides an integrated view into security and performance metrics.

Parsing Engine Functions

• The parsing engine examines each element of the log file to extract relevant information.
• The parsing engine assigns an event identifier to each message based on specific criteria.
• One of the main functions of the parsing engine is to parse raw messages into final events.
• The parsing engine adds attributes to the final event, such as event type and timestamp.

Enriching the Final Event

• The final event is enriched with additional data from the parsing engine.
• The parsing engine extracts attributes from the raw message, such as IP addresses and usernames.
• The final event contains more information than the raw message.

Parsing Engine Operations

• The parsing engine processes each event received or collected, adding attributes to the final event.
• The parsing engine converts PAM metrics into a usable format.
• The parsing engine looks for specific patterns or keywords in each raw message to extract relevant information.

Description

Test your knowledge on event attributes produced by the parsing engine in SIEM. Learn about the main functions of the parsing engine and how it separates log files into essential elements. Explore the process of identifying important information from events.