NSE5-FSM-6-3 Free Sample Questions

Fortinet NSE 5 - FortiSIEM 6.3 Practice Test
10 of 219 questions
Q1

A Managed Security Service Provider (MSSP) is designing a new FortiSIEM deployment for a large enterprise client. The client has three major data centers across different continents and an estimated event rate of 50,000 EPS. The key requirements are centralized management, high availability for the analytics and reporting engine, and local event collection and parsing at each data center to minimize WAN traffic. Which architectural design best meets these requirements?

Q2

A security analyst needs to create a correlation rule to detect a potential brute-force attack followed by a successful login. The logic must identify at least 10 failed login events for the same user from the same source IP within a 5-minute window, which are then immediately followed by a successful login for that same user and source IP. How must the rule be constructed in FortiSIEM to achieve this specific sequence of events?

```mermaid
flowchart TD
    A[Start: Event Received] --> B{Login Failed?};
    B -- Yes --> C[Increment Counter for User/IP];
    B -- No --> D{Login Successful?};
    D -- No --> E[Ignore];
    C --> F{Counter >= 10 in 5min?};
    F -- Yes --> D;
    F -- No --> E;
    D -- Yes --> G{Same User/IP as failed attempts?};
    G -- Yes --> H[Trigger Incident];
    G -- No --> E;
    H --> I[End];
```

Q3

A FortiSIEM administrator is investigating a performance issue where the Supervisor node's CPU utilization is consistently high. After initial investigation, the cause is determined to be an excessive number of low-value syslog events coming from a newly added group of IoT devices. The security team has confirmed these specific events are not needed for analysis. What is the most efficient method within FortiSIEM to reduce the processing load on the Supervisor without losing visibility into other critical events from the same IoT devices?

Q4

True or False: In a multi-tenant FortiSIEM deployment, administrators from one organization can view and manage incidents belonging to another organization if they are granted Super/Global administrator privileges.

Q5 (Multiple answers)

A financial institution is using FortiSIEM to monitor access to its critical database servers. A compliance requirement mandates a monthly report that shows a summary of distinct users who accessed each database server, along with the total number of connections per user. Which components of the FortiSIEM Analytics tab are required to create this specific report? (Select TWO)

Q6

An administrator at a retail company is deploying a new FortiSIEM Collector in a branch store. After deployment, the Collector appears online in the FortiSIEM GUI, but no events from the store's devices are appearing in the central analytics console. The administrator has verified that devices are successfully sending syslog messages to the Collector's IP address. Which of the following is the most likely cause of this issue?

Q7

A security team wants to create an incident that triggers when any user is added to a privileged group in Active Directory, such as 'Domain Admins'. However, they want to prevent an incident from being created if the change was performed by an approved administrator account (e.g., 'svc-ad-admin'). Which rule component should be used to achieve this?

Q8

What is the primary purpose of the 'Define Condition' time field within a FortiSIEM rule?

Q9

A systems administrator is tasked with deploying the FortiSIEM Windows Agent to 500 workstations across the enterprise. Which deployment method offers the most efficient and scalable solution for this task?

Q10 (Multiple answers)

An organization has configured a rule that generates a 'Malware Detected' incident. The security policy requires that when this incident is triggered, the infected endpoint's IP address is automatically added to a blocklist on the network's FortiGate firewall. Which two FortiSIEM components are primarily involved in this automated remediation process? (Select TWO)