Rule Subpattern Definition: In FortiSIEM, a subpattern within a rule is used to define specific conditions and criteria that must be met for the rule to trigger an incident or alert.

Components of a Subpattern: The subpattern includes the following elements:

Filters: Criteria to filter the events that the rule will evaluate.

Aggregation: Conditions that define how events should be aggregated or grouped for analysis.

Time Window Definitions: Specifies the time frame over which the events will be evaluated to determine if the rule conditions are met.

Explanation: Together, these components allow the system to efficiently and accurately detect patterns of interest within the event data.

Reference: FortiSIEM 6.3 User Guide, Rules and Patterns section, which explains the structure and configuration of rule subpatterns, including the use of filters, aggregation, and time window definitions.

Advanced Analytical Rules Engine: FortiSIEM's rules engine allows for complex event correlation using multiple subpatterns.

Operations for Referencing Subpatterns:

FOLLOWED_BY: This operation is used to indicate that one event follows another within a specified time window.

OR: This logical operation allows for the inclusion of multiple subpatterns, where the rule triggers if any of the subpatterns match.

AND: This logical operation requires all referenced subpatterns to match for the rule to trigger.

Usage: These operations allow for detailed and precise event correlation, helping to detect complex patterns and incidents.

Reference: FortiSIEM 6.3 User Guide, Advanced Analytics Rules Engine section, which explains the use of different operations to reference subpatterns in rules.

Component Roles in FortiSIEM: Different components in FortiSIEM have specific roles and responsibilities, which contribute to the overall performance and functionality of the system.

Query Worker: The query worker component is specifically designed to handle and optimize search queries within FortiSIEM.

Function: It processes search requests and executes analytic searches efficiently, handling large volumes of data to provide quick results.

Optimization: By improving the efficiency of query execution, the query worker can significantly speed up long, ad hoc analytic searches, addressing performance issues.

Performance Impact: Utilizing the query worker ensures that searches are handled by a component optimized for such tasks, reducing the load on other components and improving overall system performance.

Reference: FortiSIEM 6.3 User Guide, System Components section, which describes the roles of different workers, including the query worker, and their impact on system performance.

Disaster Recovery Mode: FortiSIEM's disaster recovery (DR) mode ensures that there is a backup system ready to take over in case the primary system fails.

Manual Tasks for DR Operation: In the event of a disaster, certain tasks must be performed manually to ensure a smooth transition to the secondary system.

Promoting the Secondary Supervisor:

Use the command phSecondary2primary to promote the secondary supervisor to the primary role. This command reconfigures the secondary supervisor to take over as the primary supervisor, ensuring continuity in management and coordination.

Changing DNS Configuration:

Update the DNS configuration to direct all users, devices, and collectors to the secondary FortiSIEM instance. This ensures that all components in the environment can communicate with the newly promoted primary supervisor without manual reconfiguration of individual devices.

Reference: FortiSIEM 6.3 Administration Guide, Disaster Recovery section, provides detailed steps on promoting the secondary supervisor and updating DNS configurations during a disaster recovery operation.

Device Discovery Information: Information about discovered devices, including their configurations and statuses, is stored in a specific database.

CMDB: The Configuration Management Database (CMDB) is used to store detailed information about the devices discovered by FortiSIEM.

Function: It maintains comprehensive details about device configurations, relationships, and other metadata essential for managing the IT infrastructure.

Significance: Storing discovery information in the CMDB ensures that the FortiSIEM system has a centralized repository of device information, facilitating efficient management and monitoring.

Reference: FortiSIEM 6.3 User Guide, Configuration Management Database (CMDB) section, which details the storage and usage of device discovery information.