Event Type Population: In FortiSIEM, the Event Type field is populated based on specific identifiers within the raw message or event log.

Raw Message Analysis: The exhibit shows a raw message with various components, including PH_DEV_MON_SYS_DISK_UTIL, PHL_INFO, phPerfJob, and diskUtil.

Primary Event Identifier: The PH_DEV_MON_SYS_DISK_UTIL at the beginning of the raw message is the primary identifier for the event type. It categorizes the type of event, in this case, a system disk utilization monitoring event.

Event Type Field: FortiSIEM uses this primary identifier to populate the Event Type field, providing a clear categorization of the event.

Reference: FortiSIEM 6.3 User Guide, Event Processing and Event Types section, details how event types are identified and populated in the system.

Incident Categories in FortiSIEM: Incidents in FortiSIEM are categorized to help administrators quickly identify and prioritize the type of issue.

Four Main Categories:

Performance: Incidents related to the performance of devices and applications, such as high CPU usage or memory utilization.

Availability: Incidents affecting the availability of services or devices, such as downtime or connectivity issues.

Security: Incidents related to security events, such as failed login attempts, malware detection, or unauthorized access.

Change: Incidents triggered by changes in the configuration or state of devices, such as new software installations or configuration modifications.

Importance of Categorization: These categories help in the efficient management and response to different types of incidents, allowing for better resource allocation and quicker resolution.

Reference: FortiSIEM 6.3 User Guide, Incident Management section, which details the different categories of incidents and their significance.

Device Discovery Information: Information about discovered devices, including their configurations and statuses, is stored in a specific database.

CMDB: The Configuration Management Database (CMDB) is used to store detailed information about the devices discovered by FortiSIEM.

Function: It maintains comprehensive details about device configurations, relationships, and other metadata essential for managing the IT infrastructure.

Significance: Storing discovery information in the CMDB ensures that the FortiSIEM system has a centralized repository of device information, facilitating efficient management and monitoring.

Reference: FortiSIEM 6.3 User Guide, Configuration Management Database (CMDB) section, which details the storage and usage of device discovery information.

Data Collection Status: FortiSIEM displays various icons to indicate the status of data collection for different devices.

Pause Icon: The pause icon specifically indicates that data collection is paused, but this can happen due to several reasons.

Common Cause for Pausing: One common cause for pausing data collection is an issue such as a change of password, which prevents the system from authenticating and collecting data.

Exhibit Analysis: In the provided exhibit, the presence of the pause icon next to the device suggests that data collection has encountered an issue that has caused it to pause.

Reference: FortiSIEM 6.3 User Guide, Device Management and Data Collection Status Icons section, which explains the different icons and their meanings.

Component Roles in FortiSIEM: Different components in FortiSIEM have specific roles and responsibilities, which contribute to the overall performance and functionality of the system.

Query Worker: The query worker component is specifically designed to handle and optimize search queries within FortiSIEM.

Function: It processes search requests and executes analytic searches efficiently, handling large volumes of data to provide quick results.

Optimization: By improving the efficiency of query execution, the query worker can significantly speed up long, ad hoc analytic searches, addressing performance issues.

Performance Impact: Utilizing the query worker ensures that searches are handled by a component optimized for such tasks, reducing the load on other components and improving overall system performance.

Reference: FortiSIEM 6.3 User Guide, System Components section, which describes the roles of different workers, including the query worker, and their impact on system performance.