Discovery Flashcards
(29 cards)
Where is discovery information stored?
in CMDB
When does FortiSIEM gain the ability to discover all physical and virtual infrastructure?
After entering admin credentials as well as a range of IP addresses that exist on the network
What is typically used for network device configuration pulling?
SSH
Which FortiSIEM components are capable of device discovery?
Supervisor or a Dedicated collector
What is mandatory for discovering Linux servers?
SNMP
What is SSH typically used for when discovering Linux servers?
specific memory paging and disk I/O utilization values
Which FortiSIEM components can discover Linux servers?
only the Supervisor or a Dedicated collector performs discovery
What is the process of discovering Windows machines?
What are the three possible ways of sending logs/events from a Windows machine?
- WMI through RPC (TCP 135)
- Third party agents (Snare) via syslog (UDP/514, TCP/1470)
- FortiSIEM Agent (TCP/443)
What needs to be used for flat file log collection to collect log files such as DNS and DHCP?
flat file - logs written to local files (e.g., .log or .txt) like DHCP or DNS
Agent - not a feature of WMI or SNMP
How is the collection done if a device is discovered by the Supervisor?
FortiSIEM will load balance collection amongst the FortiSIEM cluster
How is the collection done if a device is discovered by the Collector?
a one-to-one relationship is formed between the discovered device and Collector - only the discovering collector performs the data collection
What should be the destination for syslog from the network device?
Collector
What are 2 types of discovery?
- Auto Log Discovery
- GUI Discovery
What does FSM do when Auto Log Discovery is used?
waits for devices, such as a firewall or router, to send their syslog messages or SNMP traps
Depending on deployment model, manually configure syslog on network devices to send the logs to …?
- Supervisor
- Worker
- Collector
Describe the steps in the Auto Discovery Process
How can you exclude specific IP ranges from the discovery process?
the Discovery tab provides a device filter to restrict which IP ranges are added from auto discovery, e.g. to avoid scanning critical infrastructure like IPMI/iDRAC ranges, to skip customer/test/lab segments, etc.
How does GUI discovery work and what does it do?
actively collects data from devices in the network and uses user-defined credentials and various protocols for two distinct purposes:
1. discover devices, applications and users in the network and populate CMDB object groups
2. determine what metrics are available for each device and application and automatically apply collection templates
What is the advantage of GUI Discovery over Auto Log Discovery?
fully populates the CMDB and determines what can be monitored on the device from a performance and availability management standpoint
Describe the GUI Discovery Process
Where is GUI Discovery configured?
Admin > Setup > Discovery
What is a pull event?
- a collection template designed to pull security (SIEM-type) events from devices
- for security event log collection, GUI discovery applies log collection templates known as Pull Events
- FortiSIEM can actively connect to devices or systems to fetch logs or events, rather than waiting for the device to push them
When are pull events especially useful?
- Windows systems (via WMI or Agent)
- Databases (via JDBC)
- Cloud platforms (API-based pull)
- Email gateways, ticketing systems, web services, etc.