If an incident's status is Cleared, what does this mean?
Correct Answer: D
Question 32
What are the four categories of incidents?
Correct Answer: C
* Incident Categories in FortiSIEM: Incidents in FortiSIEM are categorized to help administrators quickly identify and prioritize the type of issue.
* Four Main Categories:
  * Performance: Incidents related to the performance of devices and applications, such as high CPU usage or memory utilization.
  * Availability: Incidents affecting the availability of services or devices, such as downtime or connectivity issues.
  * Security: Incidents related to security events, such as failed login attempts, malware detection, or unauthorized access.
  * Change: Incidents triggered by changes in the configuration or state of devices, such as new software installations or configuration modifications.
* Importance of Categorization: These categories help in the efficient management and response to different types of incidents, allowing for better resource allocation and quicker resolution.
* Reference: FortiSIEM 6.3 User Guide, Incident Management section, which details the different categories of incidents and their significance.
Question 33
What does the Frequency field determine on a rule?
Correct Answer: B
* Rule Evaluation in FortiSIEM: Rules in FortiSIEM are evaluated periodically to check if the defined conditions or subpatterns are met.
* Frequency Field: The Frequency field in a rule determines the interval at which the rule's subpattern will be evaluated.
  * Evaluation Interval: This defines how often the system will check the incoming events against the rule's subpattern to determine if an incident should be triggered.
  * Impact on Performance: Setting an appropriate frequency is crucial to balance between timely detection of incidents and system performance.
* Examples:
  * If the Frequency is set to 5 minutes, the rule will evaluate the subpattern every 5 minutes.
  * This means that every 5 minutes, the system will check if the conditions defined in the subpattern are met by the incoming events.
* References: FortiSIEM 6.3 User Guide, Rules and Incidents section, which explains the Frequency field and how it impacts the evaluation of subpatterns in rules.
Question 34
Refer to the exhibit. A FortiSIEM administrator wants to collect both SIEM event logs and performance and availability metrics (PAM) events from a Microsoft Windows server. Which protocol should the administrator select in the Access Protocol drop-down list so that FortiSIEM will collect both SIEM and PAM events?
Correct Answer: B
* Collecting SIEM and PAM Events: To collect both SIEM event logs and Performance and Availability Monitoring (PAM) events from a Microsoft Windows server, a suitable protocol must be selected.
* WMI Protocol: Windows Management Instrumentation (WMI) is the appropriate protocol for this task.
  * SIEM Event Logs: WMI can collect security, application, and system logs from Windows devices.
  * PAM Events: WMI can also gather performance metrics, such as CPU usage, memory utilization, and disk activity.
* Comprehensive Data Collection: Using WMI ensures that both types of data are collected efficiently from the Windows server.
* Reference: FortiSIEM 6.3 User Guide, Data Collection Methods section, which details the use of WMI for collecting various types of logs and performance metrics.
Question 35
In FortiSIEM enterprise licensing mode, if the link between the collector and the data center FortiSIEM cluster is down, what happens?
Correct Answer: C
* Enterprise Licensing Mode: In FortiSIEM enterprise licensing mode, collectors are deployed in remote sites to gather and forward data to the central FortiSIEM cluster located in the data center.
* Collector Functionality: Collectors are responsible for receiving logs, events (e.g., syslog), and performance metrics from devices.
* Link Down Scenario: When the link between the collector and the FortiSIEM cluster is down, the collector needs a mechanism to ensure no data is lost during the disconnection.
* Event Buffering: The collector buffers the events locally until the connection is restored, ensuring that no incoming events are lost. This buffered data is then forwarded to the FortiSIEM cluster once the link is re-established.
* Reference: FortiSIEM 6.3 User Guide, Data Collection and Buffering section, which explains the behavior of collectors during network disruptions.