Fortinet Exam NSE5_FSM-6.3 Topic 9 Question 18 Discussion

Advanced Analytical Rules Engine: FortiSIEM's rules engine allows for complex event correlation using multiple subpatterns.

Operations for Referencing Subpatterns:

FOLLOWED_BY: This operation is used to indicate that one event follows another within a specified time window.

OR: This logical operation allows for the inclusion of multiple subpatterns, where the rule triggers if any of the subpatterns match.

AND: This logical operation requires all referenced subpatterns to match for the rule to trigger.

Usage: These operations allow for detailed and precise event correlation, helping to detect complex patterns and incidents.

Reference: FortiSIEM 6.3 User Guide, Advanced Analytics Rules Engine section, which explains the use of different operations to reference subpatterns in rules.