NSE 5 - FortiSIEM 5.2

Here you have the best Fortinet NSE5_FSM-5.2 practice exam questions

You have 31 total questions to study from
Each page has 5 questions, making a total of 7 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on May 11, 2025
This site is not affiliated with or endorsed by Fortinet.

Question 1 of 31

Refer to the exhibit.

A FortiSIEM administrator wants to group some attributes for a report, but is not able to do so successfully.

As shown in the exhibit, why are some of the fields highlighted in red?

The Event Receive Time attribute is not available for logs.

The attribute COUNT (Matched event) is an invalid expression.

Unique attributes cannot be grouped.

No RAW Event Log attribute is available for devices.

Correct Answer: B

The fields highlighted in red indicate that there is an issue with those specific attributes. In this context, the attribute 'COUNT (Matched Events)' is an invalid expression, which is why it is highlighted. COUNT can be used in expressions or operations, but it must be correctly formatted and applicable within the report configuration. Other options do not explain the red highlighting correctly.

Question 2 of 31

In the rules engine, which condition instructs FortiSIEM to summarize and count the matching evaluated data?

Time Window

Aggregation

Group By

Filters

Correct Answer: B

In the rules engine, the condition that instructs FortiSIEM to summarize and count the matching evaluated data is 'Aggregation'. Aggregation combines multiple data records into a single summary record, which involves counting and summarizing the data based on specific criteria.

Question 3 of 31

Refer to the exhibit.

How was the FortiGate device discovered by FortiSIEM?

Through GUI log discovery

Through syslog discovery

Using the pull events method

Through auto log discovery

Correct Answer: D

The FortiGate device was discovered by FortiSIEM through auto log discovery. This conclusion is drawn from the 'Method: LOG' indication in the exhibit. The absence of a version number implies that the discovery method did not use SNMP credentials, which aligns with auto log discovery rather than GUI log discovery or other methods.

Question 4 of 31

Refer to the exhibit.

If events are grouped by Reporting IP, Event Type, and user attributes in FortiSIEM, how many results will be displayed?

Seven results will be displayed.

Three results will be displayed.

Unique attribute cannot be grouped.

Five results will be displayed.

Correct Answer: D

When grouped by Reporting IP, Event Type, and user attributes, the results indicated in the exhibit would be combined based on these values. Here are the distinct groups: (10.10.10.10, Failed Logon, Ryan), (10.10.10.11, Failed Logon, John), (10.10.10.10, Failed Logon, Paul), (10.10.10.11, Failed Logon, Wendy), and (10.10.10.10, Failed Logon, Ryan with a different Source IP). These combine to five distinct results.

Question 5 of 31

Which two FortiSIEM components work together to provide real-time event correlation?

Collector and Windows agent

Supervisor and worker

Worker and collector

Supervisor and collector

Correct Answer: B

The Supervisor and worker components work together to provide real-time event correlation in FortiSIEM. The Supervisor is responsible for the overall management, correlation, and analysis of data, while the worker nodes perform distributed data processing and initial correlation tasks. This distributed architecture allows for efficient handling of large volumes of events in real-time.