Hello Everyone,
hope all is well!
I am here as I am a little confused with the different types of the FSM database.
I totally understand that there are different types of database, such as:
1- Event Database :- Stores Security Events which come from the data sources.
2- CMDB
3- SVN
4- Profile
I hope I can have more clarification about the three DBs (CMDB-SVN-Profile).
#FortiSIEM
Hello Ali,
Your questions are covered in the NSE training for FortiSIEM (FCP):
Event Database: Stores the events in an organized way, including the raw logs.
CMDB (Configuration Management Database): Stores the configuration of your SIEM: The things that are listed in the tab "CMDB" as well as all custom rules, resources, configurations, credentials, parsers and all the settings you made
SVN (Subversion Database): Stores current and historical device CLI-based configs (e.g. firewalls, routers, switches) and installed software on servers
Profile: Stores baseline datasets (mostly "buckets") which are then used for anomaly detection
They are distinct databases because they need different types and speeds for accessing them. Also, if you only have a CMDB backup, for example, you can restore your SIEM to a running state without having to backup terabytes of data.
Best,
Christian
Just to add to Secusaurus, the event database that we generally recommend will be ClickHouse.
Thanks for the detailed answer, it's really appreciated!
I want to summarize that
CMDB -> Stores the FortiSIEM configuration itself, which can help restore the appliance to the last state.
SVN -> Stores the configuration of the discovered devices (FW - Router - ...) to check configuration changes on the log sources.
Profile -> Helps to identify the anomalies.
Thanks in advance!
Copyright 2024 Fortinet, Inc. All Rights Reserved.