Fortinet FortiSIEM 2000F
Unified Event Correlation and Risk Management for Modern Networks

Real-Time Operational Context for Rapid Security Analytics

• Continually updated and accurate device context — configuration, installed software and patches, running services
• System and application performance analytics along with contextual inter-relationship data for rapid triaging of security issues
• User context, in real-time, with audit trails of IP addresses, user identity changes, physical and geo-mapped location
• Detect unauthorized network devices, applications, and configuration changes

Out-of-the-Box Compliance Reports

• Out-of-the-box pre-defined reports supporting a wide range of compliance auditing and management needs including —
  PCI-DSS, HIPAA, SOX, NERC, FISMA, ISO, GLBA, GPG13, SANS Critical Controls, COBIT, ITIL, ISO 27001, NERC, NIST800-53, NIST800-171, NESA
• To meet GDPR requirements, Personally Identifiable Information (PII) can be obscured based on an administrator’s role

UEBA

• FortiSIEM Agent-based UEBA telemetry allows for the collection of high fidelity user-based activity that includes User, Process, Device, Resource, and Behavior. Using an agent-based approach allows for the collection of telemetry when the endpoint is on and off the corporate network, providing a more complete view of user activity. UEBA telemetry allows for the identification of unknown bad activities that can be alerted and acted upon

Performance Monitoring

• Monitor basic system/common metrics
• System level via SNMP, WMI, PowerShell
• Application level via JMX, WMI, PowerShell
• Virtualization monitoring for VMware, Hyper-V — guest, host, resource pool and cluster level
• Storage usage, performance monitoring — EMC, NetApp, Isilon, Nutanix, Nimble, Data Domain
• Specialized application performance monitoring
• Microsoft Active Directory and Exchange via WMI and Powershell
• Databases — Oracle, MS SQL, MySQL via JDBC
• VoIP infrastructure via IPSLA, SNMP, CDR/CMR
• Flow analysis and application performance — Netflow, SFlow, Cisco AVC, NBAR
• Ability to add custom metrics
• Baseline metrics and detect significant deviations

Availability Monitoring

• System up/down monitoring — via Ping, SNMP, WMI, Uptime Analysis, Critical Interface, Critical Process and Service, BGP/OSPF/EIGRP status change, Storage port up/down
• Service availability modeling via Synthetic Transaction Monitoring — Ping, HTTP, HTTPS, DNS, LDAP, SSH, SMTP, IMAP, POP, FTP, JDBC, ICMP, trace route and for generic TCP/UDP ports
• Maintenance calendar for scheduling maintenance windows
• SLA calculation — “normal” business hours and after-hours considerations

Powerful and Scalable Analytics

• Search events in real time— without the need for indexing
• Keyword and event-based searches
• Search historical events — SQL-like queries with Boolean filter conditions, group by relevant aggregations, time-of-day filters, regular expression matches, calculated expressions — GUI & API
• Use discovered CMDB objects, user/identity and location data in searches and rules
• Schedule reports and deliver results via email to key stakeholders
• Search events across the entire organization, or down to a physical or logical reporting domain
• Dynamic watch lists for keeping track of critical violators — with the ability to use watch lists in any reporting rule
• Scale analytics feeds by adding Worker nodes without downtime

Baselining and Statistical Anomaly Detection

• Baseline endpoint/server/user behavior — hour of day and weekday/weekend granularity
• Highly flexible — any set of keys and metrics can be “baselined”
• Built-in and customizable triggers on statistical anomalies

External Technology Integrations

• Integration with any external web site for IP address lookup
• API-based integration for external threat feed intelligence sources
• API-based 2-way integration with help desk systems — seamless, out-of-the box support for ServiceNow, ConnectWise and Remedy
• API-based 2-way integration with external CMDB — out-of-the box support for ServiceNow and ConnectWise
• Kafka support for integration with enhanced Analytics Reporting — i.e. ELK, Tableau and Hadoop
• API for easy integration with provisioning systems
• API for adding organizations, creating credentials, triggering discovery, modifying monitoring events

Real-Time Configuration Change Monitoring

• Collect network configuration files, stored in a versioned repository
• Collect installed software versions, stored in a versioned repository
• Automated detection of changes in network configuration and installed software
• Automated detection of file/folder changes — Windows and Linux — who and what details
• Automated detection of changes from an approved configuration file
• Automated detection of windows registry changes via FortiSIEM windows agent

Device and Application Context

• Network Devices including Switches, Routers, Wireless LAN
• Security devices — Firewalls, Network IPS, Web/Email Gateways, Malware Protection, Vulnerability Scanners
• Servers including Windows, Linux, AIX, HP UX
• Infrastructure Services including DNS, DHCP, DFS, AAA, Domain Controllers, VoIP
• User-facing Applications including Web Servers, App Servers, Mail, Databases
• Storage devices including NetApp, EMC, Isilon, Nutanix, Data Domain
• Cloud Apps including AWS, Box.com, Okta, Salesforce.com
• Cloud infrastructure including AWS
• Environmental devices including UPS, HVAC, Device Hardware
• Virtualization infrastructure including VMware ESX, Microsoft Hyper-V Scalable and Flexible Log Collection

FortiSIEM Advanced Agents

• Fortinet has developed a highly efficient agentless technology for collecting information. However some information, such as file integrity monitoring data, is expensive to collect remotely. FortiSIEM has combined its agentless technology with high performance agents for Windows and Linux to significantly bolster its data collection.

Scalable and Flexible Log Collection

• Collect, Parse, Normalize, Index and Store security logs at very high speeds (beyond 10K events/sec per node)
• Out-of-the-box support for a wide variety of security systems and vendor APIs — both on-premises and cloud
• Windows Agents provide highly scalable and rich event collection including file integrity monitoring, installed software changes and registry change monitoring
• Linux Agents provide file integrity monitoring, syslog monitoring and custom log file monitoring
• Modify parsers from within the GUI and redeploy on a running system without downtime and event loss
• Create new parsers (XML templates) via integrated parser development environment and share among users via export/import function
• Securely and reliably collect events for users and devices located anywhere

Notification and Incident Management

• Policy-based incident notification framework
• Ability to trigger a remediation script when a specified incident occurs
• API-based integration to external ticketing systems — ServiceNow, ConnectWise, and Remedy
• Built-in ticketing system
• Incident reports can be structured to provide the highest priority to critical business services and applications
• Trigger on complex event patterns in real time
• Incident Explorer — dynamically linking incidents to hosts, IPs and user to understand all related incidents quickly

Rich Customizable Dashboards

• Configurable real-time dashboards, with “Slide-Show” scrolling for showcasing KPIs
• Sharable reports and analytics across organizations and users
• Color-coded for rapidly identifying critical issues
• Fast — updated via in-memory computation
• Specialized layered dashboards for business services, virtualized infrastructure, and specialized apps

External Threat Intelligence Integrations

• API’s for integrating external threat feed intelligence — Malware domains, IPs, URLs, hashes, Tor nodes
• Built-in integration for popular threat intelligence sources — ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
• Technology for handling large threat feeds — incremental download and sharing within cluster, real-time pattern matching with network traffic. All STIX & TAXII feeds are supported

Simple and Flexible Administration

• Web-based GUI
• Rich Role-based Access Control for restricting access to GUI and data at various levels
• All inter-module communication protected by HTTPS
• Full audit trail of FortiSIEM user activity
• Easy software upgrade with minimal downtime & event loss
• Rapid updates to Fortinet FortiSIEM knowledge base updates (parsers, rules, reports)
• Policy-based archiving
• Hashing of logs in real time for non-repudiation & integrity verification
• Flexible user authentication — local, external via Microsoft AD and OpenLDAP, Cloud SSO/SAML via Okta
• Ability to log into remote server behind a collector from FortiSIEM GUI via remote SSH tunnel

Easy Scale Out Architecture

• Available as Virtual Machines for on-premises and public/private cloud deployments on the following hypervisors — VMware ESX, Microsoft Hyper-V, KVM, Amazon Web Services AMI, OpenStack, Azure (only Collector)
• Multiple physical appliance models with varying levels of performance to provide a variety of deployment options
• Scale data collection by deploying multiple Collectors
• Collectors can buffer events when connection to FortiSIEM Supervisor is not available
• Scale analytics by deploying multiple Workers
• Built-in load balanced architecture for collecting events from remote sites via collectors
• Log storage can be either the FortiSIEM proprietary NoSQL database, or Elasticsearch which provides the ultimate in scalability
• To meet high availability requirements, the Supervisor can be configured with Active/ Passive instances