Data Sheet
FortiSIEM®
Unified Event Correlation and Risk Management for Modern Networks
Uptime is a mandate for today’s digital business and end users do not care if their application problems are performance or security-related. That’s where FortiSIEM comes in.
Unified NOC and SOC Analytics (Patented)
Fortinet has developed an architecture that enables unified data collection and analytics from diverse information sources including logs, performance metrics, SNMP Traps, security alerts, and configuration changes. FortiSIEM essentially takes the analytics

together for a comprehensive view of the security and availability of the business. Every piece of information is converted into an event which is first parsed and then fed into an event-based analytics engine for monitoring real-time searches, rules, dashboards, and ad-hoc queries.
Highlights
Cross Correlation of SOC and NOC Analytics
Real-Time Network Analytics
Security and Compliance out-of-the-box
Single IT Pane of Glass
Cloud Scale Architecture
Self Learning Asset

Multi-tenancy
MSP/MSSP Ready
Available as a virtual or physical appliance
Available in: Appliance, Cloud, Virtual Machine, Hosted
Highlights
Machine Learning / UEBA

requiring the Administrator to write complex rules. FortiSIEM helps identify insider and incoming threats that would pass traditional defenses. High fidelity alerts help prioritize which threats need immediate attention.
User and Device Risk Scoring
FortiSIEM builds risk scores for Users and Devices that can augment UEBA rules and other analysis. Risk scores are calculated by combining several data points regarding the user and device. The User and Device risk scores are displayed in a unified entity risk dashboard.
Distributed Real-Time Event Correlation (Patented)
Distributed event correlation is a difficult problem, as multiple nodes have to share their partial states in real time to trigger a rule. While many SIEM vendors have distributed data collection and distributed search capabilities, Fortinet is the only vendor with a distributed real-time event correlation engine. Complex event patterns can be detected in real time. This patented algorithm enables FortiSIEM to handle a large number of rules in real time at high event rates for accelerated detection timeframes.

Rapid problem resolution requires infrastructure context. Most log analysis and SIEM vendors require administrators to provide the context manually, which quickly becomes stale, and is highly prone to human error. Fortinet has developed an intelligent infrastructure and application discovery engine that is able to discover both physical and virtual infrastructure, on-premises and in public/private clouds, simply using credentials without any prior knowledge of what the devices or applications are.

aware event analytics using CMDB Objects in search conditions.
Dynamic User Identity Mapping


users obtain new addresses via DHCP or VPN.
Fortinet has developed a dynamic user identity mapping methodology. Users and their roles are discovered from on-premises or Cloud SSO repositories. Network identity is identified from important network events. Then geo-identity is added to form a dynamic user identity audit trail. This method makes it possible to create policies or perform investigations based on user identity instead of IP addresses—allowing for rapid problem resolution.
Highlights
Flexible and Fast Custom Log Parsing Framework (Patented)
Effective log parsing requires custom scripts but those can be slow to execute, especially for high volume logs like Active Directory and firewall logs. Compiled code on the other hand, is fast to execute but is not flexible since it needs new software releases. Fortinet has developed an XML-based event parsing language that is functional like high level programming languages and easy to modify yet can be compiled during run-time to be highly efficient.
Business Services Dashboard — Transforms System to Service Views
Traditionally, SIEMs monitor individual components — servers, applications, databases, and so forth — but what most organizations really care about is the services those systems power. FortiSIEM now offers the ability to associate individual components with the end user experience that they deliver together, providing a powerful view into the true availability of the business.
Automated Incident Mitigation
When an Incident is triggered, an automated script can be run to mitigate or eliminate the threat. Built-in scripts support a variety of devices including Fortinet, Cisco, Palo Alto, and Windows/Linux servers. Built-in scripts can execute a wide range of actions including disabling a user’s Active Directory account, disabling a switch port, blocking an IP address on a Firewall, deauthenticating a user on a WLAN Access Point, and more. Scripts leverage the credentials FortiSIEM already has in the CMDB. Administrators can easily extend the actions available by creating their own scripts.
Infusion of Security Intelligence


security TI framework. This grand unification of diverse sources of data enables organizations to rapidly identify root causes of threats, and take the steps necessary to remediate and prevent them in the future. Steps can often be automated with new Threat Mitigation Libraries for many Fortinet products.
Large Enterprise and Managed Service Provider Ready — “Multi-Tenant Architecture”
Fortinet has developed a highly customizable, multi-tenant architecture that enables enterprises and service providers to manage a large number of physical/logical domains and overlapping systems and networks from a single console. In this environment it is very easy to cross-correlate information across physical and logical domains, and individual customer networks. Unique reports, rules, and dashboards can easily be built for each, with the ability to deploy them across a wide set of reporting domains and customers. Event archiving policies can also be deployed on a per domain or customer basis. Granular RBAC controls allow varying levels of access to Administrators and Tenants/Customers. For large MSSPs, Collectors can be configured as multi-tenant to reduce the overall deployment footprint.
Features
Real-Time Operational Context for Rapid Security Analytics
Continually updated and accurate device context — configuration, installed software and patches, running services
System and application performance analytics along with contextual inter-relationship data for rapid triaging of security issues
User context, in real-time, with audit trails of IP addresses, user identity changes, physical and geo-mapped location
Detect unauthorized network devices, applications, and configuration changes
Out-of-the-Box Compliance Reports
Out-of-the-box pre-defined reports supporting a wide range of compliance auditing and management needs including —



on an administrator’s role
UEBA

activity that includes User, Process, Device, Resource, and Behavior. Using an agent-based approach allows for the collection of telemetry when the endpoint is on and off the

for the identification of unknown bad activities that can be alerted and acted upon
Performance Monitoring
Monitor basic system/common metrics
System level via SNMP, WMI, and PowerShell


level
Specialized application performance monitoring
Databases — Oracle, MS SQL, MySQL via JDBC
VoIP infrastructure via IPSLA, SNMP, and CDR/CMR

Ability to add custom metrics
Baseline metrics and detect significant deviations
Availability Monitoring
System up/down monitoring — via Ping, SNMP, WMI, Uptime Analysis, Critical Interface,



ports
Maintenance calendar for scheduling maintenance windows
SLA calculation — normal business hours and after-hours considerations
Powerful and Scalable Analytics
Search events in real time — without the need for indexing
Keyword and event-based searches
Search historical events — SQL-like queries with Boolean filter conditions, group by relevant aggregations, time-of-day filters, regular expression matches, calculated expressions — GUI and API
Use discovered CMDB objects, user/ identity and location data in searches and rules
Schedule reports and deliver results via email to key stakeholders
Search events across the entire organization, or down to a physical or logical reporting domain
Dynamic watch lists for keeping track of critical violators — with the ability to use watch lists in any reporting rule
Scale analytics feeds by adding Worker nodes without downtime
Baselining and Statistical Anomaly Detection
Baseline endpoint/server/user behavior — hour of day and weekday/weekend granularity

Built-in and customizable triggers on statistical anomalies
External Technology Integrations
Integration with any external web site for IP address lookup
API-based integration for external threat feed intelligence sources
API-based two-way integration with help desk systems — seamless, out-of-the-box support for ServiceNow, ConnectWise, and Remedy




API for easy integration with provisioning systems
API for adding organizations, creating credentials, triggering discovery, modifying monitoring events
Real-Time Configuration Change Monitoring
Collect network configuration files, stored in a versioned repository
Collect installed software versions, stored in a versioned repository
Automated detection of changes in network configuration and installed software
Automated detection of file/folder changes — Windows and Linux — who and what details
Automated detection of changes from an approved configuration file

Device and Application Context
Network Devices including Switches, Routers, Wireless LAN

Vulnerability Scanners


User-facing Applications including Web Servers, App Servers, Mail, Databases
Cloud Apps including AWS, Box.com, Okta, Salesforce.com
Cloud infrastructure including AWS


Log Collection
FortiSIEM Advanced Agents



for Windows and Linux to significantly bolster its data collection
FortiSIEM Cloud is available in the following regions:
North America: Canada Central, USA West - Oregon
Europe: Ireland, Sweden - Stockholm
Asia Pacific: India - Mumbai, Singapore
Australia: Sydney
Scalable and Flexible Log Collection
Collect, Parse, Normalize, Index, and Store security logs at very high speeds
Out-of-the-box support for a wide variety of security systems and vendor APIs — both on-premises and cloud
Windows Agents provide highly scalable and rich event collection including file integrity monitoring, installed software changes, and registry change monitoring
Linux Agents provide file integrity monitoring, syslog monitoring, and custom log file monitoring
Modify parsers from within the GUI and redeploy on a running system without downtime and event loss

share among users via export/import function
Securely and reliably collect events for users and devices located anywhere
Automation and Incident Management
Policy-based incident notification framework
Ability to trigger a remediation script when a specified incident occurs
API-based integration to external ticketing systems — ServiceNow, ConnectWise, and Remedy
Built-in Case Management system
Incident reports can be structured to provide the highest priority to critical business services and applications
Trigger on complex event patterns in real time

related incidents quickly
Rich Customizable Dashboards

Sharable reports and analytics across organizations and users
Color-coded for rapidly identifying critical issues

Specialized layered dashboards for business services, virtualized infrastructure, event logging status dashboard, and specialized apps
External Threat Intelligence Integrations
APIs for integrating external threat feed intelligence — Malware domains, IPs, URLs, hashes, Tor nodes

ThreatStream, ThreatConnect
Technology for handling large threat feeds — incremental download and sharing within

Simple and Flexible Administration
Web-based GUI
Rich Role-based Access Control for restricting access to GUI and data at various levels



Policy-based archiving


SAML via Okta, Duo, RADIUS

tunnel
Easy Scale Out Architecture
Available as Virtual Machines for on-premises and public/private cloud deployments on


Multiple physical appliance models with varying levels of performance to provide a variety of deployment options
Scale data collection by deploying multiple Collectors

Scale analytics by deploying multiple Workers
Built-in load balanced architecture for collecting events from remote sites via collectors

which provides the ultimate in scalability
To meet high availability requirements, the Supervisor can be configured with Active/Passive instances
AGENTLESS TECHNOLOGY ADVANCED WINDOWS AGENT ADVANCED LINUX AGENT
Agentless
Discovery
Performance Monitoring

Agents

Collect DNS, DHCP, DFS, IIS Logs
Local Parsing and Time Normalization
Installed Software Detection
Registry Change Monitoring
File Integrity Monitoring
Custom Log File Monitoring
WMI Command Output Monitoring
PowerShell Command Output Monitoring
Central Management and Upgrades of Agent
Osquery Support
Licensing Scheme

FortiSIEM provides subscription and perpetual licenses.
The Devices + EPS license is available on software/virtual and hardware appliance deployments in subscription and perpetual terms. A Device license supports data capture and correlation, alerting and alarming, reports, analytics, search, and includes

generates in a second. Additional EPS can be purchased separately from the Device license.
FortiSIEM GB per day is available as a subscription license on software deployments. FortiSIEM measures the GB per day storage of uncompressed event data. Please check GB per day licensing support for availability in FortiSIEM 7.2.x release notes. FortiSIEM GB per day licensing is supported with the ClickHouse event database only.
FortiSIEM Cloud
FortiSIEM Cloud unifies all licensed components that are available with VA and HW licensing within the FortiSIEM Compute Units




Specifications
FortiSIEM 500G “Collector”
FortiSIEM 2200G “Supervisor or Worker”
FortiSIEM 3600G “Supervisor or Worker”
Hardware Specifications
CPU   
Memory   
Network Interfaces  




Console Port   
USB Ports   
Storage Capacity  





Usable Event Data Storage 



Performance Benchmark 
Performance/ 100 WMI for Logs
 
Recommended Max. UEBA users 10 000 10 000
Dimensions
Height x Width x Length (inches)   
Height x Width x Length (mm)   
Weight   
Form Factor 1 RU 2 RU 
Environment
AC Power Supply   
Power Consumption (Average / Maximum)   
Heat Dissipation   
Operating Temperature   
Storage Temperature   
Humidity  
non-operating, non-condensing

non-operating, non-condensing
Forced Airflow Front to Back Front to Back Front to Back
Operating Altitude  
Compliance
Compliance FCC, ISED, CE, RCM, VCCI, BSMI, UL/cUL, CB
Ordering Information
PRODUCT SKU DESCRIPTION
Device + EPS Licensing
FortiSIEM Hardware Product
FortiSIEM 500G  
FortiSIEM 2200G  

separately.
FortiSIEM 3600G  
be purchased separately.
FortiSIEM Base Product
FortiSIEM All-In-One Perpetual License  Add XX devices and EPS/device All-in-one Perpetual License.
FortiSIEM All-In-One Perpetual License for

 
Does not include Maintenance & Support.
FortiSIEM All-In-One Perpetual License for

 
Does not include Maintenance & Support
FortiSIEM All-In-One Subscription License  Per Device Subscription License that manages minimum XX devices, 10 EPS/device.
FortiSIEM Additional Products
FortiSIEM End-Point Device Perpetual License  Add XX End-Points and 2 EPS/End-Point for All-in-one Perpetual License.
FortiSIEM End-Point Device Subscription License  Per End-Point Subscription License for minimum XX End-Points, 2 EPS/End-Point.
Add 1 EPS Perpetual License  Add 1 EPS Perpetual.
Add 1 EPS Subscription License  Add 1 EPS Subscription.
FortiSIEM Advanced Agent (Windows & Linux) Perpetual License  XX Advanced Agents for Perpetual License.
FortiSIEM Advanced Agent (Windows & Linux) Subscription License  Per Agent Subscription License for minimum XX Advanced Agents.
IOC Service Subscription License  

  Advanced Agents - UEBA Telemetry Perpetual Licenses. Does not include Maintenance & Support.
 


Does not include Maintenance & Support.
FortiSIEM Manager  Subscription license for FortiSIEM Manager providing centralised incident, management and status


FortiSIEM High Availability Super  FortiSIEM High Availability Supervisor Cluster Subscription.
FortiSIEM Support
FortiCare Support for FortiSIEM  

FortiCare Support for Hardware Appliance  FortiCare Premium Support - Hardware Appliance only - product support required separately.
FortiSIEM GB Per Day Licensing
FortiSIEM GB Subscription License  
day. Includes HA Super, FortiCare Premium support.
FortiSIEM GB UEBA Subscription License  
FortiSIEM GB Advanced Agent Subscription License


Service
 
FortiSIEM Cloud
FortiSIEM Compute Units  
FortiCare Support.
FortiSIEM Cloud Online Storage  
order. Annual Subscription.
FortiSIEM Cloud Archive Storage  
Copyright © 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s SVP Legal and above, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
www.fortinet.com


Fortinet Corporate Social Responsibility Policy


products and services to engage in, or support in any way, violations or abuses of human rights, including those involving illegal censorship,
 and report any
.