Fortinet FortiSIEM 3500F
Unified Event Correlation and Risk Management for Modern Networks

Real-Time Operational Context for Rapid Security Analytics

• Continually updated and accurate device context — configuration, installed software and patches, running services
• System and application performance analytics along with contextual inter-relationship data for rapid triaging of security issues
• User context, in real-time, with audit trails of IP addresses, user identity changes, physical and geo-mapped location
• Detect unauthorized network devices, applications, and configuration changes

Out-of-the-Box Compliance Reports

• Out-of-the-box pre-defined reports supporting a wide range of compliance auditing and management needs including — PCI-DSS, HIPAA, SOX, NERC, FISMA, ISO, GLBA, GPG13, SANS Critical Controls

Performance Monitoring

• Monitor basic system/common metrics
• System level via SNMP, WMI, PowerShell
• Application level via JMX, WMI, PowerShell
• Virtualization monitoring for VMware, Hyper-V — guest, host, resource pool and cluster level
• Storage usage, performance monitoring — EMC, NetApp, Isilon, Nutanix, Nimble, Data Domain
• Specialized application performance monitoring
• Microsoft Active Directory and Exchange via WMI and Powershell
• Databases — Oracle, MS SQL, MySQL via JDBC
• VoIP infrastructure via IPSLA, SNMP, CDR/CMR
• Flow analysis and application performance — Netflow, SFlow, Cisco AVC, NBAR
• Ability to add custom metrics
• Baseline metrics and detect significant deviations

Availability Monitoring

• System up/down monitoring — via Ping, SNMP, WMI, Uptime Analysis, Critical Interface, Critical Process and Service, BGP/OSPF/EIGRP status change, Storage port up/down
• Service availability modeling via Synthetic Transaction Monitoring — Ping, HTTP, HTTPS, DNS, LDAP, SSH, SMTP, IMAP, POP, FTP, JDBC, ICMP, trace route and for generic TCP/UDP ports
• Maintenance calendar for scheduling maintenance windows
• SLA calculation — “normal” business hours and after-hours considerations

Real-Time Configuration Change Monitoring

• Collect network configuration files, stored in a versioned repository
• Collect installed software versions, stored in a versioned repository
• Automated detection of changes in network configuration and installed software
• Automated detection of file/folder changes — Windows and Linux — who and what details
• Automated detection of changes from an approved configuration file
• Automated detection of windows registry changes via FortiSIEM windows agent

Device and Application Context

• Network Devices including Switches, Routers, Wireless LAN
• Security devices — Firewalls, Network IPS, Web/Email Gateways, Malware Protection, Vulnerability Scanners
• Servers including Windows, Linux, AIX, HP UX
• Infrastructure Services including DNS, DHCP, DFS, AAA, Domain Controllers, VoIP
• User-facing Applications including Web Servers, App Servers, Mail, Databases
• Storage devices including NetApp, EMC, Isilon, Nutanix, Data Domain
• Cloud Apps including AWS, Box.com, Okta, Salesforce.com
• Cloud infrastructure including AWS
• Environmental devices including UPS, HVAC, Device Hardware
• Virtualization infrastructure including VMware ESX, Microsoft Hyper-V Scalable and Flexible Log Collection

Scalable and Flexible Log Collection

• Collect, Parse, Normalize, Index and Store security logs at very high speeds (beyond 10K events/sec per node)
• Out-of-the-box support for a wide variety of security systems and vendor APIs — both on-premises and cloud
• Windows Agents provide highly scalable and rich event collection including file integrity monitoring, installed software changes and registry change monitoring
• Linux Agents provide file integrity monitoring, syslog monitoring and custom log file monitoring
• Modify parsers from within the GUI and redeploy on a running system without downtime and event loss
• Create new parsers (XML templates) via integrated parser development environment and share among users via export/import function
• Securely and reliably collect events for users and devices located anywhere

Notification and Incident Management

• Policy-based incident notification framework
• Ability to trigger a remediation script when a specified incident occurs
• API-based integration to external ticketing systems — ServiceNow, ConnectWise, and Remedy
• Built-in ticketing system
• Incident reports can be structured to provide the highest priority to critical business services and applications
• Trigger on complex event patterns in real time

Rich Customizable Dashboards

• Configurable real-time dashboards, with “Slide-Show” scrolling for showcasing KPIs
• Sharable reports and analytics across organizations and users
• Color-coded for rapidly identifying critical issues
• Fast — updated via in-memory computation
• Specialized layered dashboards for business services, virtualized infrastructure, and specialized apps

External Threat Intelligence Integrations

• API’s for integrating external threat feed intelligence — Malware domains, IPs, URLs, hashes, Tor nodes
• Built-in integration for popular threat intelligence sources — ThreatStream, CyberArk, SANS, Zeus
• Technology for handling large threat feeds — incremental download and sharing within cluster, real-time pattern matching with network traffic. All STIX & TAXII feeds are supported

Powerful and Scalable Analytics

• Search events in real time— without the need for indexing
• Keyword and event-based searches
• Search historical events — SQL-like queries with Boolean filter conditions, group by relevant aggregations, time-of-day filters, regular expression matches, calculated expressions — GUI & API
• Use discovered CMDB objects, user/identity and location data in searches and rules
• Schedule reports and deliver results via email to key stakeholders
• Search events across the entire organization, or down to a physical or logical reporting domain
• Dynamic watch lists for keeping track of critical violators — with the ability to use watch lists in any reporting rule
• Scale analytics feeds by adding Worker nodes without downtime

Baselining and Statistical Anomaly Detection

• Baseline endpoint/server/user behavior — hour of day and weekday/weekend granularity
• Highly flexible — any set of keys and metrics can be “baselined”
• Built-in and customizable triggers on statistical anomalies

External Technology Integrations

• Integration with any external web site for IP address lookup
• API-based integration for external threat feed intelligence sources
• API-based 2-way integration with help desk systems — seamless, out-of-the box support for ServiceNow, ConnectWise and Remedy
• API-based 2-way integration with external CMDB — out-of-the box support for ServiceNow and ConnectWise
• Kafka support for integration with enhanced Analytics Reporting — i.e. ELK, Tableau and Hadoop
• API for easy integration with provisioning systems
• API for adding organizations, creating credentials, triggering discovery, modifying monitoring events

Simple and Flexible Administration

• Web-based GUI
• Rich Role-based Access Control for restricting access to GUI and data at various levels
• All inter-module communication protected by HTTPS
• Full audit trail of FortiSIEM user activity
• Easy software upgrade with minimal downtime & event loss
• Rapid updates to Fortinet FortiSIEM knowledge base updates (parsers, rules, reports)
• Policy-based archiving
• Hashing of logs in real time for non-repudiation & integrity verification
• Flexible user authentication — local, external via Microsoft AD and OpenLDAP, Cloud SSO/SAML via Okta
• Ability to log into remote server behind a collector from FortiSIEM GUI via remote SSH tunnel

Easy Scale Out Architecture

• Available as Virtual Machines for on-premises and public/private cloud deployments on the following hypervisors — VMware ESX, Microsoft Hyper-V, KVM, Amazon Web Services AMI, OpenStack, Azure (only Collector)
• Multiple physical appliance models with varying levels of performance to provide a variety of deployment options
• Scale data collection by deploying multiple Collectors
• Collectors can buffer events when connection to FortiSIEM Supervisor is not available
• Scale analytics by deploying multiple Workers
• Built-in load balanced architecture for collecting events from remote sites via collectors