Fortinet FortiSIEM Reviews

My primary use case for Fortinet FortiSIEM is systems monitoring and alerting. I use it for standard functions like log monitoring, incident detection, and notification. 

My customers are mostly medium-sized enterprises ranging from engineering companies, mining companies, independent schools, and government departments to agencies.

Fortinet FortiSIEM is valuable mainly for its features around firewall monitoring, intrusion detection, and authentication. It provides extensive logging and record-keeping for internal networks, cloud applications, and services as well as perimeter physical network security. Compliance management capabilities, although limited, are utilized by mature customers for reporting.

Mainly, we are configuring various correlation rules in FortiSIEM to detect various types of cyber threats and cybersecurity attacks, particularly brute force attacks, denial of service attacks, and distributed denial. We are using it to identify suspicious activities by internal staff as well as outsiders, for any type of intrusion.

The most fascinating aspect of FortiSIEM is its integration with the MITRE ATT&CK framework. It maps threat vectors and IOCs on the MITRE framework to identify the kind and magnitude of a threat and the techniques used. This allows us to take requisite measures using the SOAR solution or by involving our team of SOC analysts and incident responders.

I am part of the team that implements the solution, and we hand it over to the operations team. We use FortiSIEM to ingest logs. The customer provides us with the IPs for the log sources, and we add them to the FortiSIEM dashboard. We can check the logs for signs of malicious access from outside devices and set rules based on the customer's preferences. 

FortiSIEM sends an email or SMS notifications to admins when there are significant incidents. It's a highly efficient way of responding to incidents. 

We're using it to manage devices on the network. We get real-time incident reports on changes done on the servers and changes on routers and switches. They also use it to provide reports to management on activities, incidents, and events.

I like the reporting model where you can drill-down capabilities into user actions on the network.

I also like CMDB. The CMDB captures devices as long as they have SNMP enabled. It captures the information for me. 

We are using Fortinet FortiSIEM on-premises and Azure Sentinel on the cloud. We are a university with an E5 license, and we cannot pump everything to Azure Sentinel because it will cost quite a lot. That's why we have two SIEM systems, one for cloud and one for on-premises.

We use Fortinet FortiSIEM for our on-premises services. It has a perpetual license, and we pay once. Depending on your storage size, you can pump to your on-premises SIEM system whenever you like. Our strategy is to use Azure Sentinel as little as possible. Since we have two SIEM systems, vendor integration is a problem, and we need more staff.

We have many application systems, and I can set up Fortinet FortiSIEM for users to monitor their systems.

We use the solution for monitoring, intrusion detection, and user behavior analytics. We run the dashboards to detect anomalies. We have our own incident tracking solution. We use it to track the time to detect versus the time to resolve and close the ticket.

The product kicks the logs automatically without an agent. We also use it for file integrity monitoring. The analytics engine is quite good. It can correlate traffic across our various platforms and give us a standard dashboard view of what's happening. By seeing what's happening on the network, we can pick anomalies like encrypted traffic, policy violations, and unusual accesses. It helps us be compliant. We can push back on the users and the IT team and keep them accountable based on what they are doing across their network.

Real-time monitoring makes life quite easy for me. Once I have the assurance that I have visibility into what's happening, I can report to the business and my boss that all is well. It also allows me to keep the security operations team on its toes. We do a lot of red teaming. It allows us to see whether the SOC team is doing what it is supposed to do.

The tool is relatively easy to integrate. It's agentless. We have a Windows environment majorly. We can tell the product to monitor everything at once. As long as it's authenticated, it will fix what we need.

We use this technology to configure and setup rules and conduct threat hunting.

Connecting all supported security technologies, such as firewalls from Palo Alto, Fortinet, and Check Point, is crucial. The platform needs to recognize logs coming from sources like Syslog. You might integrate an IPS or WAF for use cases like phishing. Whether on-premise or in the cloud, AD is especially important for providing context and supporting specific use cases. If FortiSIEM doesn't natively support a particular technology or cannot parse certain security logs, you can configure a custom parser to interpret those logs effectively.

We use the solution to collect logs from critical servers on the customer's infrastructure, like Active Directory, and a few security devices, like firewall, proxy, and antivirus setup. Our team monitors the log. If we get an alert, we take the necessary action in the development environment.

The solution’s IP database is awesome. If we get malicious IP attacks in the firewall, the solution has a validated database to mark IPs as malicious and generate an alert. We need not use any third-party solution.