
User Guide

FortiAI Chat

FortiAI Chat enables you to ask questions about FortiSIEM or security in natural language (English). The FortiSIEM Generative AI module (phGenerativeAI) interfaces with the PostgreSQL database via Model Context Protocol (MCP), the ClickHouse database via MCP, the built-in VectorDB and the OpenAI LLM to generate an answer. You can also ask follow-on questions to refine an answer or to drill down into a response.

The following kinds of questions are supported:

  • FortiSIEM Documentation Questions: These questions are answered by using VectorDB and OpenAI LLM. Examples are:

    • Can you give me guidance on tuning a rule in FortiSIEM to remove false positives?

    • Can you tell me how can I improve query speed in FortiSIEM running ClickHouse?

  • CMDB Questions: These questions are answered by using PostgreSQL Database via MCP, and OpenAI LLM. Examples are:

    • How many devices in my CMDB? Group by Vendor and Model.

    • Is there any CMDB device with IP 10.1.1.1? Provide name, vendor, model, interface name, IP address, Mask, MAC address.

    • Show me all devices where application bind is installed?

    • Show me all CMDB devices with Critical event collection status.

  • Data Collection Questions: These questions are answered by using ClickHouse Database via MCP and OpenAI LLM. Examples are:

    • What is the average incoming eps for last 1 hour? Show me a breakdown by 5 minutes?

    • Get Reporting Devices that did not send events yesterday but sent some events today.

  • Incident Questions: These questions are answered by using PostgreSQL Database via MCP, and OpenAI LLM. Examples are:

    • Analyze incidents today to list the incidents that user <user> is involved. Include event name, event severity category and count. List highest severity events first.

    • Tell me incidents involving <entity> that happened today? Provide incident title, last seen time and status.

    • Tell me the Open incidents related to incident <incident_id>. Provide Incident ID, Title, Incident Status.

    • List IOCs for incident <incident_id>.

  • Threat Hunting Questions: These questions are answered by using ClickHouse Database via MCP and OpenAI LLM. Examples are:

    • Show me top 10 countries that my hosts are communicating with, in last 1 hour.

    • Get traffic to destinations outside United States in last 1 hour. Aggregate by source IP, destination IP and destination country.

    • Is there any traffic matching FortiGuard Malware IP in last 1 hour? Aggregate by source IP, destination IP.

    • Is there any traffic matching any Known Malware IP in last 1 hour? Add the matching Malware IP Group to the table.

  • User Activity Questions: These questions are answered by using ClickHouse Database via MCP and OpenAI LLM. Examples are:

    • Are there any RDP logins to any windows host today that were not there in last 2 days? Provide host, user and count.

    • Are there any SSH root logons to linux servers in my environment in last 2 days?

    • Analyze logs to compare activities of user <user> today with yesterday. Show common activities and activities that the user did today but not yesterday?

  • Vulnerability Questions: These questions are answered by using ClickHouse Database via MCP, and OpenAI LLM. Examples are:

    • Check logs for last 2 days to see if there are any hosts in my environment that are affected by any well-known vulnerabilities with highly Vulnerable score greater than 8.

    • What are the publicly disclosed security vulnerabilities last week? Provide vendor, CVE, severity and affected systems and applications. Check logs in ClickHouse today to see if there are any hosts that are affected by any of these vulnerabilities.

Enabling Users to run FortiAI

By default, only Admin users can run FortiAI. If you want other users to run FortiAI, modify the user's role to grant the ability to run FortiAI.

  1. Go to Admin > Settings > Role > Role Management.

  2. Create a role by clicking New (+), or select an existing role and click Edit.

  3. Check the FortiAI: Run checkbox.

  4. Click Save to save the Role.

  5. Make sure the user is mapped to that Role from CMDB > Users.

Asking a Question

  1. Click FortiAI on the top right. The FortiAI Chat window appears.

  2. To use a pre-defined question, click + at the bottom of the window.

  3. Select the question from the popup and confirm the selection. The question appears in the main window.

  4. Click Send to submit the question to FortiSIEM.

Visualizing the Result

If you ask a question where the result is aggregated, e.g. "Categorize CMDB devices by discovery method.", then you can type "visualize the data" in the chat window. It will generate a Donut chart in the chat window.

Exporting as PDF

You can type "generate a PDF" in the chat window and a Download PDF link will appear in the response. Click the Download PDF link and the PDF file will be saved to your Downloads folder.

Saving a Question

You can type your own question and get a response. To save the question, click Save Question and select the folder in which the question will be saved.

Maximize the Edit Window

Click Expand to maximize the Edit window.

Guidelines for Asking Questions

Follow the style of sample questions in Report > ReportAI. General guidelines are:

  • If you use the words "event" or "log" in the question, then the question is routed to ClickHouse MCP Agent.

  • If you use the word "incident" in the question, then the question is routed to PostgreSQL MCP Agent.

  • If you use the words "device" or "CMDB" in the question, then the question is routed to PostgreSQL MCP Agent.

  • You can always use the words "Use ClickHouse" or "Use Postgres" to force the routing to the right MCP Agent.

  • Note that Incident and device/user information is stored in the PostgreSQL database, while events are stored in ClickHouse, so the agent a question is routed to determines which data it can see.

Anonymizing Sensitive Data

When you submit questions to FortiAI in the Chat Interface or in Log / Incident / Case Analysis, FortiSIEM anonymizes customer-specific information before sending it to the LLM (OpenAI). Results returned from the LLM are converted back to the original values before being displayed to the user. Similar anonymization is performed when you invoke FortiAI via an Automation Policy.

The full list of anonymized event attributes for the Chat Interface and Log Analysis is provided in a separate documentation page.

For Incident / Case Analysis, the following fields are anonymized: IP fields, Host Name fields, User fields, Email fields.

A built-in report, FortiSIEM ChatGPT Queries, is provided. You can run this report to see what queries are sent to ChatGPT and how much they cost. The query result shows the sensitive fields being anonymized.

Note: If you manually enter a log or Incident and ask ChatGPT to analyze it, then the fields are *not* anonymized, since FortiSIEM does not parse the data on the fly. This method is not recommended.
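The anonymize-then-restore flow described above can be illustrated with a small reversible pseudonymizer. This is an added example and not FortiSIEM's own code: the field patterns (an email, a dotted IPv4 address, and the values of assumed user=... and host=... keys in a key=value log line), the placeholder token format, and the sample log line and LLM reply are all constructed for the illustration. It also shows why the note about manually entered data matters: values are only replaced when a parser recognizes them, so free text that does not match any pattern leaves the real values in place.

```python
import re
from typing import Dict, Tuple

# Assumed attribute patterns for a constructed key=value log line; FortiSIEM's
# own attribute list is published separately and is not reproduced here.
PATTERNS = (
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),  # first, so user@host stays whole
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("USER",  re.compile(r"(?<=\buser=)[\w.\\-]+")),             # value of a user=... field
    ("HOST",  re.compile(r"(?<=\bhost=)[\w.-]+")),               # value of a host=... field
)
TOKEN_RE = re.compile(r"<(?:EMAIL|IP|USER|HOST)_\d+>")


class Anonymizer:
    """Reversible pseudonymization: real value -> stable placeholder token and back."""

    def __init__(self) -> None:
        self.forward: Dict[str, str] = {}   # real value -> token
        self.reverse: Dict[str, str] = {}   # token -> real value
        self.counters: Dict[str, int] = {}  # per-kind sequence numbers

    def _token(self, kind: str, value: str) -> str:
        # The same value always maps to the same token, so counts and joins
        # in the model's answer remain meaningful after restoration.
        tok = self.forward.get(value)
        if tok is None:
            n = self.counters.get(kind, 0) + 1
            self.counters[kind] = n
            tok = f"<{kind}_{n}>"
            self.forward[value] = tok
            self.reverse[tok] = value
        return tok

    def anonymize(self, text: str) -> str:
        """Replace every recognized sensitive value with its placeholder token."""
        for kind, rx in PATTERNS:
            text = rx.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def deanonymize(self, text: str) -> str:
        """Map tokens in the model's reply back to the real values.

        Tokens the model invented or altered are left as-is rather than guessed."""
        return TOKEN_RE.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


# Constructed sample log line (not real data).
SAMPLE_LOG = ("2024-01-01T10:00:00Z host=web01.corp.example user=alice "
              "src=10.1.1.1 dst=198.51.100.7 email=alice@corp.example action=login")

# Constructed stand-in for what an LLM might answer about the anonymized line.
SAMPLE_LLM_REPLY = "User <USER_1> on <HOST_1> logged in from <IP_1> (contact <EMAIL_1>)."


def round_trip(log_line: str = SAMPLE_LOG, reply: str = SAMPLE_LLM_REPLY) -> Tuple[str, str]:
    """Return (text that would be sent to the LLM, reply mapped back to real values)."""
    anon = Anonymizer()
    outbound = anon.anonymize(log_line)
    return outbound, anon.deanonymize(reply)


if __name__ == "__main__":
    sent, shown = round_trip()
    print("sent to LLM  :", sent)
    print("shown to user:", shown)
```

The mapping table lives only on the FortiSIEM side of the exchange; the model sees tokens such as <IP_1> and never the real addresses. Because user and host values are only recognized through the assumed user= and host= keys, a line such as "alice logged in to web01" passes through unchanged, which is the same failure mode the note above warns about for manually pasted logs.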
