Overview:
Analytics, Reports, and Compliance Across the Security Fabric
FortiAnalyzer is a powerful log management, analytics, and reporting
platform that provides organizations with a single console to manage,
automate, orchestrate, and respond, enabling simplified security
operations, proactive identification and remediation of risks, and
complete visibility of the entire attack landscape.
Integrated with the Fortinet Security Fabric, FortiAnalyzer provides
Network and Security Operations teams with real-time detection
capabilities, centralized security analytics and end-to-end security
posture awareness to help analysts identify advanced persistent
threats (APTs) and mitigate risks before a breach can occur.
Highlights:
- Centralized network monitoring and visibility
- Advanced threat and vulnerability detection with event and log data correlation
- Augmented NOC/SOC operations for real-time response, analytics, and reporting
- Automation to save time, reduce errors, and improve efficiency
- Multi-tenancy solution with quota management
- Administrative domains for operational effectiveness and compliance
- 70+ reports and 2000+ ready-to-use datasets, charts, and macros
Capabilities:
Incident Detection and Response
Centralized NOC/SOC Visibility for the Attack Surface
FortiAnalyzer provides Security Fabric Analytics across all device logs with event correlation
and real-time detection of Advanced Persistent Threats (APTs), vulnerabilities and Indicators
of Compromise (IOC) for FortiGate NGFWs, FortiClient, FortiSandbox, FortiWeb, FortiMail and
other Fortinet products, for deep visibility and critical network insights. Simplified orchestration
and automated workflows provide Network Security Operations teams with real-time
notifications, reports, and dashboards for single-pane visibility and actionable results.
Incidents and Event Management
Security teams can monitor and manage alerts and event logs from Fortinet devices, with
events processed and correlated in a format that analysts can easily understand. Investigate
suspicious traffic patterns and search using filters in predefined or custom event handlers to
generate real-time notifications and monitoring for NOC and SOC operations, SD-WAN, SSL
VPN, wireless, Shadow IT, IPS, network recon, FortiClient, and more.
The Incidents component enables analysts to manage incident handling and life cycle, with
incidents generated by events that show affected assets, endpoints, users and timelines.
Fabric Automation
FortiAnalyzer Playbooks strengthen a security team's ability to simplify investigation
efforts through automated incident response, freeing up resources and allowing analysts to
focus on critical tasks. Out-of-the-box playbook templates enable SOC analysts to quickly
customize their use cases, define custom processes, interact with other Security Fabric
devices such as FortiOS and EMS, edit playbooks and tasks in the visual playbook editor, and use
the Playbook Monitor for investigation of compromised hosts, infections and critical incidents,
data enrichment for the Assets and Identity views, blocking of malware and C&C IPs, and more.
Security Fabric Analytics
Analytics and Reporting
FortiAnalyzer automation-driven analytics empower network security operations teams to
complete a fast assessment of network devices, systems, and users, using correlated log data
and FortiGuard threat intelligence for analysis of real-time and historical events.
- FortiView Monitors and Views provide deep insights with context and meaning of network
activity, risks, vulnerabilities, attack attempts, indicators of compromise and anomalies,
sanctioned and unsanctioned user activity
- Log View enables analysts to expand their investigation and utilize search filters on
managed device logs, drill down on logs, with custom views and log groups, including a
SIEM database with normalized logs for Fortinet devices in Fabric ADOMs.
- Reports provide comprehensive analysis of your Security Posture, including reports for
Operational Technology (OT), security rating, security rating for PCI, Secure SD-WAN, VPN,
FortiNDR network anomaly detection, cyber threat assessments, 360 Security Reviews,
situational awareness, compliance, auditing, and more.
Assets and Identity
FortiAnalyzer Fabric View with Assets and Identity monitoring provides SOC teams with
elevated awareness and visibility into an organization’s endpoints and users with dashboards
and correlated device and UEBA information, vulnerability detections, EMS tagging, and asset
classifications through telemetry with EMS, NAC, Fortinet Fabric Agent, and an OT Dashboard
View.
Subscriptions and Extensions:
Subscription Licenses and FortiGuard Security Services
- FortiGuard Outbreak Detection Service delivers automated content package download
for detecting the latest malware, including a summary of outbreaks and kill chain mapping
for how the malware works. The package includes a FortiGuard Report for the outbreak,
Event Handler, and a Report Template to detect outbreaks.
- FortiGuard Indicators of Compromise Service empowers security teams with forensic
data from 500 000 IOCs daily. Used in combination with FortiAnalyzer analytics, it identifies
suspicious usage and artifacts observed on the network or in an operations system that
have been determined with high confidence to be malicious infections or intrusions, and
supports historical rescan of logs for threat hunting.
- Shadow IT Monitoring Service provides continuous monitoring of unapproved devices,
resources, unsanctioned accounts and unauthorized use of SaaS and IaaS, API integration,
and third party apps. The service identifies rogue users using personal accounts for
managing company assets, using correlated FortiOS and FortiCASB data with a FortiCASB
account subscribed for SaaS features.
- OT Security Service provides security teams with advanced OT analytics, risk and
compliance reports, OT event handlers, and use-case correlation rules.
- Security Rating and Compliance Service helps security teams design, implement, and
maintain their security posture, and provides actionable configuration recommendations as
well as key performance and risk indicators.
- Security Automation Service subscription enables further automation for incident
response with enhanced monitoring and escalation, built-in incident management
workflows, connectors, playbooks and more.
Management Extension Applications (MEAs)
The Management Extensions pane allows you to enable licensed applications that are
released and signed by Fortinet, which can be installed and run on FortiAnalyzer, including the
FortiSIEM and FortiSOAR.
Deployments
- Deploying FortiAnalyzer - FortiAnalyzer can be deployed as a physical hardware appliance, a virtual machine (VM) or
virtual machine subscription (VM-S), or a private or public cloud instance, with scalability,
redundancy and backup, and high availability capabilities.
- FortiAnalyzer High Availability (HA) - FortiAnalyzer HA provides real-time redundancy to protect organizations by ensuring
continuous operational availability. In the event that the primary (active) FortiAnalyzer fails,
a secondary (passive) FortiAnalyzer in a cluster of up to four nodes immediately takes over,
providing log and data reliability and eliminating the risk of a single point of failure.
- Multi-Tenancy with Flexible Quota Management - FortiAnalyzer provides the ability to manage multiple sub-accounts with each account
having its own administrators and users. The time-based archive/analytic log data policy, per
Administrative Domain (ADOM), allows automated quota management based on the defined
policy, with trending graphs to guide policy configuration and usage monitoring.
- Analyzer-Collector Mode - FortiAnalyzer provides two operation modes: Analyzer and Collector. In Collector mode, the
primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs.
This configuration greatly benefits organizations with increasing log rates, as the resource
intensive log-receiving task is off-loaded to the Collector so that the Analyzer can focus on
generating analytics and reports.
Network operations teams can deploy multiple FortiAnalyzers in Collector and Analyzer modes
to work together to improve the overall performance of log receiving and processing increased
log volumes, providing log storage and redundancy, and rapid delivery of critical network and
threat information.
- FortiAnalyzer Fabric - FortiAnalyzer Fabric allows SOC Administrators to configure two operation modes - Supervisor
and Member. This allows viewing of member devices, ADOMs and authorized logging devices,
as well as incidents and events created on members. Admins get access to Reports and
FortiView across all member FortiAnalyzers, and can perform global search in Log View of logs
collected across FortiAnalyzer Fabric members with pre-defined device filters and log drill
down for each Member and Member ADOMs.
- Log Forwarding for Third-Party Integration - Forward logs from one FortiAnalyzer to another FortiAnalyzer unit, a syslog server, or a
Common Event Format (CEF) server. In addition to forwarding logs to another unit or server, the client FortiAnalyzer retains a
local copy of the logs, which is subject to the data policy settings for archived logs. Logs are
forwarded in real time or near real time as they are received from network devices.
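A third-party collector receiving the CEF stream described above has to split the pipe-delimited header and the space-separated extension correctly, including the CEF escape sequences (a backslash before "|" and "\" in the header, before "=" and "\" in the extension). The parser below is an added example written for this page, not FortiAnalyzer code or a Fortinet library; the two sample records, their signature IDs, and their field values are constructed for illustration and do not reproduce the exact CEF layout FortiAnalyzer emits.

```python
"""Minimal CEF (Common Event Format) parser for records forwarded by a
FortiAnalyzer to a third-party CEF server.  Added example, not FortiAnalyzer
code.  The sample records below are constructed; they are not real output."""
import re
from typing import Any, Dict, List

# Header layout: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")
# An extension key is a run of key characters at the start or after whitespace,
# immediately followed by '='.  An escaped '\=' inside a value never matches.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# CEF allows textual severities as well as 0-10; map them onto the scale.
_SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}

# Constructed sample records (not real FortiAnalyzer output).
SAMPLE_WITH_SYSLOG_PREFIX = (
    "<134>Jan 10 12:00:01 faz-lab "
    "CEF:0|Fortinet|FortiAnalyzer|1.0|1000|Suspicious traffic \\| blocked|7|"
    "src=10.0.0.5 dst=203.0.113.10 dpt=443 act=deny "
    "msg=URL contained \\= sign path=C:\\\\Users\\\\bob"
)
SAMPLE_WORD_SEVERITY = (
    "CEF:0|Fortinet|FortiAnalyzer|1.0|1001|Malware detected|High|"
    "src=10.0.0.7 fname=evil.exe act=quarantine"
)


def _unescape(value: str) -> str:
    """Undo CEF escaping: '\\X' becomes X, except '\\n' and '\\r' (newlines)."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _split_header(body: str) -> List[str]:
    """Split on the first seven unescaped '|'; the remainder is the raw
    extension, which may legitimately contain unescaped '|' characters."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i:i + 2])   # keep the escape for _unescape
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append(body[i:])                 # raw extension (may be empty)
    return fields


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key=value ...'; values may contain spaces and escapes."""
    matches = list(_EXT_KEY.finditer(ext))
    result: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF record, with or without a leading syslog prefix."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _split_header(line[start + len("CEF:"):])
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    record: Dict[str, Any] = {k: _unescape(v) for k, v in zip(_HEADER_FIELDS, parts[:7])}
    sev = record["severity"].strip().lower()
    record["severity"] = int(sev) if sev.isdigit() else _SEVERITY_WORDS.get(sev, -1)
    record["extension"] = parse_extension(parts[7])
    return record


def filter_severe(lines: List[str], min_severity: int = 7) -> List[Dict[str, Any]]:
    """Return parsed records at or above min_severity (skips non-CEF lines)."""
    out = []
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue
        if rec["severity"] >= min_severity:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in filter_severe([SAMPLE_WITH_SYSLOG_PREFIX, SAMPLE_WORD_SEVERITY]):
        print(rec["signature_id"], rec["severity"], rec["name"], rec["extension"])
```

The header is split character by character rather than with `str.split("|")` so that an escaped pipe in the event name survives, and the extension is cut at key positions rather than on spaces so that free-text values such as `msg=` keep their spaces. Records whose severity is neither numeric nor one of the documented words get severity -1 rather than being dropped silently, so a mapping gap shows up in the output instead of hiding a high-severity event.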
Cloud Services
FortiAnalyzer Cloud
FortiAnalyzer Cloud offers customers a PaaS-based delivery option for automation-driven, single-pane analytics, providing
log management, analytics, and reporting for Fortinet NGFW and SD-WAN with an easily accessible cloud-based solution.
FortiAnalyzer Cloud delivers reliable real-time insights into network activity with extensive reporting and monitoring for clear,
consistent visibility of an organization’s security posture. Customers can easily access their FortiAnalyzer Cloud from their
FortiCloud single sign-on portal.
Virtual Offerings
FortiAnalyzer VM-Subscription
The FortiAnalyzer VM Subscription license model consolidates the VM product SKU, the FortiCare Support SKU, the
FortiGuard IOC and Outbreak Detection Services, and the Security Automation Service into one single SKU, to simplify product purchase, upgrade,
and renewal. FortiAnalyzer-VM S provides organizations with centralized security event analysis, forensic research, reporting,
content archiving, data mining, malicious file quarantining, and vulnerability assessment. Centralized collection, correlation, and
analysis of geographically and chronologically diverse security data from Fortinet and third party devices deliver a simplified,
consolidated view of your security posture.
The FortiAnalyzer-VM S series SKUs come in stackable 5, 50, and 500 GB/day log licenses, so that multiple units of this SKU
can be purchased together, giving organizations the ability and cost-efficiencies to scale and meet their logging needs.
FortiAnalyzer VM
Fortinet offers FortiAnalyzer-VM licensing in a stackable perpetual license model with a la carte technical support and
subscription services.
This software-based version of the FortiAnalyzer hardware appliance is designed to run on many virtualization platforms, which
allows you to expand your virtual solution as your environment expands.