Centralized NOC-SOC Security Analysis

overview

FortiAnalyzer

In today’s dynamic and fast changing security landscape, lack of visibility continues to extend breach and compromise events to an average of more than 100 days. For each day an organization is exposed it’s another opportunity for attackers to get to sensitive customer and confidential information. FortiAnalyzer delivers critical insight into threats across the entire attack surface and provides Instant visibility, situation awareness, real-time threat intelligence and actionable analytics, along with NOC-SOC security analysis and operations perspective for Fortinet’s Security Fabric.

Product Details

Threat Detection – Allows IT administrators to quickly identify and respond to network security threats across the network

Powerful NOC-SOC Dashboard – Customizable NOC-SOC dashboards provide management, monitoring and control over your network.

Scalable Performance & Flexible Deployments – Supports thousands of FortiGate and FortiClient™ agents, and dynamically scale storage based on retention requirements. Deploys as an individual unit or optimized for a specific operation

BENEFITS

Features and Benefits

Incident Response
FortiAnalyzer’s Incident Response capability improves Management & Analytics with focus on event management and identification of compromised endpoints. Use improved default and custom event handlers to detect malicious and suspicious activities on the spot. Integration of events with the FOS automation framework for automated endpoint quarantine. Incident detection and tracking, as well as evidence collection and analysis are streamlined through integration with ITSM platforms, helping to bridge gaps in your Security Operations Center and reinforce your Security Posture.

FortiView — Powerful Network Visibility
Provides a customizable interactive dashboard that helps you rapidly pinpoint problems, with intuitive summary views of network traffic, threats, applications and more. FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

Indicators of Compromise
The Indicators of Compromise (IOC) summary shows end users with suspicious web usage compromises. It provides information such as end users’ IP addresses, host name, group, OS, overall threat rating, a Map View, and number of threats. You can drill down to view threat details. To generate the Indicators of Compromise, FortiAnalyzer checks the web filter logs of each end user against its threat database. When a threat match is found, a threat score is given to the end user. FortiAnalyzer aggregates the threat scores of an end user and gives its verdict of the end user’s overall Indicators of Compromise. The Indicators of Compromise summary is produced through the UTM web filter of FortiGate devices and FortiAnalyzer subscription to FortiGuard to keep its local threat database synced with the FortiGuard threat database.

Reports
You can generate custom data reports from logs by using the Reports feature. FortiAnalyzer provides 30+ built-in templates that are ready to use, with sample reports to help identify the right report for you. Run reports on-demand or on a schedule with automated email notifications, uploads and a easy to manage calendar view. Create custom reports with the 300+ built-in charts and datasets ready for creating your own custom reports, with flexible report formats include PDF, HTML, CSV and XML.

Monitor and Alert
Event handlers define what messages to extract from logs and display in Event Management. You must enable an event handler to start generating events. You can configure event handlers to generate events for a specific device, for all devices, or for the local FortiAnalyzer unit. You can create event handlers for FortiGate, FortiCarrier, FortiCache, FortiMail, FortiManager, FortiWeb, FortiSandbox devices, and syslog servers. You can configure the system to send you alerts for event handlers via email address, SNMP community, or syslog server.

Network Operation & Security Operation Center
FortiAnlyzers NOC-SOC is a management center that helps you secure your overall network by providing actionalble log and threat data. The SOC helps you protect your network, web sites, applications, databases, servers and data centers, and other technologies, with centralized monitoring and awareness of the threats, events and network activity, using the predefined FAZ dashboards and widgets, or customize your own, delivered through a single-pane-of-glass interface for easy integration into your Security Fabric.

Log Fetch for Forensic Analysis
Log fetching is used to retrieve archived logs from one FortiAnalyzer device to another. This allows administrators to run queries and reports against historic data, which can be useful for forensic analysis. A FortiAnalyzer device can be either the fetch server or the fetching client, and it can perform both roles to retrieve the log data for a specified device and time period, based on specified filters. The retrieved data are then indexed, and can be used for data analysis and reports.

Log Forwarding for Third-Party Integration
You can forward logs from a FortiAnalyzer unit to another FortiAnalyzer unit, a syslog server, or a Common Event Format (CEF) server. The client is the FortiAnalyzer unit that forwards logs to another device. The server is the FortiAnalyzer unit, syslog server, or CEF server that receives the logs. In addition to forwarding logs to another unit or server, the client retains a local copy of the logs. The local copy of the logs is subject to the data policy settings for archived logs. Logs are forwarded in real-time or near real-time as they are received. Forwarded content files include: DLP files, antivirus quarantine files, and IPS packet captures.

Analyzer-Collector mode
You can deploy in Analyzer mode and Collector mode on different FortiAnalyzer units and make the units work together to improve the overall performance of log receiving, analysis, and reporting. When FortiAnalyzer is in Collector mode, its primary task is forwarding logs of the connected devices to an Analyzer and archiving the logs. The Analyzer offloads the log receiving task to the Collector so that the Analyzer can focus on data analysis and report generation. This aximizes the Collector’s log receiving performance.

Multi-tenancy with Flexible Quota Management
Time-based archive/analytic log data policy per Administrative Domain (ADOM), automated quota management based on the defined policy, and trending graphs to guide policy configuration and usage monitoring.

Delivery

Available in

  • refresh-database-1856_a6704a77-603a-45b0-925d-41498e0fb1aa

    Appliance

  • radar-signal-727_b1dcc914-3ee5-449c-941e-d4684ee50ba3

    Virtual Machine

  • handshake-2819_4c48473b-74a8-4575-890d-e1824695a74c

    Cloud

Models and Specifications

Hardware

FortiAnalyzer 200F

  • Devices/VDOMs
    (maximum)
  • 150
  • GB/Day of Logs
  • 100
  • Analytic
    Sustained Rate
    (logo/sec)
  • 3,000

FortiAnalyzer 300F

  • Devices/VDOMs
    (maximum)
  • 180
  • GB/Day of Logs
  • 150
  • Analytic
    Sustained Rate
    (logo/sec)
  • 4,500

FortiAnalyzer 400E

  • Devices/VDOMs
    (maximum)
  • 200
  • GB/Day of Logs
  • 200
  • Analytic
    Sustained Rate
    (logo/sec)
  • 6,000

FortiAnalyzer 800F

  • Devices/VDOMs
    (maximum)
  • 800
  • GB/Day of Logs
  • 300
  • Analytic
    Sustained Rate
    (logo/sec)
  • 8,250

FortiAnalyzer 1000E

  • Devices/VDOMs
    (maximum)
  • 2000
  • GB/Day of Logs
  • 600
  • Analytic
    Sustained Rate
    (logo/sec)
  • 18,000

FortiAnalyzer 2000E

  • Devices/VDOMs
    (maximum)
  • 2000
  • GB/Day of Logs
  • 1000
  • Analytic
    Sustained Rate
    (logo/sec)
  • 30,000

FortiAnalyzer 3000F

  • Devices/VDOMs
    (maximum)
  • 4000
  • GB/Day of Logs
  • 5000
  • Analytic
    Sustained Rate
    (logo/sec)
  • 42,000

FortiAnalyzer 3700F

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • 8,300
  • Analytic
    Sustained Rate
    (logo/sec)
  • 100,000
Virtual Machines

FortiAnalyzer VM-BASE

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • 1
  • Storage
    Capacity
  • 500 GB

FortiAnalyzer VM-GB1

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • +1
  • Storage
    Capacity
  • +500 GB

FortiAnalyzer VM-GB5

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • +5
  • Storage
    Capacity
  • +3 TB

FortiAnalyzer VM-GB25

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • +25
  • Storage
    Capacity
  • +10 TB

FortiAnalyzer VM-GB100

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • +100
  • Storage
    Capacity
  • +24 TB

FortiAnalyzer VM-GB500

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • +500
  • Storage
    Capacity
  • +48 TB

FortiAnalyzer VM-GB2000

  • Devices/VDOMs
  • 10,000
  • GB/Day of Logs
  • +2000
  • Storage
    Capacity
  • +100 TB