
Fortinet FortiSIEM

FortiSIEM is Fortinet's comprehensive Security Information and Event Management (SIEM) solution that provides centralized security operations and threat detection capabilities. FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution designed to help organizations manage their security posture effectively.

Arcanna - Fortinet FortiSIEM integration

The Arcanna integration with Fortinet FortiSIEM creates a bidirectional connection that enhances Security Operations Center (SOC) efficiency through intelligent incident management automation.

The integration enables Arcanna AI to ingest security incidents directly from FortiSIEM, giving the AI platform real-time access to detected threats, alerts, and security events. Based on Arcanna's AI-driven analysis and decision-making, the integration can then automatically perform several actions back in FortiSIEM:

  • Add detailed investigation notes to incidents, enriching the case documentation with AI-generated insights
  • Modify incident statuses to reflect current investigation progress or resolution state
  • Update incident resolutions based on Arcanna's intelligent recommendations

Steps to configure Fortinet FortiSIEM integration:

Prerequisites

How to connect

In your Arcanna instance:

  1. Create the Fortinet FortiSIEM integration:

    • Go to the Integrations tab.
    • Search for the Fortinet FortiSIEM integration and click on it. (screenshot: fortisiem-search-integration)
    • Fill in all the fields as shown below, using your own credentials, then press Confirm. (screenshot: fortisiem-create-integration)
  2. Create an Arcanna job using Fortinet FortiSIEM as the input integration:

    • Go to the AI Jobs tab and click Create job.
    • Select the Fortinet FortiSIEM integration just created as the input.
    • Complete the parameters with your credentials (Host, Port, User, Password, Organization), e.g.: (screenshot: fortisiem-integration-create)
    • Click Save and run to save and start the job.
    • You can now see that the FortiSIEM Demo Job has ingested one document, the one sent earlier: (screenshot: fortisiem-jobs)
    • Navigate to the job's Event Explorer page and review the document. No decision is available yet, since no Arcanna model has been trained: (screenshot: fortisiem-explorer)
  3. Select Decision Points, then navigate to Feedback and Train to configure the features and train your initial Arcanna model.

    • Ingest a new alert (or reprocess an existing one) and navigate to the job's Event Explorer to see the Arcanna decision being applied: (screenshot: fortisiem-explorer)
  4. Add the Fortinet FortiSIEM integration as a post-decision integration in the processing pipeline:

    • Go to the job's Flows page, press the Add integration button and select Post Decision. Search for the FortiSIEM integration and select it: (screenshot: fortisiem-flows)
    • Configure the FortiSIEM post-decision integration parameters: (screenshots: fortisiem-flows)
      • Filters: apply the post-decision actions conditionally, based on specific criteria.
      • Decision label: enable the Arcanna decision label for which the actions will be applied.
      • Add comments to incidents: adds a custom comment to the incident. If no Custom comment template is provided, a default one is used.
      • Change incident status: changes the incident status based on the Arcanna model decision.
      • Change incident resolution: changes the resolution status based on the Arcanna model decision.
    • Click Confirm.
    • Ingest a new alert (or reprocess an existing one) and navigate to the job's Event Explorer to see the Arcanna post-decision actions being applied: (screenshot: fortisiem-explorer)
    • Go to the FortiSIEM dashboard and search for the incident: (screenshot: fortisiem-dashboard)

In the incident's Comments section you can see the actions Arcanna performed on it, based on the model decision.
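To make the post-decision settings concrete, the following Python model is added here as an example; it is not Arcanna's or Fortinet's code. It shows how the four controls on the form (filters, the enabled decision label, the comment template with its default fallback, and the status/resolution mappings) combine to decide which actions are applied to a FortiSIEM incident. It only plans the actions as plain dictionaries and does not call the FortiSIEM API; the field names (`arcanna_decision`, `incident_id`, `severity`), the default template text, the status and resolution values and the sample incidents are all constructed assumptions.

```python
# Added example (not Arcanna or Fortinet code): a dry-run model of the
# post-decision step. Field names, default template text, status/resolution
# values and sample incidents are constructed assumptions for illustration.
from dataclasses import dataclass, field
from string import Template
from typing import Dict, List, Optional, Set

# Assumed default, used when no "Custom comment template" is configured.
DEFAULT_COMMENT_TEMPLATE = (
    "Arcanna decision: $label (confidence $confidence) for incident $incident_id"
)


@dataclass
class PostDecisionConfig:
    """Mirrors the switches on the post-decision integration form (assumed names)."""
    enabled_labels: Set[str]                                    # labels that trigger actions
    filters: Dict[str, str] = field(default_factory=dict)       # every field must match
    add_comments: bool = False
    comment_template: Optional[str] = None                      # None -> default template
    change_status: Dict[str, str] = field(default_factory=dict)      # label -> status
    change_resolution: Dict[str, str] = field(default_factory=dict)  # label -> resolution


def matches_filters(event: Dict[str, object], filters: Dict[str, str]) -> bool:
    """All configured filter fields must be present on the event with the given value."""
    return all(event.get(k) == v for k, v in filters.items())


def plan_actions(event: Dict[str, object], cfg: PostDecisionConfig) -> List[Dict[str, str]]:
    """Return the FortiSIEM actions the post-decision step would perform for one event.

    The event is the ingested incident with the Arcanna decision attached.
    Nothing is sent; a caller would hand the result to a FortiSIEM client.
    """
    label = str(event.get("arcanna_decision", ""))
    incident_id = str(event.get("incident_id", ""))

    # Gate 1: only labels explicitly enabled on the form fire actions.
    if label not in cfg.enabled_labels:
        return []
    # Gate 2: optional filters narrow this further (e.g. only HIGH severity).
    if not matches_filters(event, cfg.filters):
        return []

    actions: List[Dict[str, str]] = []
    if cfg.add_comments:
        tpl = Template(cfg.comment_template or DEFAULT_COMMENT_TEMPLATE)
        comment = tpl.safe_substitute(
            label=label,
            confidence=event.get("confidence", "n/a"),
            incident_id=incident_id,
        )
        actions.append({"action": "add_comment", "incident_id": incident_id, "comment": comment})
    if label in cfg.change_status:
        actions.append({"action": "change_status", "incident_id": incident_id,
                        "status": cfg.change_status[label]})
    if label in cfg.change_resolution:
        actions.append({"action": "change_resolution", "incident_id": incident_id,
                        "resolution": cfg.change_resolution[label]})
    return actions


# Constructed sample: three incidents as they might look after ingestion and decision.
SAMPLE_EVENTS = [
    {"incident_id": "INC-1001", "severity": "HIGH", "arcanna_decision": "escalate", "confidence": 0.97},
    {"incident_id": "INC-1002", "severity": "LOW", "arcanna_decision": "escalate", "confidence": 0.61},
    {"incident_id": "INC-1003", "severity": "HIGH", "arcanna_decision": "drop", "confidence": 0.88},
]

# Constructed config: act only on "escalate" decisions for HIGH-severity incidents.
SAMPLE_CONFIG = PostDecisionConfig(
    enabled_labels={"escalate"},
    filters={"severity": "HIGH"},
    add_comments=True,
    comment_template=None,
    change_status={"escalate": "In Progress"},
    change_resolution={"escalate": "True Positive"},
)


def run_sample() -> Dict[str, List[Dict[str, str]]]:
    """Plan actions for every sample event, keyed by incident id."""
    return {str(e["incident_id"]): plan_actions(e, SAMPLE_CONFIG) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for inc, acts in run_sample().items():
        print(inc, acts or "no action (label disabled or filtered out)")
```

Running the block shows INC-1001 receiving a comment, a status change and a resolution change, while INC-1002 is filtered out by severity and INC-1003 by its disabled decision label; keeping the two gates separate mirrors the form, where the decision label and the filters are configured independently.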