Jump to content

Thoughts on FortiSIEM


Chris

Recommended Posts

In the thread "Favorite SIEM", some were interested in my evaluation on FortiSIEM, so I will now put in some of my thoughts on this in here.

First things first: Our company likes to establish a MSSP model and one of its components will of course be a SIEM. As we have deep knowledge in a lot of Fortinet products (and have a good standing and partner status), we decided to prefer FortiSIEM over other vendors for our first decision process. Which ends up in me having a large test lab and a lot of test cases to check if we want to sail with this boat. Having said this, I might be a little biased in my thoughts.

So, now about the system.

What I really like about is, is that there are a lot of predefined rules (filters) and all kinds of dashboards and "reports" which can create widgets for these dashboards. It also has a distinct look at OT environments (which they use especially in an "ICS" ATT&CK overview). I am well aware that pre-defined filters don't make up a SIEM, as you will build all the rules by yourself lateron anyways. But it's very nice for onboarding new customers, as they will see major things right at the beginning without complex fitting processes.

The SIEM is also focused very much on the GUI (which I also like on the firewalls of Fortinet), making almost everything accessible graphically. So, as soon as everything is set up (which is quite hacky, but far better than ELK), you won't mess around with Linux anymore. Having everything there, however, makes it very difficult to find "that one function, I need for xy". Custom attributes for CMDB-objects are possible, but where the heck do I find the config pane for this one again?

Talking to a Fortinet technician, I was told, you barely use "cases" (which means tickets) on FortiSIEM, but would do the everyday job on the "incidents" view. This makes my think about how a SOC would be structured in their minds? This either means, FortiSIEM is only used in very small teams or no one likes the ticket system in it. And yes, I don't like the ticketing in there either. It's structured like a to-do-list where I can see some more details of a task when clicking on it, but not like a conversation in a ticket.

Speaking of integrations, we missed Siemens as a big vendor in OT areas. However, configuring a parser (via XML "programming language") is straightforward, so I can live with this.

Tracking of endpoints uses (to-be-sold-separately) "Advanced Agents", which you need to install on Windows or Linux. In my opinion, this only makes sense on servers, but having a (to-be-sold-separately) UEBA-license, you might find out something about user behavior. In my test, I did not find out really interesting things and would rather recommend an EDR here.

"Playbooks" are kind of a protected name for things that happen on a different product (FortiSOAR). So, wherever you see the term "Playbook" on FortiSIEM, you cannot use it without additional licenses. Programming own scripts works in python (version 2, as it seems...) and is called "Remediation". That's kind of weird, when you define that an incident should automatically fire a "remediation" just to have a tailormade notification. Btw.: There is no mobile app, so default notifications are only e-mail.

Licensing is quite complicated, but as far as I see cheaper than other vendors. License is based roughly on single devices (which translate into "events per second", which is the real currency, but if you license the correct amount of devices, you will have enough of these EPS). You may also buy a subscription to IoC-updates, which continuously add rules into the system.

 

I am not finished with the test (did only do integrations and filling data yet; will try to figure out the daily workflow in January), so feel free to ask any question, if you are interested in this.

I will update this thread, as soon as I have new things to tell.

 

Best,
Chris

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...