Fortinet Advisor

Overview

Fortinet Advisor is available by clicking the Fortinet Advisor icon () in the upper right corner of the UI.

Fortinet Advisor can be invoked from the following places in the GUI:

  • Analytics > Search > Raw message column
  • Incidents > List By Time > <Select an Incident> > Action
  • Incidents > List By Time > <Select an Incident> > Incident Details > Trigger Events > Raw Message
  • Incidents > Risk > Entity <Drill down> > <Select an Incident> > Actions
  • Incidents > Risk > Entity <Drill down> > <Select an Incident> > Details > Trigger Events > Raw Message
  • Incidents > Investigation > <Select an Incident> > ...
  • Incidents > Investigation > <Select an Incident> > Events > Raw Message
  • Admin > Settings > Notification Policy > New Policy > Action

After the Fortinet Advisor icon has been clicked, a Fortinet Advisor window appears. In the Input field, enter your English language question, Security Operations Center (SOC) question, aggregation query, or raw message query, and hit the Enter key, or click the Send icon.

Responses to questions are drawn from the 7.1.0 product documentation and internal knowledge base articles.

Fortinet Advisor responds to the following Security Operations Center (SOC) queries: 

  • Get FortiSIEM health – This retrieves the current health of FortiSIEM nodes including Supervisor, Worker and Collector.
  • Get the latest known vulnerabilities – This retrieves the list of vulnerabilities in your environment known to FortiSIEM. To get this data, you must enable FortiSIEM to collect data from FortiClient/EMS or vulnerability scanners.

In the case of a report query, validated XML code is provided. To push this code to the Analytics page, click the Action drop-down and select "Run on Analytics", which takes you to the Analytics page. There, click Run to run the provided report. Incident analysis provided by OpenAI/ChatGPT-4 can be added to Incident Comments.

After Fortinet Advisor has responded, an "Ask again" option is available from the Action drop-down in each of your previous inquiry dialog windows. "Ask again" pastes the original inquiry into the Fortinet Advisor Input field so that you can modify it, or use it as a starting point to view other similar pre-selected questions (by pressing the UP key in the dialog window).

Use the following table to construct your query.

Notes

  • The Fortinet Advisor can be configured by following the instructions here.
  • Press the UP key at any time to select from pre-selected questions or reports based on the current input.

OpenAI Integration and Disclaimer

The Fortinet Advisor lets you connect FortiSIEM to your own OpenAI account, using your own OpenAI license key. This integration will send data from your FortiSIEM to OpenAI and will show you responses from OpenAI. Fortinet does not verify or correct these responses and has no responsibility for them. OpenAI is operated by a third party, not Fortinet. You must exercise discretion and independently verify any information or recommendations you receive from OpenAI before relying on them.

Note: Fortinet Advisor uses GPT3.5-Turbo and GPT4. Your OpenAI API key must support access to these models.

How to ask Fortinet Advisor to Create a Report

Query Type: Aggregation Query

Construct: Create a report to show <list> where <constraint>, group them by <list>, order by <list>

Exact values have to be within single quotes.

Examples:

  • Create a report to show the source IP, destination IP and total number of events where the reporting device IP belongs to the Firewall device group and event type belongs to the Permitted network connections group, group them by source IP, destination IP, and only show results for total number of events greater than 100, order by the number of events in descending order.

  • Create a report to show the destination IP, destination country and total number of events where the reporting device IP belongs to the Firewall device group, source IP is '10.1.1.1' and event type belongs to the Permitted network connections group, group them by destination IP, destination country and only show results for total number of events greater than 100, order by the number of connections in descending order.

Query Type: Raw Message Query

Construct: Create a report to show <list> where <constraint>, order by <list>

Exact values have to be within single quotes.

Examples:

  • Create a report to show the event receive time, reporting device name, domain and user where event type is 'Win-Security-4624', order by event time in descending order.

  • Create a report to show the event receive time, reporting device name, domain and user where event type is Windows logon success, order by event time in descending order.

In the Fortinet Advisor window, in the upper right corner, click X to exit the Fortinet Advisor at any time.

Anonymizing Sensitive Data

When you ask ChatGPT for log and Incident analysis using the Fortinet Advisor menu option, customer-specific information is anonymized before being sent to ChatGPT. The returned results are converted back to the original values before being displayed to the user. Similar anonymization is performed when you invoke ChatGPT via a Notification policy.

Note: If you manually enter a log or Incident and ask ChatGPT to analyze it, then the fields are *not* anonymized, since FortiSIEM does not parse the data on the fly. This method is not recommended.

The full list of anonymized event attributes is here.

A built-in report, FortiSIEM ChatGPT Queries, is provided. Run this report to see which queries are sent to ChatGPT and how much they cost. The query result shows the sensitive fields being anonymized.
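The round trip described above (tokenize customer-specific attribute values before the model sees the text, map the tokens back on the way out) as an added illustration; this is example code, not FortiSIEM's anonymizer. It assumes the log has already been parsed into key=value attributes, that the attribute names and token format used here are chosen for illustration, and it also shows the caveat from the note above: unparsed free text passes through unchanged.

```python
import re
from typing import Callable, Dict, Tuple

# Assumed attribute names and the kind of token each maps to (illustration only;
# the real list of anonymized attributes is in the product documentation).
SENSITIVE_ATTRS = {"srcIpAddr": "IP", "destIpAddr": "IP", "user": "USER",
                   "domain": "DOMAIN", "hostName": "HOST", "reptDevName": "DEVICE"}

KV_RE = re.compile(r"(\w+)=(\S+)")  # matches parsed key=value attributes only

# Constructed sample log line (not a real event).
RAW = ("eventType=Win-Security-4624 reptDevName=dc01 domain=CORP user=jdoe "
       "srcIpAddr=10.1.1.1 destIpAddr=10.1.1.50 hostName=dc01.corp.example")


def anonymize(raw: str) -> Tuple[str, Dict[str, str]]:
    """Replace sensitive attribute values with stable tokens.

    Returns the anonymized text and a token -> original-value map. The same
    original value always gets the same token, so the model can still correlate
    repeated IPs or users without learning their real values.
    """
    forward: Dict[str, str] = {}    # original value -> token
    reverse: Dict[str, str] = {}    # token -> original value
    counters: Dict[str, int] = {}   # per-kind sequence numbers

    def repl(m: "re.Match[str]") -> str:
        key, value = m.group(1), m.group(2)
        if key not in SENSITIVE_ATTRS:
            return m.group(0)        # non-sensitive attribute: leave as-is
        if value not in forward:
            kind = SENSITIVE_ATTRS[key]
            counters[kind] = counters.get(kind, 0) + 1
            forward[value] = f"<{kind}_{counters[kind]}>"
            reverse[forward[value]] = value
        return f"{key}={forward[value]}"

    return KV_RE.sub(repl, raw), reverse


def deanonymize(text: str, reverse: Dict[str, str]) -> str:
    """Restore original values in the model's reply (tokens are bracket-delimited,
    so <IP_1> is never a prefix of <IP_10>)."""
    for token, value in reverse.items():
        text = text.replace(token, value)
    return text


def analyze_round_trip(raw: str, model: Callable[[str], str]) -> str:
    """Full flow: the model only ever sees tokens; the user sees real values."""
    anon, reverse = anonymize(raw)
    return deanonymize(model(anon), reverse)
```

A free-text line such as "jdoe logged in from 10.1.1.1" contains no key=value pairs, so anonymize() returns it unchanged, which is exactly why manually pasted logs are not protected.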

Fortinet Advisor GUI Interface

Expand/Reduce Input Field Size

In the Input field, click the expand/reduce icon to increase/decrease the size of the input field.

Maximize/Minimize Fortinet Advisor Window

In the Fortinet Advisor window, in the upper right corner, click the window size icon to maximize/minimize the Fortinet Advisor window.