FortiAI

Overview

FortiAI is available by clicking the FortiAI icon in the upper right corner of the UI.

FortiAI can be invoked from the following places in the GUI:

  • Analytics > Search > Raw message column
  • Incidents > List By Time > <Select an Incident> > Action
  • Incidents > List By Time > <Select an Incident> > Incident Details > Trigger Events > Raw Message
  • Incidents > Risk > Entity <Drill down> > <Select an Incident> > Actions
  • Incidents > Risk > Entity <Drill down> > <Select an Incident> > Details > Trigger Events > Raw Message
  • Incidents > Investigation > <Select an Incident> > ...
  • Incidents > Investigation > <Select an Incident> > Events > Raw Message
  • Admin > Settings > Notification Policy > New Policy > Action

After the FortiAI icon has been clicked, a FortiAI window appears. In the Input field, enter your English language question, Security Operations Center (SOC) question, aggregation query, or raw message query, then press Enter or click the Send icon.

Answers to questions are drawn from the 7.2.2 product documentation and internal knowledge base articles.

FortiAI responds to the following Security Operations Center (SOC) queries:

  • Get FortiSIEM health - Retrieves the current health of the FortiSIEM nodes, including Supervisor, Worker, and Collector.
  • Get the latest known vulnerabilities - Retrieves the list of vulnerabilities in your environment that are known to FortiSIEM. To get this data, you must enable FortiSIEM to collect data from FortiClient/EMS or vulnerability scanners.
  • Get my FortiSIEM environment - Retrieves information on your FortiSIEM environment.
  • Get latest 10 high severity Incidents - Retrieves the ten most recent high severity incidents.
  • Get most frequent 10 Incidents - Retrieves the 10 most frequent incidents.
  • Get Top 10 risky users - Retrieves the 10 riskiest users.
  • Get Top 10 risky devices - Retrieves the 10 devices with the most security risk.

In the case of a report query, validated XML code is provided. You can push this code to the Analytics page by clicking the Action drop-down and selecting "Run on Analytics", which takes you to the Analytics page. There, click Run to run the provided report. Incident analysis provided by OpenAI/ChatGPT-4 can be added to Incident Comments.

After FortiAI has responded, an "Ask again" option is available from the Action drop-down in your previous inquiry dialog windows. "Ask again" pastes the original inquiry you sent into the FortiAI Input field so that you can modify it, or use it as a starting point to view other similar pre-selected questions (by pressing the UP key in the dialog window).

Use the following table to construct your query.

Notes

  • FortiAI can be configured by following the instructions here.
  • Press the UP key at any time to select from the pre-selected questions or reports based on the current input.

OpenAI Integration and Disclaimer

FortiAI lets you connect FortiSIEM to your own OpenAI account, using your own OpenAI license key. This integration will send data from your FortiSIEM to OpenAI and will show you responses from OpenAI. Fortinet does not verify or correct these responses and has no responsibility for them. OpenAI is operated by a third party, not Fortinet. You must exercise discretion and independently verify any information or recommendations you receive from OpenAI before relying on them.

Note: FortiAI uses GPT-3.5 Turbo and GPT-4. Your OpenAI API key must support access to these models.

How to ask FortiAI to Create a Report

Query Type: Aggregation Query

Construct: Create a report to show <list> where <constraint>, group them by <list>, order by <list>

Exact values have to be within single quotes.

Examples:

  • Create a report to show the source IP, destination IP and total number of events where the reporting device IP belongs to the Firewall device group and event type belongs to the Permitted network connections group, group them by source IP, destination IP, and only show results for total number of events greater than 100, order by the number of events in descending order.

  • Create a report to show the destination IP, destination country and total number of events where the reporting device IP belongs to the Firewall device group, source IP is '10.1.1.1' and event type belongs to the Permitted network connections group, group them by destination IP, destination country and only show results for total number of events greater than 100, order by the number of connections in descending order.

Query Type: Raw Message Query

Construct: Create a report to show <list> where <constraint>, order by <list>

Exact values have to be within single quotes.

Examples:

  • Create a report to show the event receive time, reporting device name, domain and user where event type is 'Win-Security-4624', order by event time in descending order.

  • Create a report to show the event receive time, reporting device name, domain and user where event type is Windows logon success, order by event time in descending order.

In the FortiAI window, in the upper right corner, click X to exit FortiAI at any time.

Anonymizing Sensitive Data

When you ask ChatGPT for log and Incident analysis using the FortiAI menu option, customer-specific information is anonymized before being sent to ChatGPT. The returned results are converted back to the original values before being displayed to the user. The same anonymization is performed when you invoke ChatGPT via an Automation policy.

Note: If you manually enter a log or Incident and ask ChatGPT to analyze it, the fields are *not* anonymized, because FortiSIEM does not parse the data on the fly. This method is not recommended.

The full list of anonymized event attributes is here.

A built-in report, FortiSIEM ChatGPT Queries, is provided. You can run this report to see which queries are sent to ChatGPT and how much each costs. The query result shows the sensitive fields being anonymized.
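The following is an added illustration of the anonymize-then-restore pattern described above; it is not FortiSIEM's own code, and the attribute names, the sensitive-attribute list and the sample event are constructed for the example. It works on an already-parsed event, which is why a log pasted in as raw text (which is never parsed) cannot be protected this way.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed sample of a parsed event (attribute name -> value); not a real record.
PARSED_EVENT = {
    "eventType": "Win-Security-4624",
    "reptDevName": "dc01.corp.example",
    "srcIpAddr": "10.1.1.1",
    "destIpAddr": "10.2.2.2",
    "user": "jdoe",
    "domain": "CORP",
}

# Attributes treated as customer-specific in this illustration (assumed list).
SENSITIVE_ATTRS = ("reptDevName", "srcIpAddr", "destIpAddr", "user", "domain")


def anonymize(event: Dict[str, str],
              sensitive=SENSITIVE_ATTRS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Replace each sensitive value with a placeholder token.

    Returns the anonymized event and a placeholder -> original mapping. The
    mapping never leaves the local system; it is only used to restore the answer.
    """
    mapping: Dict[str, str] = {}
    value_to_token: Dict[str, str] = {}
    out: Dict[str, str] = {}
    for attr, value in event.items():
        if attr in sensitive:
            # Same value -> same token, so the model still sees consistent entities.
            token = value_to_token.get(value)
            if token is None:
                token = f"<{attr.upper()}_{len(mapping) + 1}>"
                value_to_token[value] = token
                mapping[token] = value
            out[attr] = token
        else:
            out[attr] = value  # non-sensitive attributes (e.g. event type) pass through
    return out, mapping


def deanonymize(text: str, mapping: Dict[str, str]) -> str:
    """Substitute the original values back wherever the response uses a placeholder."""
    if not mapping:
        return text
    pattern = re.compile("|".join(re.escape(t) for t in mapping))
    return pattern.sub(lambda m: mapping[m.group(0)], text)


def analyze_with_anonymization(event: Dict[str, str],
                               ask_model: Callable[[Dict[str, str]], str]) -> Tuple[Dict[str, str], str]:
    """Send only the anonymized event to the model; restore values in its answer."""
    anon, mapping = anonymize(event)
    return anon, deanonymize(ask_model(anon), mapping)


def fake_model(anon_event: Dict[str, str]) -> str:
    # Stand-in for the remote model: echoes back the placeholders it was given.
    return f"Logon by {anon_event['user']} from {anon_event['srcIpAddr']} to {anon_event['reptDevName']}."
```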

FortiAI GUI Interface

Expand/Reduce Input Field Size

In the Input field, click the expand/reduce icon to increase/decrease the size of the input field.

Maximize/Minimize FortiAI Window

In the FortiAI window, in the upper right corner, click the window size icon to maximize/minimize the FortiAI window.