
FortiAI Revolutionizes Security Operations on FortiAnalyzer Cloud


The cybersecurity landscape is witnessing a paradigm shift with the integration of generative artificial intelligence into core security operations. Fortinet's latest innovation, FortiAI, represents a significant leap forward in this evolution, bringing sophisticated AI assistance directly into the FortiAnalyzer Cloud platform. This integration transforms the traditional log management and analysis tool into an intelligent security co-pilot, capable of understanding natural language queries, interpreting complex security events, and recommending actionable responses. As organizations grapple with increasingly sophisticated threats and a shortage of skilled security analysts, FortiAI emerges as a force multiplier, democratizing advanced security intelligence and accelerating threat investigation and response times across distributed networks.


Understanding FortiAnalyzer Cloud: The Foundational Platform

FortiAnalyzer Cloud serves as the centralized analytics and log management hub for the entire Fortinet Security Fabric, collecting, correlating, and analyzing logs from FortiGate firewalls, FortiClient endpoints, FortiWeb application security systems, and other Fortinet products. Operating as a fully-managed cloud service, it provides 24/7 monitoring by Fortinet professionals, automatic scaling, and cost-effective access to enterprise-grade security analytics. The platform converts raw telemetry data into intelligible visualizations, offers pre-built compliance reports for standards like PCI and HIPAA, and supports threat hunting with frameworks like MITRE ATT&CK.

The service is designed for simplicity and accessibility, requiring only an internet connection and a browser. Each FortiCloud account can provision one FortiAnalyzer Cloud instance, which can be launched from the FortiCloud portal. Its architecture supports both Analyzer and Collector modes, with the latter dedicated to high-volume log ingestion in distributed organizations, making it a versatile foundation upon which FortiAI builds its advanced capabilities.

FortiAI Integration: The Intelligent Layer

FortiAI is a generative AI security assistant that integrates seamlessly into the FortiAnalyzer Cloud user interface. It is not a standalone product but an intelligent feature that augments the analyst's workflow. According to Fortinet's roadmap, the initial release of FortiAI is integrated into FortiAnalyzer, FortiSIEM, and FortiSOAR, with plans to expand to other products.

The integration is available starting from FortiAnalyzer version 7.6 GA. Administrators can access the assistant in two ways:

  1. By clicking the FortiAI icon in the banner from any page in the graphical user interface (GUI).
  2. Through the dedicated FortiAI module in the FortiAnalyzer tree menu.

To activate this capability, a valid FortiAI license must first be registered on the user's FortiCloud account. Once registered, the subscription appears as a support contract within the FortiAnalyzer Cloud asset. Enabling the service is straightforward: users sign into FortiAnalyzer Cloud, click the FortiAI icon in the toolbar, and select "Enable FortiAI for Myself."

A notable licensing constraint is that a licensed FortiAI instance on a FortiAnalyzer can be accessed by a maximum of three local administrators. Access control is managed via the FortiAnalyzer CLI. Importantly, in a FortiAnalyzer Fabric configuration, FortiAI cannot be used on the Fabric supervisor node.

Core Capabilities and Features

FortiAI harnesses the power of large language models (LLMs), but crucially augments and refines the raw GenAI output with Fortinet's proprietary threat intelligence from FortiGuard Labs, deep product knowledge, and validated security use cases. This ensures the provided information is context-aware, accurate, and actionable for enterprise security environments.

Its capabilities are designed to streamline the entire SecOps lifecycle:

  • Natural Language Interaction: Analysts can use plain English (or one of 30 supported languages) to ask complex questions or give commands. For example, "Show me the top vulnerabilities affecting our endpoints this week" or "Create a report on lateral movement attempts."
  • Incident Investigation & Summarization: The AI can automatically interpret security events, generating a concise summary, explaining the potential impact, and outlining the attacker's tactics, techniques, and procedures (TTPs).
  • Actionable Remediation Guidance: Beyond analysis, FortiAI suggests concrete response actions, recommends relevant SOAR playbooks, and provides indicators for proactive threat hunting.
  • Operational Automation: It simplifies platform operations by translating natural language prompts into complex database queries, generating reports, or even helping to write event handler and correlation rules.

Licensing and Deployment Requirements

Using FortiAI on FortiAnalyzer Cloud is a licensed add-on service. The prerequisite is a base FortiAnalyzer Cloud subscription, which itself has specific licensing models:

Log source and license requirement (SKU example):

  • FortiGate Devices: FC-10-[FortiGate Model]-585-02-DD (Standard) or FC-10-[Model]-464-02-DD (with SOCaaS)
  • FortiEndpoint (EMS): Included in EMS license tiers (e.g., ZERO TRUST CONNECT, XDR). Entitled log rates scale from 50 MB/day to 20 GB/day based on user tier.
  • FortiWeb, FortiMail, FortiNDR: Requires an Additional Storage license (e.g., FC1-10-AZCLD-463-01-DD for +5 GB/day). This same SKU also enables logging from FortiClient and expands storage for FortiGate/FortiEndpoint logs.

Once the foundational FortiAnalyzer Cloud instance is deployed and licensed, the FortiAI add-on license must be purchased and registered on FortiCloud. The service will not be enabled without it.

Practical Use Cases for Security Teams

FortiAI transitions FortiAnalyzer from a reactive reporting tool to a proactive security partner. Practical applications include:

  • Accelerating Tier 1 Analysis: Junior analysts can query FortiAI to understand an alert's context, severity, and recommended first steps, reducing mean time to acknowledge (MTTA).
  • Threat Hunting with Natural Language: Instead of constructing complex SQL queries, hunters can ask, "Find all instances where a user account executed PowerShell shortly after a failed login."
  • Streamlined Compliance Reporting: Managers can quickly generate executive summaries or compliance status reports by instructing the AI, bypassing manual dashboard configuration.
  • Cross-Platform Investigation: By drawing on the unified data lake, FortiAI can correlate events across firewalls, endpoints, and web applications to trace an attack's path and scope.
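As an added illustration (not from the original article or from Fortinet), this is the kind of correlation query that the natural-language hunt "PowerShell shortly after a failed login" stands in for, run with Python's sqlite3 over a handful of constructed events; the table layout, event names and five-minute window are assumptions, not FortiAnalyzer's log schema.

```python
import sqlite3

# Constructed sample events, not real FortiAnalyzer logs: (timestamp, user, event).
# Timestamps use "YYYY-MM-DD HH:MM:SS" so they compare correctly with sqlite's datetime().
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", "alice", "login_failed"),
    ("2024-05-01 09:02:30", "alice", "process_start:powershell.exe"),
    ("2024-05-01 09:10:00", "bob",   "login_failed"),
    ("2024-05-01 10:30:00", "bob",   "process_start:powershell.exe"),
    ("2024-05-01 11:00:00", "carol", "process_start:powershell.exe"),
    ("2024-05-01 11:05:00", "dave",  "login_failed"),
    ("2024-05-01 11:06:00", "dave",  "login_success"),
]

# Self-join: for each failed login, look for a PowerShell start by the same user
# that happened after it and within the configured window.
QUERY = """
SELECT f.user, f.ts AS failed_login_ts, p.ts AS powershell_ts
FROM events f
JOIN events p
  ON p.user = f.user
 AND p.event = 'process_start:powershell.exe'
 AND p.ts > f.ts
 AND p.ts <= datetime(f.ts, '+' || ? || ' minutes')
WHERE f.event = 'login_failed'
ORDER BY f.user, f.ts
"""


def find_powershell_after_failed_login(events, window_minutes=5):
    """Return (user, failed_login_ts, powershell_ts) rows where the same user
    started PowerShell within window_minutes after a failed login."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, user TEXT, event TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", events)
    rows = conn.execute(QUERY, (window_minutes,)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for user, failed_ts, ps_ts in find_powershell_after_failed_login(SAMPLE_EVENTS):
        print(f"{user}: failed login at {failed_ts}, PowerShell at {ps_ts}")
```

Widening the window changes what counts as "shortly after": with the default five minutes only alice matches, while a two-hour window also pulls in bob.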

Frequently Asked Questions (FAQ)

Q1: What is the minimum FortiAnalyzer version required to use FortiAI? A: FortiAI integration is officially supported starting from FortiAnalyzer version 7.6 GA. This applies to both on-premises and cloud versions.

Q2: How do I enable FortiAI on my FortiAnalyzer Cloud instance? A: First, ensure a valid FortiAI license is registered to your FortiCloud account. Then, log into your FortiAnalyzer Cloud instance, click the FortiAI icon in the toolbar, and select "Enable FortiAI for Myself." The service will then be active.

Q3: Are my queries and data shared with FortiAI kept private? A: Yes. Fortinet states that sharing is limited to customer inputs, and FortiAI does not expose or provide access to customer log data or sensitive information to external models.

Q4: Can I use FortiAI to manage my firewall configurations? A: The FortiAI integration described here is specifically for FortiAnalyzer, focusing on log analysis, investigation, and reporting. For firewall configuration assistance, a separate FortiAI for FortiManager capability exists, which helps with scripting, vulnerability diagnostics, and network maintenance.

Q5: How many administrators can use FortiAI on a single license? A: A licensed FortiAI instance on a FortiAnalyzer supports access for up to a maximum of three local administrators. Administrator access must be configured via the FortiAnalyzer CLI.

Conclusion: The Future of Assisted Security Operations

The integration of FortiAI into FortiAnalyzer Cloud marks a decisive step toward more autonomous and intelligent security operations. By embedding a context-aware AI assistant directly into the analyst's workflow, Fortinet is reducing cognitive load, bridging the skills gap, and accelerating response times. FortiAI doesn't replace the security analyst; instead, it empowers them by making deep threat intelligence and complex data queries accessible through simple conversation. As this technology evolves, its expansion across the Fortinet Security Fabric promises a future where AI-driven insights become a standard, seamless layer of defense, enabling organizations to navigate the escalating complexity of the cyber threat landscape with greater confidence and efficiency.