Using FortiAI
The FortiAI assistant can be used to navigate the GUI and perform actions. It can also be used to answer questions and query data.
The FortiAI assistant is operated using prompts. You can use natural language to request actions or information from the FortiAI assistant. If you enter a prompt that the FortiAI assistant does not understand, it will ask for more details to clarify your request. Responses from the FortiAI assistant may also include suggestions and requests for you to consider. For example, after responding to a query for information, the FortiAI assistant may ask if you would like help performing a related action.
The FortiAI assistant's responses can include text, images, widgets, and data retrieved directly from your FortiAnalyzer environment.
Note: If you log out, close, or reload your session, you will not be able to continue your current thread with the FortiAI assistant. For example, you will not be able to reference a chart created by the FortiAI assistant in the current thread after reloading.
FortiAI capabilities
Capabilities of FortiAI in FortiAnalyzer can be categorized into the following areas:
| Category | Description |
|---|---|
| Incident detection | FortiAI can help to create event handlers and event handler rules for incident detection. The event handlers can be created automatically according to your prompts from any pane, and the rules are customized to your environment. FortiAI is capable of creating these event handlers using the SIEM database. For example, during log analysis, if you find a suspicious log and want to be informed of similar occurrences, you can send the following prompt to FortiAI: "Keep me updated with same log happening again." FortiAI will automatically help to create an event handler for this kind of log. |
| Incident investigation | FortiAI can help to gather relevant information from multiple places in the FortiAnalyzer GUI. In addition, FortiAI can provide the context for the information, such as the threat information and the affected assets. Using these queries, you can perform an interactive investigation with FortiAI by asking follow-up questions, refining queries for information, and exploring different aspects of the incident to discover correlations within a single thread. |
| Incident response | FortiAI is integrated with playbooks and connectors for incident response automation. FortiAI can also support post-incident reviews and compliance by generating detailed incident reports. Using these queries, you can collect many details related to the incident, including targeted endpoint information, event details, critical incident information, and the impact explanations. This information can be used to determine the root cause of the security threat and to initiate response measures. |
| Visibility and insights | FortiAI can generate custom charts and reports from the available log data. You can specify data sources and parameters, and choose the visualization type, through a guided process with FortiAI. |
For FortiAnalyzer product knowledge, FortiAI can respond to your prompts with smart summaries, including information about the product and instructions for use. For example, you can use the following prompts to gain insight:
- How can I set up an HA cluster in the GUI or CLI?
- What is the asset and identity center?
- How can I create a read-only user with restricted permission in the GUI or CLI?
While FortiAI cannot currently perform any of these actions on your behalf (creating an HA cluster or a read-only user), it will provide summaries and instructions according to your requests.
For performance monitoring, FortiAI can provide a summary of the FortiAnalyzer device, including overall performance details, storage utilization, and significant bottlenecks observed. For example, you can use the following prompts to gain insight:
- How is my FAZ performing?
- What is the current performance status of FortiAnalyzer?
FortiAI uses by pane
The table below provides a brief summary of the actions that can be performed with FortiAI in select FortiAnalyzer panes:
| Pane | Description |
|---|---|
| Device Manager | FortiAI currently cannot navigate to or perform actions in Device Manager. FortiAI can guide you through actions in Device Manager, if needed. |
| FortiView | FortiAI can navigate to some FortiView panes, such as FortiView > Threats > Top Threats. In these panes, FortiAI can apply filters and create event handlers based on the results. You can use FortiAI to analyze the logs in these panes as well. FortiAI can navigate to the following FortiView panes: Top Threats, Top Source, Top Destination, Top Country, Top Policy Hit, Top Applications, and Top Website Domains. |
| Log View | FortiAI can navigate to Log View and apply filters. FortiAI can analyze the logs to provide insights, render charts to visualize the log data, and create reports based on the logs for further analysis. You can make follow-up queries to gain further insights about the filtered information, as needed. FortiAI also supports incident response from the Log View pane. You can use FortiAI to view logs related to a specific event or incident, and you can take action with FortiAI to quarantine compromised endpoints. FortiAI can navigate to Log View > Threat Hunting and apply filters. In addition, FortiAI can provide an analysis of the related logs in this pane. |
| Fabric View | FortiAI currently cannot navigate to or perform actions in Fabric View. FortiAI can guide you through actions in Fabric View, if needed. |
| Incidents & Events | FortiAI can navigate to Event Handlers and create event handlers according to your prompts. Note that these event handlers can also be created when using FortiAI to filter FortiView and Log View. FortiAI can also navigate to Event Monitor and apply filters; FortiAI can create event handlers using these filters as well. FortiAI can navigate to Incidents. You can use FortiAI to provide a list of incidents, and to create and save incident reports. FortiAI can display an event summary from any pane in the GUI. |
| Reports | FortiAI currently cannot navigate to Reports; however, you can use FortiAI to render charts from Log View. These charts can be saved for future reference or used to create event handlers. |
| System Settings | FortiAI currently cannot navigate to or perform actions in System Settings. FortiAI can guide you through actions in System Settings, if needed. |
In addition to the actions described in the table above, FortiAI can also perform certain actions in any pane. For example, FortiAI can perform the following actions from anywhere in the GUI:
- Perform security reputation checks on suspicious IPs, domains, and URLs.
- Gather system process information for investigation purposes.
- Provide analysis and recommendations for data filtered or gathered in a FortiAI thread.
- Create event handlers.
For examples of FortiAI being used in FortiAnalyzer, see FortiAI example tasks.
FortiAI prompts
When using FortiAI, your prompts should be directly related to the information the assistant is programmed to access, enabling efficient and effective data retrieval.
A valid prompt is a clear, well-defined question that the FortiAI assistant can easily interpret and process. It should be specific and relevant to the data or queries the FortiAI assistant is designed to handle. A valid prompt can be translated into precise SQL queries to retrieve accurate results.
Examples of valid prompts:
- Can you provide a summary of the latest security incidents detected?
- Could you assist in identifying any anomalies in our network traffic?
- Is there any unusual behavior observed from specific user accounts we should investigate?
- Are there any known exploits or vulnerabilities that we need to remediate immediately?
- Is there any unusual outbound network traffic that could indicate data exfiltration?
An invalid prompt is one that cannot be easily interpreted or processed by the FortiAI assistant. This typically includes prompts that are ambiguous, lack sufficient detail, or are outside the scope of the FortiAI assistant’s capabilities.
Examples of invalid prompts:
- "How many attacks will I receive tomorrow based on past trends?" This prompt is asking for information that requires FortiAI to make assumptions. Instead, consider prompting for an analysis of the current trends, and then following up to determine possible next steps to mitigate attacks according to those trends.
- "Give me a report of PCI compliance for my infrastructure." This prompt is too vague and FortiAI will likely ask for clarification, requiring more tokens. Instead, consider making the initial prompt more specific by including the related logs, devices, and/or a timeline. For more suggested best practices regarding tokens, see FortiAI tokens.
Note: The above examples use full sentences. However, in general, using more text means using more tokens. To use tokens more efficiently, keep your prompts concise. For more information about tokens, see FortiAI tokens.
The FortiAI pane
The FortiAI assistant pane includes the following:
| Section | Description |
|---|---|
| Toolbar | Click an icon to perform the related action or open the related dialog. |
| Toolbar: Restart Thread | Restart the FortiAI chat thread. |
| Toolbar: Download Chat History | Download the current chat thread in HTML or PNG format. |
| Toolbar: Close | Close the FortiAI pane. This does not clear the current thread. You can continue the chat thread by re-opening the FortiAI assistant in the same session. |
| Thread | Displays your prompts and the FortiAI assistant’s responses for the current thread. At the bottom of responses from the FortiAI assistant, click the help icon to display the function callback results. |
| Prompt | Enter a prompt for the FortiAI assistant, and then click send. Alternatively, you can click the microphone icon to speak a prompt for the FortiAI assistant. When available, suggested prompts display above the text box. You can click these suggestions to prompt the FortiAI assistant. |
| Monthly token usage | Displays the percentage of monthly tokens used for the current month. For more information, see FortiAI tokens. |