Fortinet FortiAnalyzer FortiAI Subscription Add-on

Save $117.68
Fortinet SKU: FC-10-L150G-1118-02-12

Price:
Sale price: $1,692.77 (Regular price: $1,810.45)

GST not included.

Description

Fortinet FortiAnalyzer FortiAI Subscription Add-On:

FortiAnalyzer FortiAI is a subscription add-on that embeds Generative AI assistance inside FortiAnalyzer to help security teams investigate, triage, and respond to threats faster. It uses large language models (LLMs) to translate high-volume security telemetry into clear, actionable insights, enabling analysts to move from "alert" to "decision" with fewer manual steps. FortiAI is designed to complement FortiAnalyzer's SIEM and SOAR functions by accelerating analysis, improving consistency in investigations, and reducing the workload on SOC staff.

FortiAI is available for FortiAnalyzer on-prem appliances, FortiAnalyzer VM, and FortiAnalyzer Cloud. Subscription tiers align to your licensed ingestion volume (GB/day), and token top-ups can be added when additional consumption is required.

What it does:

FortiAI provides interactive, AI-powered assistance for common SOC tasks, such as:

  • Interpreting alerts and detections in plain language
  • Summarising relevant logs and highlighting key indicators
  • Assisting incident triage and prioritisation decisions
  • Supporting investigations by connecting related events and entities
  • Providing guided recommendations for containment and response actions
  • Accelerating report writing and executive-ready summaries based on evidence in FortiAnalyzer

Key capabilities

1) AI-assisted SOC analysis and investigation

  • Converts complex security events into understandable narratives (what happened, what it means, what to do next)
  • Helps identify suspicious patterns, likely attack stages, and relevant evidence across logs and events
  • Supports faster pivoting by suggesting related entities (IPs, users, hosts, hashes, domains) and what to check next

2) Triage acceleration and alert context

  • Assists in prioritising alerts by summarising severity drivers and likely business impact
  • Helps reduce analyst fatigue by quickly providing context and "so what" explanations from correlated data
  • Improves decision speed when handling large numbers of detections

3) Operational guidance for response

  • Provides step-by-step guidance for investigation and response workflows (aligned to how SOC teams operate)
  • Helps structure containment decisions (block IP, isolate endpoint, disable account, notify teams) in a consistent manner
  • Works alongside FortiAnalyzer automation and playbooks to speed up end-to-end response

4) Reporting and communication support

  • Produces incident summaries suitable for internal stakeholders and executives
  • Helps draft operational notes for ticketing systems and handovers between analysts
  • Supports compliance-style explanations by tying outcomes back to evidence in logs and dashboards

5) Flexible consumption model

  • FortiAI service tiers are matched to the FortiAnalyzer ingestion tier (GB/day) so the AI service scales with the environment
  • Token top-up licensing supports burst usage during investigations, incident spikes, or major events

Use cases

Security Operations (SOC)

Threat detection support

  • Interpret detection outputs (correlation rules, anomaly findings, AI/ML detections)
  • Summarise why a detection fired and what evidence supports it
  • Identify likely attack chain elements based on observed telemetry

Alert triage

  • Rapidly summarise "what's important" across related logs and events
  • Provide clear recommended next steps for validation or escalation
  • Reduce time spent manually stitching together context from multiple views

Incident investigation

  • Build an incident storyline and timeline from available evidence
  • Accelerate scoping by identifying impacted users/hosts and related indicators
  • Assist analysts in explaining the attack path and how the event evolved

Response and coordination

  • Support containment decisions by suggesting appropriate response actions
  • Provide ready-to-share investigation summaries for incident bridges and tickets
  • Reduce back-and-forth between SOC and IT teams by improving clarity of findings

Threat intelligence-driven analysis

  • Make it easier to operationalise indicators (IOCs) by explaining relevance and potential impact
  • Help analysts apply threat intel context during investigations and triage

Network Operations (NOC) and IT Operations

Log analytics and troubleshooting

  • Summarise abnormal behaviour across network logs and application events
  • Speed up root-cause discovery by pointing analysts to the most relevant signals
  • Help translate raw logs into operator-friendly observations for escalations

Audit and compliance support

  • Assist with producing evidence-based summaries for audit readiness and reporting
  • Reduce time required to explain events, access patterns, and enforcement actions

View data sheet: FortiAnalyzer Ordering Guide