What is our primary use case?
We use Fortinet FortiSIEM for storage of security information and analysis, as well as for alerts from the 50-60 services that we have. All of our webs are linked to FortiSIEM. It's a form of SOC tool and data is used for identifying trends and what's happening around the networks. We're customers and end-to-end users when it comes to FortiSIEM, but for other Fortinet products we're either partners or a value-added reseller. I'm the principal cloud architect in our company.
What is most valuable?
I think the most valuable feature is the easy alert setup, it's very important. It's quite simple to use and enables us to have different alerts in different categories. SOC is able to see all the red alerts, it's impossible to miss them. It's a good tool for analysis and for SOC. We upload all network detection tools that support FortiSIEM and can investigate for different alerts or vulnerabilities. A great feature is that you can use Python scripting for data stack. It's great for devices that don't generate a genuine local source of information.
What needs improvement?
This solution is not very good on non-API features and lacks that functionality. We've raised multiple tickets to Fortinet about this and they are pending there. The product development hasn't been fast enough to ensure it can function on the cloud. It's excellent when you download and get the security locks but in areas like Microsoft 365, you have to fetch the security access using APIs and they don't update quickly enough. If Microsoft announces a new service today, we have to wait at least six months before FortiSIEM start supporting it. It's crucial that the API support is updated, for now FortiSIEM lacks functionality compared to its competitors.
For how long have I used the solution?
What do I think about the stability of the solution?
It's a very reliable solution, we haven't had any outages during the last year and we're using it a lot. We have over 40 people using it 24/7.
What do I think about the scalability of the solution?
This solution is not very scalable if you have a lot of security events; it's focused more around smaller companies. We've become too big for it with 48,000 devices which we are monitoring and we had to create another instance and split things. It's not perfect because it requires purchase of a second license. We use the solution all the time.
How are customer service and technical support?
Fortinet support is very fast. If I need to ask something, I'll get a response within a couple of hours.
How was the initial setup?
The initial setup was quite straightforward. They have good documentation and once we deployed, there were only a couple of times where we needed a little bit of support because there were delayed reactions.
What's my experience with pricing, setup cost, and licensing?
The licensing is on an annual basis and calculated on the set up number. Of course, the licensing cost could be less but it's not too bad and is quite nicely priced. With Centreon or Splunk you just pay for the use but if we compare the cost of FortiSIEM with Splunk, it's less than half the price.
Which other solutions did I evaluate?
We took a look at IBM QRadar, which was the main competitor, and we also looked at Splunk. Splunk lost out quickly because of the cost and we ended up going with Fortinet because it was much easier to manage and implement things than QRadar and it has the Python scripting.
What other advice do I have?
If your use case suits this solution, I would recommend it. If you are a professional operator and you're into pre-investing, and not just paying per use, then FortiSIEM is one of the best options you can have.
I rate this product an eight out of 10.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?