How Packet-Derived Telemetry Feeds the Zero Trust Architecture NIST Defines
Network Copilot is presented as an agentic assistant that ingests MELT telemetry from FortiGate firewalls into Splunk, then correlates current and historical data to answer operator questions with explainable root-cause analysis. The approach targets manual log correlation bottlenecks that slow L1/L2 troubleshooting.
Research Overview
The paper describes an implementation that collects metrics, events, logs, and traces (MELT) from FortiGate and forwards that information to Splunk for centralized indexing. An intelligent agent queries Splunk in real time to correlate events and respond to questions with context.
It also states the platform can store telemetry in an internal database for historical analysis and that responses can draw from both Splunk and platform-native data sources. The workflow is positioned as an AI operational assistant for NetOps and security teams handling heterogeneous telemetry.
Key Findings
The deployment is described as reducing complexity and mean-time-to-resolution (MTTR) for L1/L2 teams by providing explainable, context-aware answers in natural language. The paper contrasts this with dashboards and static analytics by emphasizing cross-system correlation.
It describes NCP as operating on an agentic model that parses configurations and logs across firewall, SIEM, and network device sources to perform rapid root-cause analysis. It also states the responses are not “black-box answers.”
Technical Breakdown
The architecture supports log ingestion and normalization across heterogeneous sources, followed by cross-domain correlation across firewall, network, system, and application domains. It includes natural-language interaction examples such as asking why a user is blocked.
The paper describes explainable root-cause analysis and guided remediation “without risky auto-fixes.” It also includes a sample FortiGate event showing a configuration change to a firewall policy name and other sample logs used in troubleshooting scenarios.
Operational Impact
The reference deployment model uses a FortiGate configuration inline with live traffic, then exports generated traffic, authentication, threat, system, and configuration logs to Splunk for ingestion into Network Copilot. Operators are described as interacting with NCP using plain English while NCP correlates live and historical telemetry.
Three day-to-day use cases illustrate the workflow: identifying configuration changes in the last 24 hours, explaining why a user cannot connect to FortiGate based on failed login events, and explaining why a user cannot access the internet by using traffic denies such as “Denied by implicit policy.” Each scenario includes expected outcomes and test steps for validating Splunk ingestion and response quality.
The guide frames Network Copilot as a practical agentic approach for correlating firewall and Splunk-sourced telemetry into explainable, context-aware responses that support faster L1/L2 troubleshooting. This Blog Signals brief is a fact-based summary of the vendor blog.