Forescout is a platform that provides continuous security monitoring and mitigation. It allows IT organizations to efficiently address numerous access, endpoint compliance and threat management challenges even within today’s complex, dynamic and expansive enterprise networks. Taking advantage of next-gen network access control (NAC) capabilities, the Forescout platform delivers both real-time intelligence and policy-based control to preempt threats and remediate problems while preserving business productivity. The Forescout platform integrates with your network, security and identity infrastructure to assure the right users and their devices gain appropriate access. Offering a range of built-in policy templates, the Forescout platform can flexibly manage employee and guest access in a way that is secure and seamless while providing organizations a quick and easy way to enforce Bring Your Own Device (BYOD) policy.
The Forescout platform automatically discovers, classifies and applies policies for users, devices, systems and applications on your network, helping minimize your security risks. Because the Forescout platform is agentless, it works with your endpoints – managed and unmanaged, known and unknown, PC and mobile security, embedded and virtual. With the Forescout platform, you can identify security gaps that may otherwise go undetected by your existing agent-based security systems.
Zotero is a powerful, easy-to-use research tool that helps you gather, organize, and analyze sources and then share the results of your research. ForeScout CounterACT is an automated security control platform that delivers real-time visibility and control of all devices on your network. ForeScout CounterACT automatically identifies who and what is on your network, controls access to your network resources, measures compliance with your security policies, blocks network threats, and remediates endpoint security violations when they occur. ForeScout offers Global 2000 enterprises and government organizations the unique ability to see devices, including non-traditional devices, the instant they connect to the network. Equally important, ForeScout lets you control these devices and orchestrate information sharing and operation among disparate security tools to accelerate incident.
The Forescout platform works with your existing infrastructure via the ControlFabric™ architecture. This set of integration technologies enables the Forescout platform and other IT solutions to exchange information, enhance control context, and efficiently mitigate a wide variety of network, security and operational issues. As a result, you can achieve continuous monitoring and mitigation capabilities that better leverage your infrastructure investments and optimize your IT resources.
Network Access Control
The Forescout platform lets employees, guests and contractors quickly connect, comply and get to appropriate network access, while at the same time providing operations rich device and network access visibility. The Forescout platform offers extensive guest registration options so you can tailor the admission process to suit your organization’s needs. Once registered and admitted, the Forescout platform can limit the user’s access to just the Internet or to specified network resources.
Endpoint Compliance
The Forescout platform automatically enforces security policies for everyone and everything on your network, which helps you minimize your security risks. Because the Forescout platform is agentless, it works with all types of endpoints—managed and unmanaged, known and unknown, physical and virtual. The Forescout platform can discover security weaknesses with your existing agent-based security systems that would otherwise go undetected. When the Forescout platform discovers a security problem, it can automatically fix the problem, or it can leverage your existing remediation or helpdesk systems.
Threat Prevention
The Forescout platform blocks both known and unknown attacks with 100% accuracy by continuously monitoring network devices for evidence of threatening behavior. Our patented ActiveResponse™ technology does not suffer from false positives so you can confidently deploy the Forescout platform's threat prevention system in full blocking mode. Since ActiveResponse does not require signature updates, it’s maintenance free and can ensure that your network is always protected from zero-day attacks, propagating infections and malicious attacks.
Works with What You Have
The Forescout platform works with the majority of popular switches, routers, firewalls, endpoints, patch management systems, antivirus systems, directories, ticketing systems that you already have. We require no infrastructure changes or equipment upgrades.
Agentless
The Forescout platform can identify, classify, authenticate and control network access of both managed and unmanaged (BYOD) endpoints without any help from agents or any kind of preconfigured endpoint software. Deep endpoint inspection can also be done without an agent as long as the Forescout platform has administrative credentials on the endpoint. In situations where the Forescout platform does not have administrative credentials (e.g. BYOD), deep inspection can be performed with the help of our optional SecureConnector agent.
Non-disruptive
Unlike conventional NAC products that immediately disrupt users with heavy-handed access controls, the Forescout platform can be deployed seamlessly without impacting any users or devices. Furthermore, our solution can easily be implemented in a phased approach to minimize disruption and accelerates results. In the initial phase, the Forescout platform gives you visibility to your trouble spots. When you want to move forward with automated control, you can do so gradually, starting with the most problematic locations and choosing an appropriate enforcement action.
Open Interoperability
Unlike infrastructure vendors which offer minor interoperability and modest third-party coverage, the Forescout paltform offers extensive third-party vendor interoperability and an open integration architecture.
Accelerated Results
The Forescout platform provides useful results in days by giving you real-time visibility to assets and security issues on your network. The built-in knowledge base helps you configure security policies quickly and accurately.
Forescout is Unified device visibility and control platform for IT and OT security.
Read this section and perform all necessary steps before you configure an integration instance.
Forescout Module Requirements
Before you can use this integration in Demisto, you need to enable certain modules in your Forescout environment.
- In the Forescout console, from the navigation bar select Tools > Options .
- In the dialog that appears, from the categories section on the left, click Modules .
- In the main area of the dialog, from the drop-down menu, select Open Integration Module . Make sure that the integration module and the following submodules are installed and enabled: Data Exchange (DEX) and Web API are all installed and enabled. If they aren't, install and enable them.
Configuration Parameters
url
This is the network address of the Forescout Enterprise Manager or standalone Appliance. (The host on which the the Forescout Appliance is hosted.) For example, if the Forescout Appliance is hosted at the IP address 192.168.10.23 , then you enter https://192.168.10.23 .
Web API Username and Password
The credentials entered here should be those created in the Forescout console for the Web API .
- In the Forescout console, from the top navigation bar, click Tools > Options .
- From the dialog that appears, in the categories section on the left, click Web API , and select User Settings .
- Create a username and password by clicking the Add button, and completing the fields. These are the credentials that you will enter when configuring the Demisto-Forescout integration: Web API Username and Password .
- Select Client IPs towards the top of the main area of the dialog, next to User Settings .
- Add the IP address where your Demisto instance is hosted or allow requests from all IP addresses to make sure that requests made by the Demisto-Forescout integration will be permitted.
- Click the Apply button to save the changes you made.
Data Exchange (DEX) Username and Password
The credentials entered here should be those created in the Forescout console for Data Exchange (DEX) .
- In the Forescout console, from the top navigation bar, click Tools > Options .
- From the dialog that appears, in the categories section on the left, click Data Exchange (DEX) .
- Select CounterACT Web Service > Accounts .
- Create a username and password by clicking the Add button, and completing the fields. Note : The value you entered for the Name field in the account-creation pop-up window is the value that you should enter for the Data Exchange (DEX) Account configuration parameter.
- Click the Apply button to save the changes you made.
The username and password entered in the account-creation dialog are the credentials that you will enter when configuring the Demisto-Forescout integration: Data Exchange (DEX) Username and Password .
Data Exchange (DEX) Account
The Data Exchange (DEX) credentials Name field. This can be found by navigating to Tools > Options > Data Exchange (DEX) > CounterACT Web Service > Accounts .
Important Usage Notes
This integration allows the user to update host properties and Forescout Lists. To create Forescout properties, which can then be updated using the Demisto-Forescout integration, from the Forescout console, navigate to Tools > Options > Data Exchange (DEX) > CounterACT Web Console > Properties . This is where you create new properties. Make sure to associate the properties with the account you created, and which you used in the configuration parameters of the Forescout integration in Demisto. Lists must also be defined and created in the Forescout console before you can update them using the Demisto-Forescout integration. For more information, reference the Defining and Managing Lists section in the Forescout Administration Guide .
- Navigate to Settings > Integrations > Servers & Services .
- Search for Forescout.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- The network address of the Forescout Enterprise Manager or
standalone Appliance, e.g. ‘ https://10.0.0.8 ’. #disable-secrets-detection - Web API Username (see Detailed Instructions (?))
- Data Exchange (DEX) Username (see Detailed Instructions (?))
- Data Exchange (DEX) Account (see Detailed Instructions (?))
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| rule_ids | Filter hosts by those selected by policies or policy sub-rules. Policies and/or rules should be specified by their IDs. To find policy and rule IDs by which you can filter, run the forescout-get-policies command. If multiple policy and/or rule IDs are entered, only hosts that are selected by all of the policies and/or rules specified will be returned. Multiple policy or rule IDs should be separated by a comma. | Optional |
| fields | Filter hosts based on host field values. Enter fields with their associated values in the following format, ‘{field_1}={val_1}&{field_2}={val_2} … &{field_n}={val_n}’ where ‘{field_1}’ through ‘{field_n}’ are replaced by actual field names and ‘{val_1}’ through ‘{val_n}’ are replaced by the desired matching values. Note that a list field may be specified with the values separated by commas. Only hosts whose properties match all the specified values will be returned. For a list of potential host fields that may be specified, try executing the ‘forescout-get-hostfields’ command. A composite property may also be specified. If entered in the format where all the field-value pairs are in a single set of square brackets, for example, ‘{composite_prop}=[{field_1},{val_1},…,{field_n},{val_n}]’ then only hosts for which the specified composite property’s fields all match the values entered will be returned. If entered in the format, ‘{composite_prop}=[{field_1},{val}_1],…,[{field_n},{val_n}]’ where each field-value pair is enclosed in its own set of brackets, then hosts for which the composite property contains any of the field-values specified will be returned. Note that for composite properties, sub-fields should be entered as their internal representation in Forescout. To find internal representation for a composite property’s sub-fields try executing ‘forescout-get-host’ command with the host specified in the ‘identifier’ argument and the name of the composite property entered in the ‘fields’ argument of the command. | Optional |
| Path | Type | Description |
|---|---|---|
| Forescout.Host.ID | Number | Forescout ID for the host. |
| Forescout.Host.IPAddress | String | IP Address of the host. |
| Forescout.Host.MACAddress | String | MAC Address of the host. |
| Endpoint.IPAddress | String | IP Address of the host. |
| Endpoint.MACAddress | String | MAC Address of the host. |
Active Endpoints
| ID | IPAddress | MACAddress |
|---|---|---|
| 3232235820 | 192.168.1.44 | 000c29e9e452 |
| 3232235901 | 192.168.1.125 | 000c297cc5ae |
| 3232235828 | 192.168.1.52 | 005056a1ad60 |
| 3232235895 | 192.168.1.119 | 000c29497e4e |
| 3232235784 | 192.168.1.8 | 000000000000 |
| 3232235777 | 192.168.1.1 | |
| 3232235807 | 192.168.1.31 | 005056b1488d |
| 3232235793 | 192.168.1.17 | 005056b1a93f |
| 3232235988 | 192.168.1.212 |
Retrieves an index of Forescout host fields that match the specified criteria.
forescout-get-host-fields
| Argument Name | Description | Required |
|---|---|---|
| search_in | Each host field has three searchable parts, the ‘name’, ‘label’, and ‘description’. By default only the ‘name’ will be searched. If you want to expand the search to include the description, you would enter ‘name,description’ for this argument. | Optional |
| case_sensitive | Determines whether to match the case of the entered search term. | Optional |
| match_exactly | Determines whether the search term is matched against the entirety of the potential host field instead of just seeing whether the host field contains the search term. | Optional |
| search_term | The term to filter host fields by. By default, the search will be case insensitive and checked to see if a host field contains the search term unless otherwise specified in the ‘case_sensitive’ and ‘match_exactly’ arguments respectively. | Optional |
| host_field_type | Limit the search to host fields whose values are of a certain type. For example, to limit the search to host properties whose values are either boolean, ip or a date enter ‘boolean,ip,date’. | Optional |
What Is Forescout Secure Connector
| Path | Type | Description |
|---|---|---|
| Forescout.HostField | Unknown | List index of host properties. |
Index of Host Fields
| Label | Name | Description | Type |
|---|---|---|---|
| NetBIOS Hostname | nbthost | Indicates the NetBIOS hostname of the host. | string |
| DNS Name | hostname | Indicates the DNS name of the host. | string |
| EC2 Public DNS | aws_instance_public_dns | The public hostname of the EC2 instance, which resolves to the public IP address or Elastic IP address of the instance. | string |
| DHCP Hostname | dhcp_hostname | The device Host Name as advertised by DHCP | string |
| Linux Hostname | linux_hostname | Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. | string |
| Macintosh Hostname | mac_hostname | Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. | string |
| Switch Hostname | sw_hostname | The switch name as defined in the switch | string |
| WiFi End Point Hostname | wifi_end_point_host_name | string | |
| Virtual Machine Guest Hostname | vmware_guest_host | Indicates the hostname of the guest operating system. VMware Tools must be running on the endpoint to resolve this property. | string |
| VMware ESXi Server Name | vmware_esxi_hostname | Indicates the hostname of the ESXi server. | string |
| WLAN Client Username | wifi_client_hostname | Indicates the user name of the client. | string |
Forescout Secure Connect
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| fields | List of host properties to include in the output for the targeted endpoint. If a specified host property is not found, the property is omitted from the outputs. For a list of potential host properties that may be specified, try executing the ‘forescout-get-host-fields’ command. Requested fields should be comma separated. | Optional |
| ip | IP (ipv4) of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
| mac | MAC address of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
| id | Forescout ID of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
| Path | Type | Description |
|---|---|---|
| Forescout.Host.MatchedFingerprint | Unknown | An endpoint may match multiple profiles. This property indicates all the classification profiles that this endpoint matches. |
| Forescout.Host.EngineSeenPacket | String | Indicates the host was seen by CounterACT. |
| Forescout.Host.Online | String | Host is online. |
| Forescout.Host.PrimClassification | String | Indicates the most specific endpoint function detected. If CounterACT detects multiple endpoint functions, the property is resolved as the most specific value that is common to all the detected functions. If there is no common value, the property is resolved as ‘Multiple Suggestions’. |
| Forescout.Host.MacVendorString | String | Indicates a value associated with the NIC Vendor |
| Forescout.Host.SambaOpenPort | String | NetBIOS ports are open |
| Forescout.Host.UserDefFp | String | Indicates the operating system of the endpoint, as determined by classification tools. |
| Forescout.Host.Vendor | String | Network Device Vendor, Type and Model |
| Forescout.Host.AgentVersion | String | Indicates the SecureConnector version installed on a Windows host. |
| Forescout.Host.Fingerprint | String | Passive OS detection based on Syn packets |
| Forescout.Host.AccessIP | String | Indicates the last IP that was investigated for this host |
| Forescout.Host.VendorClassification | String | Indicates the most specific vendor and model detected. |
| Forescout.Host.ManageAgent | String | Indicates if the host is running SecureConnector. |
| Forescout.Host.Onsite | String | Indicates that a host is connected to the organizational network |
| Forescout.Host.MacPrefix32 | String | MAC prefix |
| Forescout.Host.VaNetfunc | String | Reported CDP VoIP device description for VA netfunc |
| Forescout.Host.NmapDefFp7 | String | Nmap-OS Fingerprint(Ver. 7.01) |
| Forescout.Host.NmapDefFp5 | String | Nmap-OS Fingerprint(Ver. 5.3) |
| Forescout.Host.AgentInstallMode | String | Indicates the SecureConnector deployment mode installed on the host. |
| Forescout.Host.NmapFp7 | String | Nmap-OS Class(Ver. 7.01) (Obsolete) |
| Forescout.Host.ClType | String | Indicates how CounterACT determines the Network Function property of the endpoint. |
| Forescout.Host.ClRule | String | Indicates the rule responsible for classifying the host |
| Forescout.Host.AgentVisibleMode | String | Indicates the SecureConnector visible mode installed on the host. |
| Forescout.Host.OSClassification | String | Operating System |
| Forescout.Host.ClassificationSourceOS | String | Indicates how the Operating System classification property was determined for this endpoint. |
| Forescout.Host.LastNbtReportTime | String | Last time when NBT name was reported |
| Forescout.Host.Misc | String | Miscellaneous |
| Forescout.Host.ClassificationSourceFunc | String | Indicates how the Function classification property was determined for this endpoint. |
| Forescout.Host.NmapNetfunc7 | String | Nmap-Network Function(Ver. 7.01) |
| Forescout.Host.MAC | Unknown | ARP Spoofing (Obsolete) |
| Forescout.Host.OpenPort | Unknown | Open Ports |
| Forescout.Host.GstSignedInStat | String | Logged In Status |
| Forescout.Host.DhcpClass | String | The device class according to the DHCP fingerprint |
| Forescout.Host.ADM | String | Admission Events. |
| Forescout.Host.DhcpReqFingerprint | String | The host DHCP request fingerprint |
| Forescout.Host.DhcpOptFingerprint | String | The host DHCP options fingerprint |
| Forescout.Host.Ipv4ReportTime | String | Indicates the last time that IPv4 reported to the infrastructure |
| Forescout.Host.DhcpOS | String | The device OS according to the DHCP fingerprint |
| Forescout.Host.DhcpHostname | String | The device Host Name as advertised by DHCP |
| Forescout.Host.IPAddress | String | Host IP address |
| Forescout.Host.MACAddress | String | Host MAC address |
| Forescout.Host.ID | Number | Forescout ID number for the host |
| Endpoint.IPAddress | String | IP Address of the host. |
| Endpoint.MACAddress | String | MAC Address of the host. |
| Endpoint.DHCPServer | String | Endpoint DHCP Server. |
| Endpoint.Hostname | String | Hostname of the endpoint. |
| Endpoint.OS | String | Endpoint Operating System. |
| Endpoint.Model | String | Vendor and Model of the endpoint. |
| Endpoint.Domain | String | Domain of the endpoint. |
Endpoint Details for IP=192.168.1.212
4. Get a list of policies
Retrieves a list of all policies defined in the Forescout platform and
their sub-rules.
forescout-get-policies
There are no input arguments for this command.
| Path | Type | Description |
|---|---|---|
| Forescout.Policy.ID | String | Forescout ID for the policy. |
| Forescout.Policy.Name | String | Forescout name of the policy. |
| Forescout.Policy.Description | String | Description of the policy. |
| Forescout.Policy.Rule | Unknown | List of rules that make up the policy. |
Forescout Policies
| ID | Name | Description | Rule |
|---|---|---|---|
| 2101168655015691125 | Primary Classification | ID: -1203369125012565008, Name: CounterACT Devices, Description: , ID: -5021668745466479821, Name: NAT Devices, Description: When a device is NAT, its other classifications may be inaccurate. Therefore, we put the NAT detection first., ID: -275357014618763061, Name: Printers, Description: , ID: 4202614624411873493, Name: VoIP Devices, Description: , ID: 195929949297431248, Name: Networking Equipment, Description: , ID: -6750955562195414496, Name: Storage, Description: , ID: -6030907744367556977, Name: Windows, Description: , ID: 2278199708439440583, Name: Macintosh, Description: , ID: -7562731206926229799, Name: LinuxUnix, Description: , ID: 4030118542035508409, Name: Mobile Devices, Description: , ID: 168049340370707647, Name: Approved Misc Devices, Description: , ID: 8701509617393717735, Name: Multiple Profile Matches, Description: Endpoints matching this sub-rule could not have either their Function or Operating System determined due to conflicting profile matches.nnInvestigate the devices in this sub-rule and either manually classify them or build additional sub-rules to classify them based on patterns you observe. View the values Suggested Function and Suggested Operating System properties to discover the conflicting profile matches., ID: -642863379250182254, Name: Other Known Function, Description: , ID: -4200038946418694277, Name: Other Known Operating System, Description: , ID: 150826048313755731, Name: Other Known Vendor, Description: , ID: -8959326502596556700, Name: Unclassified, Description: | |
| -7733328397206852516 | Corporate/Guest Control | ID: 2240420499151482925, Name: Corporate Hosts, Description: , ID: 1248354759835029874, Name: Signed-in Guests, Description: , ID: 9151906460028315616, Name: Guest Hosts, Description: | |
| -4928940807449738209 | Antivirus Compliance | ID: 7661917523791823306, Name: Not Manageable, Description: Optional step: Make Windows machines managable by installing the Secure Connector, ID: -2012169476997908764, Name: AV Not Installed, Description: Antivirus is not installed., ID: 8013197435392890209, Name: AV Not Running, Description: Antivirus is not running., ID: 6048295467368903309, Name: AV Not Updated, Description: Antivirus is not updated., ID: -7389372863827790785, Name: Compliant, Description: | |
| 267720461254861999 | sadfsafg | asdf |
Update a host’s field. Note that if a List field or Composite field has not been defined in Forescout to ‘Aggregate new values from each update’ that performing an update operation on a field will overwrite previous data written to that field.
forescout-update-host-fields
| Argument Name | Description | Required |
|---|---|---|
| update_type | The type of update to perform on a host field. | Optional |
| host_ip | The IP address of the target host. Required if ‘updated_type’ is ‘update’ or ‘delete’. | Required |
| field | Enter the the name of the field to update. Composite fields should be updated using the ‘fields_json’ command argument. | Optional |
| value | Value to be assigned to the field specified in the ‘field’ argument. If the value is a list of items, then items should be separated using a comma. | Optional |
| fields_json | One may perform multiple field-value assignments using this command argument. The argument should be entered in valid JSON format. This argument is useful for setting composite fields although other fields may be entered as well. For example, ‘{“Example_Composite”: [{“Shape”: “Triangle”, “Color”: “Beige”}, {“Shape”: “Square”, “Color”: “Violet”}], “String_Field”: “Example”}’ where ‘Example_Composite’ is the name of the Composite field in Forescout and ‘Shape’ and ‘Color’ are sub fields. In the example, ‘String_Field’ is a regular host field of type string whose value will be assigned ‘Example’. If the composite field was defined in Forescout as an aggregate property then additional records will be appended, otherwise they will be overwritten. | Optional |
There is no context output for this command.
Successfully updated 4 properties for host ip=192.168.1.212
Base Command
Forescout Secure Connector Mac
Input
| Argument Name | Description | Required |
|---|---|---|
| update_type | The type of update to perform on a Forescout list. | Optional |
| list_names | Names of lists defined in the Forescout platform that you wish to update. If the ‘update_type’ is set to ‘delete_all_list_values’ then it is unnecessary to fill in the ‘values’ command argument. Multiple list names should be separated by a comma. To find names of lists that may be updated, navigate to Tools > Options > Lists in the Forescout platform. | Required |
| values | The values to add or delete from the lists entered in the ‘list_names’ command argument. Multiple values should separated by a comma. Note that the values entered here will be updated for all of the lists entered in the ‘list_names’ command argument. | Optional |
There is no context output for this command.
Successfully added values to the 2 lists.
Comments are closed.