ForeScout, which previously scanned network endpoints externally, is introducing client software that checks out machines as they try to join networks. Secure Connector is a dissolvable agent that. Forescout’s flagship product, ForeScout 8.2—a unified device visibility and control platform for IT and OT networks, dynamically identifies and evaluates network devices and applications as they connect to an organization’s network. An 802.1X plug-in is also available from ForeScout that would let the appliance capture and participate in 802.1X connection attempts. Authentication support is mainly provided passively with.
Forescout is Unified device visibility and control platform for IT and OT security.
Read this section and perform all necessary steps before you configure an integration instance.
Forescout Module Requirements
Before you can use this integration in Demisto, you need to enable certain modules in your Forescout environment.
- In the Forescout console, from the navigation bar select Tools > Options .
- In the dialog that appears, from the categories section on the left, click Modules .
- In the main area of the dialog, from the drop-down menu, select Open Integration Module . Make sure that the integration module and the following submodules are installed and enabled: Data Exchange (DEX) and Web API are all installed and enabled. If they aren't, install and enable them.
Configuration Parameters
url
This is the network address of the Forescout Enterprise Manager or standalone Appliance. (The host on which the the Forescout Appliance is hosted.) For example, if the Forescout Appliance is hosted at the IP address 192.168.10.23 , then you enter https://192.168.10.23 .
Web API Username and Password
The credentials entered here should be those created in the Forescout console for the Web API .
- In the Forescout console, from the top navigation bar, click Tools > Options .
- From the dialog that appears, in the categories section on the left, click Web API , and select User Settings .
- Create a username and password by clicking the Add button, and completing the fields. These are the credentials that you will enter when configuring the Demisto-Forescout integration: Web API Username and Password .
- Select Client IPs towards the top of the main area of the dialog, next to User Settings .
- Add the IP address where your Demisto instance is hosted or allow requests from all IP addresses to make sure that requests made by the Demisto-Forescout integration will be permitted.
- Click the Apply button to save the changes you made.
Data Exchange (DEX) Username and Password
The credentials entered here should be those created in the Forescout console for Data Exchange (DEX) .
- In the Forescout console, from the top navigation bar, click Tools > Options .
- From the dialog that appears, in the categories section on the left, click Data Exchange (DEX) .
- Select CounterACT Web Service > Accounts .
- Create a username and password by clicking the Add button, and completing the fields. Note : The value you entered for the Name field in the account-creation pop-up window is the value that you should enter for the Data Exchange (DEX) Account configuration parameter.
- Click the Apply button to save the changes you made.
The username and password entered in the account-creation dialog are the credentials that you will enter when configuring the Demisto-Forescout integration: Data Exchange (DEX) Username and Password .
Data Exchange (DEX) Account
The Data Exchange (DEX) credentials Name field. This can be found by navigating to Tools > Options > Data Exchange (DEX) > CounterACT Web Service > Accounts .
Important Usage Notes
This integration allows the user to update host properties and Forescout Lists. To create Forescout properties, which can then be updated using the Demisto-Forescout integration, from the Forescout console, navigate to Tools > Options > Data Exchange (DEX) > CounterACT Web Console > Properties . This is where you create new properties. Make sure to associate the properties with the account you created, and which you used in the configuration parameters of the Forescout integration in Demisto. Lists must also be defined and created in the Forescout console before you can update them using the Demisto-Forescout integration. For more information, reference the Defining and Managing Lists section in the Forescout Administration Guide .
- Navigate to Settings > Integrations > Servers & Services .
- Search for Forescout.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- The network address of the Forescout Enterprise Manager or
standalone Appliance, e.g. ‘ https://10.0.0.8 ’. #disable-secrets-detection - Web API Username (see Detailed Instructions (?))
- Data Exchange (DEX) Username (see Detailed Instructions (?))
- Data Exchange (DEX) Account (see Detailed Instructions (?))
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| rule_ids | Filter hosts by those selected by policies or policy sub-rules. Policies and/or rules should be specified by their IDs. To find policy and rule IDs by which you can filter, run the forescout-get-policies command. If multiple policy and/or rule IDs are entered, only hosts that are selected by all of the policies and/or rules specified will be returned. Multiple policy or rule IDs should be separated by a comma. | Optional |
| fields | Filter hosts based on host field values. Enter fields with their associated values in the following format, ‘{field_1}={val_1}&{field_2}={val_2} … &{field_n}={val_n}’ where ‘{field_1}’ through ‘{field_n}’ are replaced by actual field names and ‘{val_1}’ through ‘{val_n}’ are replaced by the desired matching values. Note that a list field may be specified with the values separated by commas. Only hosts whose properties match all the specified values will be returned. For a list of potential host fields that may be specified, try executing the ‘forescout-get-hostfields’ command. A composite property may also be specified. If entered in the format where all the field-value pairs are in a single set of square brackets, for example, ‘{composite_prop}=[{field_1},{val_1},…,{field_n},{val_n}]’ then only hosts for which the specified composite property’s fields all match the values entered will be returned. If entered in the format, ‘{composite_prop}=[{field_1},{val}_1],…,[{field_n},{val_n}]’ where each field-value pair is enclosed in its own set of brackets, then hosts for which the composite property contains any of the field-values specified will be returned. Note that for composite properties, sub-fields should be entered as their internal representation in Forescout. To find internal representation for a composite property’s sub-fields try executing ‘forescout-get-host’ command with the host specified in the ‘identifier’ argument and the name of the composite property entered in the ‘fields’ argument of the command. | Optional |
| Path | Type | Description |
|---|---|---|
| Forescout.Host.ID | Number | Forescout ID for the host. |
| Forescout.Host.IPAddress | String | IP Address of the host. |
| Forescout.Host.MACAddress | String | MAC Address of the host. |
| Endpoint.IPAddress | String | IP Address of the host. |
| Endpoint.MACAddress | String | MAC Address of the host. |
Active Endpoints
| ID | IPAddress | MACAddress |
|---|---|---|
| 3232235820 | 192.168.1.44 | 000c29e9e452 |
| 3232235901 | 192.168.1.125 | 000c297cc5ae |
| 3232235828 | 192.168.1.52 | 005056a1ad60 |
| 3232235895 | 192.168.1.119 | 000c29497e4e |
| 3232235784 | 192.168.1.8 | 000000000000 |
| 3232235777 | 192.168.1.1 | |
| 3232235807 | 192.168.1.31 | 005056b1488d |
| 3232235793 | 192.168.1.17 | 005056b1a93f |
| 3232235988 | 192.168.1.212 |
Retrieves an index of Forescout host fields that match the specified criteria.
forescout-get-host-fields
| Argument Name | Description | Required |
|---|---|---|
| search_in | Each host field has three searchable parts, the ‘name’, ‘label’, and ‘description’. By default only the ‘name’ will be searched. If you want to expand the search to include the description, you would enter ‘name,description’ for this argument. | Optional |
| case_sensitive | Determines whether to match the case of the entered search term. | Optional |
| match_exactly | Determines whether the search term is matched against the entirety of the potential host field instead of just seeing whether the host field contains the search term. | Optional |
| search_term | The term to filter host fields by. By default, the search will be case insensitive and checked to see if a host field contains the search term unless otherwise specified in the ‘case_sensitive’ and ‘match_exactly’ arguments respectively. | Optional |
| host_field_type | Limit the search to host fields whose values are of a certain type. For example, to limit the search to host properties whose values are either boolean, ip or a date enter ‘boolean,ip,date’. | Optional |
| Path | Type | Description |
|---|---|---|
| Forescout.HostField | Unknown | List index of host properties. |
Index of Host Fields
| Label | Name | Description | Type |
|---|---|---|---|
| NetBIOS Hostname | nbthost | Indicates the NetBIOS hostname of the host. | string |
| DNS Name | hostname | Indicates the DNS name of the host. | string |
| EC2 Public DNS | aws_instance_public_dns | The public hostname of the EC2 instance, which resolves to the public IP address or Elastic IP address of the instance. | string |
| DHCP Hostname | dhcp_hostname | The device Host Name as advertised by DHCP | string |
| Linux Hostname | linux_hostname | Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. | string |
| Macintosh Hostname | mac_hostname | Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. | string |
| Switch Hostname | sw_hostname | The switch name as defined in the switch | string |
| WiFi End Point Hostname | wifi_end_point_host_name | string | |
| Virtual Machine Guest Hostname | vmware_guest_host | Indicates the hostname of the guest operating system. VMware Tools must be running on the endpoint to resolve this property. | string |
| VMware ESXi Server Name | vmware_esxi_hostname | Indicates the hostname of the ESXi server. | string |
| WLAN Client Username | wifi_client_hostname | Indicates the user name of the client. | string |
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| fields | List of host properties to include in the output for the targeted endpoint. If a specified host property is not found, the property is omitted from the outputs. For a list of potential host properties that may be specified, try executing the ‘forescout-get-host-fields’ command. Requested fields should be comma separated. | Optional |
| ip | IP (ipv4) of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
| mac | MAC address of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
| id | Forescout ID of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
| Path | Type | Description |
|---|---|---|
| Forescout.Host.MatchedFingerprint | Unknown | An endpoint may match multiple profiles. This property indicates all the classification profiles that this endpoint matches. |
| Forescout.Host.EngineSeenPacket | String | Indicates the host was seen by CounterACT. |
| Forescout.Host.Online | String | Host is online. |
| Forescout.Host.PrimClassification | String | Indicates the most specific endpoint function detected. If CounterACT detects multiple endpoint functions, the property is resolved as the most specific value that is common to all the detected functions. If there is no common value, the property is resolved as ‘Multiple Suggestions’. |
| Forescout.Host.MacVendorString | String | Indicates a value associated with the NIC Vendor |
| Forescout.Host.SambaOpenPort | String | NetBIOS ports are open |
| Forescout.Host.UserDefFp | String | Indicates the operating system of the endpoint, as determined by classification tools. |
| Forescout.Host.Vendor | String | Network Device Vendor, Type and Model |
| Forescout.Host.AgentVersion | String | Indicates the SecureConnector version installed on a Windows host. |
| Forescout.Host.Fingerprint | String | Passive OS detection based on Syn packets |
| Forescout.Host.AccessIP | String | Indicates the last IP that was investigated for this host |
| Forescout.Host.VendorClassification | String | Indicates the most specific vendor and model detected. |
| Forescout.Host.ManageAgent | String | Indicates if the host is running SecureConnector. |
| Forescout.Host.Onsite | String | Indicates that a host is connected to the organizational network |
| Forescout.Host.MacPrefix32 | String | MAC prefix |
| Forescout.Host.VaNetfunc | String | Reported CDP VoIP device description for VA netfunc |
| Forescout.Host.NmapDefFp7 | String | Nmap-OS Fingerprint(Ver. 7.01) |
| Forescout.Host.NmapDefFp5 | String | Nmap-OS Fingerprint(Ver. 5.3) |
| Forescout.Host.AgentInstallMode | String | Indicates the SecureConnector deployment mode installed on the host. |
| Forescout.Host.NmapFp7 | String | Nmap-OS Class(Ver. 7.01) (Obsolete) |
| Forescout.Host.ClType | String | Indicates how CounterACT determines the Network Function property of the endpoint. |
| Forescout.Host.ClRule | String | Indicates the rule responsible for classifying the host |
| Forescout.Host.AgentVisibleMode | String | Indicates the SecureConnector visible mode installed on the host. |
| Forescout.Host.OSClassification | String | Operating System |
| Forescout.Host.ClassificationSourceOS | String | Indicates how the Operating System classification property was determined for this endpoint. |
| Forescout.Host.LastNbtReportTime | String | Last time when NBT name was reported |
| Forescout.Host.Misc | String | Miscellaneous |
| Forescout.Host.ClassificationSourceFunc | String | Indicates how the Function classification property was determined for this endpoint. |
| Forescout.Host.NmapNetfunc7 | String | Nmap-Network Function(Ver. 7.01) |
| Forescout.Host.MAC | Unknown | ARP Spoofing (Obsolete) |
| Forescout.Host.OpenPort | Unknown | Open Ports |
| Forescout.Host.GstSignedInStat | String | Logged In Status |
| Forescout.Host.DhcpClass | String | The device class according to the DHCP fingerprint |
| Forescout.Host.ADM | String | Admission Events. |
| Forescout.Host.DhcpReqFingerprint | String | The host DHCP request fingerprint |
| Forescout.Host.DhcpOptFingerprint | String | The host DHCP options fingerprint |
| Forescout.Host.Ipv4ReportTime | String | Indicates the last time that IPv4 reported to the infrastructure |
| Forescout.Host.DhcpOS | String | The device OS according to the DHCP fingerprint |
| Forescout.Host.DhcpHostname | String | The device Host Name as advertised by DHCP |
| Forescout.Host.IPAddress | String | Host IP address |
| Forescout.Host.MACAddress | String | Host MAC address |
| Forescout.Host.ID | Number | Forescout ID number for the host |
| Endpoint.IPAddress | String | IP Address of the host. |
| Endpoint.MACAddress | String | MAC Address of the host. |
| Endpoint.DHCPServer | String | Endpoint DHCP Server. |
| Endpoint.Hostname | String | Hostname of the endpoint. |
| Endpoint.OS | String | Endpoint Operating System. |
| Endpoint.Model | String | Vendor and Model of the endpoint. |
| Endpoint.Domain | String | Domain of the endpoint. |
Endpoint Details for IP=192.168.1.212
4. Get a list of policies
Retrieves a list of all policies defined in the Forescout platform and
their sub-rules.
forescout-get-policies
There are no input arguments for this command.
| Path | Type | Description |
|---|---|---|
| Forescout.Policy.ID | String | Forescout ID for the policy. |
| Forescout.Policy.Name | String | Forescout name of the policy. |
| Forescout.Policy.Description | String | Description of the policy. |
| Forescout.Policy.Rule | Unknown | List of rules that make up the policy. |
Forescout Policies
| ID | Name | Description | Rule |
|---|---|---|---|
| 2101168655015691125 | Primary Classification | ID: -1203369125012565008, Name: CounterACT Devices, Description: , ID: -5021668745466479821, Name: NAT Devices, Description: When a device is NAT, its other classifications may be inaccurate. Therefore, we put the NAT detection first., ID: -275357014618763061, Name: Printers, Description: , ID: 4202614624411873493, Name: VoIP Devices, Description: , ID: 195929949297431248, Name: Networking Equipment, Description: , ID: -6750955562195414496, Name: Storage, Description: , ID: -6030907744367556977, Name: Windows, Description: , ID: 2278199708439440583, Name: Macintosh, Description: , ID: -7562731206926229799, Name: LinuxUnix, Description: , ID: 4030118542035508409, Name: Mobile Devices, Description: , ID: 168049340370707647, Name: Approved Misc Devices, Description: , ID: 8701509617393717735, Name: Multiple Profile Matches, Description: Endpoints matching this sub-rule could not have either their Function or Operating System determined due to conflicting profile matches.nnInvestigate the devices in this sub-rule and either manually classify them or build additional sub-rules to classify them based on patterns you observe. View the values Suggested Function and Suggested Operating System properties to discover the conflicting profile matches., ID: -642863379250182254, Name: Other Known Function, Description: , ID: -4200038946418694277, Name: Other Known Operating System, Description: , ID: 150826048313755731, Name: Other Known Vendor, Description: , ID: -8959326502596556700, Name: Unclassified, Description: | |
| -7733328397206852516 | Corporate/Guest Control | ID: 2240420499151482925, Name: Corporate Hosts, Description: , ID: 1248354759835029874, Name: Signed-in Guests, Description: , ID: 9151906460028315616, Name: Guest Hosts, Description: | |
| -4928940807449738209 | Antivirus Compliance | ID: 7661917523791823306, Name: Not Manageable, Description: Optional step: Make Windows machines managable by installing the Secure Connector, ID: -2012169476997908764, Name: AV Not Installed, Description: Antivirus is not installed., ID: 8013197435392890209, Name: AV Not Running, Description: Antivirus is not running., ID: 6048295467368903309, Name: AV Not Updated, Description: Antivirus is not updated., ID: -7389372863827790785, Name: Compliant, Description: | |
| 267720461254861999 | sadfsafg | asdf |
Update a host’s field. Note that if a List field or Composite field has not been defined in Forescout to ‘Aggregate new values from each update’ that performing an update operation on a field will overwrite previous data written to that field.
forescout-update-host-fields
| Argument Name | Description | Required |
|---|---|---|
| update_type | The type of update to perform on a host field. | Optional |
| host_ip | The IP address of the target host. Required if ‘updated_type’ is ‘update’ or ‘delete’. | Required |
| field | Enter the the name of the field to update. Composite fields should be updated using the ‘fields_json’ command argument. | Optional |
| value | Value to be assigned to the field specified in the ‘field’ argument. If the value is a list of items, then items should be separated using a comma. | Optional |
| fields_json | One may perform multiple field-value assignments using this command argument. The argument should be entered in valid JSON format. This argument is useful for setting composite fields although other fields may be entered as well. For example, ‘{“Example_Composite”: [{“Shape”: “Triangle”, “Color”: “Beige”}, {“Shape”: “Square”, “Color”: “Violet”}], “String_Field”: “Example”}’ where ‘Example_Composite’ is the name of the Composite field in Forescout and ‘Shape’ and ‘Color’ are sub fields. In the example, ‘String_Field’ is a regular host field of type string whose value will be assigned ‘Example’. If the composite field was defined in Forescout as an aggregate property then additional records will be appended, otherwise they will be overwritten. | Optional |
There is no context output for this command.
Successfully updated 4 properties for host ip=192.168.1.212
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| update_type | The type of update to perform on a Forescout list. | Optional |
| list_names | Names of lists defined in the Forescout platform that you wish to update. If the ‘update_type’ is set to ‘delete_all_list_values’ then it is unnecessary to fill in the ‘values’ command argument. Multiple list names should be separated by a comma. To find names of lists that may be updated, navigate to Tools > Options > Lists in the Forescout platform. | Required |
| values | The values to add or delete from the lists entered in the ‘list_names’ command argument. Multiple values should separated by a comma. Note that the values entered here will be updated for all of the lists entered in the ‘list_names’ command argument. | Optional |
There is no context output for this command.
Successfully added values to the 2 lists.
What is Forescout CounterACT?
ForeScout CounterACT® is an agentless security appliance that dynamically identifies and evaluates network endpoints and applications the instant they connect to your network.
How does Forescout CounterACT work?
CounterACT discovers and classifies devices without requiring agents. Based on its classification, CounterACT then assesses the device’s security posture and applies policies that enforce the specific behavior the device is allowed to have while connected to a network. See More.
What is a NAC solution?
Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network.
What is the best NAC solution?
Top NAC solutions
- Extreme Networks ExtremeControl.
- Auconet BICS.
- ForeScout CounterACT.
- Pulse Policy Secure.
- HPE Aruba ClearPass.
- FortiNAC.
- Cisco Identity Services Engine.
- InfoExpress CyberGatekeeper.
Why do we need a NAC solution?
NAC systems can play a vital role in automatically identifying devices as they connect to the network and providing access that does not potentially compromise security. For example, when a personal mobile device connects, it can be granted access only to the Internet and not to any corporate resources.
What are the three key activities performed by NAC nse2?
What are the three key activities performed by NAC? (Choose three.) Discover all devices on the network. Profile all devices to identify what access they should have. Provide appropriate network access to devices.
What is extreme NAC assessment agent?
Extreme Networks NAC provides agent-based or agent-less endpoint assessment capabilities to determine the security posture of connecting devices.
Can ExtremeControl provide visibility and control on non extreme network devices?
ExtremeControl unifies the security of wired and wireless networks, providing visibility and control over users, devices and applications. It enables granular policy controls to help users comply with policies and compliance obligations in heterogeneous endpoint environments.
What is port-based access control?
Port-based network access control regulates access to the network, guarding against transmission and reception by unidentified or unauthorized parties, and consequent network disruption, theft of service, or data loss. Data frames are transmitted and received using the MAC Service specified in IEEE Std 802.1AC.
What is Cisco NAC?
Cisco Network Admission Control (NAC) is a set of technologies and solutions that uses the infrastructure of a computer network for network access control (NAC) and network protection. All access methods are monitored, including wireless devices, local area networks (LAN) and remote access wide area networks (WAN).
How do I give someone access to my network?
Network Administration: Granting Share Permissions
- Open Windows Explorer by pressing the Windows key and clicking Computer; then browse to the folder whose permissions you want to manage.
- Right-click the folder you want to manage and then choose Properties from the contextual menu.
- Click the Sharing tab; then click Advanced Sharing.
- Click Permissions.
What is Cisco NAC agent used for?
The Cisco NAC Web Agent provides temporal posture assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet.
What is CCAAgent?
The application listens for or sends data on open ports to a LAN or the Internet. CCAAgent.exe is able to monitor applications.
Is Cisco ISE an appliance?
Cisco ISE comes preinstalled on a range of physical appliances with various performance characteristics. The Cisco Application Deployment Engine (ADE) and Cisco ISE software run on either a dedicated Cisco ISE 3300 Series appliance or on a VMware server (Cisco ISE VM).
Is Eapol secure?
Digital certificates are an essential part of 802.1x authentication. Certificates are shared, checked, and verified before any device is allowed to connect to the network. A secure channel is used during the negotiations, so all credentials are safe from prying eyes.
What is port security on a switch?
Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port.
Which subcommand overrides the default action to take upon a security violation?
4. (Optional) Use the switchport port-security violation {protect | restrict | shutdown} interface subcommand to override the default action to take upon a security violation (shutdown).
What is the default port security violation mode?
Switchport Violations These are described in more detail below: Shutdown – When a violation occurs in this mode, the switchport will be taken out of service and placed in the err-disabled state. The switchport will remain in this state until manually removed; this is the default switchport security violation mode.
Forescout Secureconnector Windows Download
How do I check my port security violations?
Here is a useful command to check your port security configuration. Use show port-security interface to see the port security details per interface. You can see the violation mode is shutdown and that the last violation was caused by MAC address 0090.
Which action will bring an error disabled switch port back to an operational state?
Forescout Secure Connector Mac
Which action will bring an error-disabled switch port back to an operational state? Clear the MAC address table on the switch. Remove and reconfigure port security on the interface. Issue the switchport mode access command on the interface.