ForeScout CounterACT
Integration version: 3.0
Use Cases
Perform enrichment actions.
Configure ForeScout CounterACT integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://<ip address> | Yes | ForeScout CounterACT API root. |
| Username | String | N/A | Yes | ForeScout CounterACT API username. |
| Password | Password | N/A | Yes | ForeScout CounterACT API password. |
| CA Certificate File | String | N/A | No | Base64 encoded CA certificate file. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the ForeScout CounterACT server is valid. |
Actions
Ping
Description
Test connectivity to ForeScout CounterACT with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | 
|---|---|
| is_success | is_success=False | 
| is_success | is_success=True | 
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: | General |
Enrich Entities
Description
Enrich entities using information from ForeScout CounterACT. Supported entities: IP, Mac Address.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Create Insight | Checkbox | Checked | No | If enabled, the action will create insights containing the enrichment information. |
Run On
This action runs on the following entities:
- IP Address
- Mac Address
Action Results
Script Result
| Script Result Name | Value Options | 
|---|---|
| is_success | is_success=False | 
| is_success | is_success=True | 
JSON Result
```json
{
  "ip": "172.30.202.30",
  "mac": "005056a2196c",
  "fields": {
    "channel": {
      "timestamp": 1623834301,
      "value": "eth1.-1"
    },
    "nmap_banner7": [
      {
        "timestamp": 1623834430,
        "value": "80/tcp Apache httpd 2.4.6 (CentOS)"
      },
      {
        "timestamp": 1623834430,
        "value": "22/tcp OpenSSH 7.4 protocol 2.0"
      }
    ],
    "onsite": {
      "timestamp": 1623834301,
      "value": "true"
    },
    "classification_source_os": {
      "timestamp": 1623838175,
      "value": "engine"
    },
    "linux_manage": {
      "timestamp": 1623838175,
      "value": "false"
    },
    "access_ip": {
      "timestamp": 1623838175,
      "value": "172.30.202.30"
    },
    "classification_source_vendor": {
      "timestamp": 1623838175,
      "value": "engine"
    },
    "mac_vendor_string": {
      "timestamp": 1623834302,
      "value": "VMWARE, INC."
    },
    "openports": [
      {
        "timestamp": 1623834384,
        "value": "22/TCP"
      },
      {
        "timestamp": 1623834397,
        "value": "161/UDP"
      },
      {
        "timestamp": 1623834384,
        "value": "80/TCP"
      }
    ]
  },
  "id": 2887698974
}
```
Entity Enrichment
| Enrichment Field Name | Logic - When to apply | 
|---|---|
| ip | When available in JSON | 
| mac | When available in JSON | 
| onsite | When available in JSON | 
| guest_corporate_state | When available in JSON | 
| fingerprint | When available in JSON | 
| vendor | When available in JSON | 
| classification | When available in JSON | 
| agent_version | When available in JSON | 
| online | When available in JSON | 
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if some entities were not enriched (is_success = true): "Action wasn't able to enrich the following entities using ForeScout CounterACT:\n".format(entity.identifier); if no entities were enriched (is_success = false): "No entities were enriched". The action should fail and stop a playbook execution: | General |
| Entity Table | Same columns as in the Enrichment table, but without the prefix. | Entity |
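As an added example, not code from the integration itself, the Python below shows how the JSON Result of Enrich Entities can be flattened into the fields listed in the Entity Enrichment table (emitting only the fields that are actually present in the JSON), how multi-valued properties such as `openports` are handled, and how the output-message rule from the Case Wall table applies to a batch of entities. The sample host is a constructed, trimmed copy of the JSON Result above; the `FSCA_` prefix, the function names, and the message for the all-enriched case are assumptions and not taken from the integration.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the JSON Result shown on this page.
SAMPLE_HOST: Dict[str, Any] = json.loads("""
{
  "ip": "172.30.202.30",
  "mac": "005056a2196c",
  "fields": {
    "channel": {"timestamp": 1623834301, "value": "eth1.-1"},
    "nmap_banner7": [
      {"timestamp": 1623834430, "value": "80/tcp Apache httpd 2.4.6 (CentOS)"},
      {"timestamp": 1623834430, "value": "22/tcp OpenSSH 7.4 protocol 2.0"}
    ],
    "onsite": {"timestamp": 1623834301, "value": "true"},
    "mac_vendor_string": {"timestamp": 1623834302, "value": "VMWARE, INC."},
    "openports": [
      {"timestamp": 1623834384, "value": "22/TCP"},
      {"timestamp": 1623834397, "value": "161/UDP"},
      {"timestamp": 1623834384, "value": "80/TCP"}
    ]
  },
  "id": 2887698974
}
""")

# Field names from the Entity Enrichment table on this page.
ENRICHMENT_FIELDS = ("ip", "mac", "onsite", "guest_corporate_state", "fingerprint",
                     "vendor", "classification", "agent_version", "online")


def field_value(host: Dict[str, Any], name: str) -> Optional[Any]:
    """Return a field's scalar value, or None when it is not in the JSON.

    Top-level keys (ip, mac) are plain values. Keys under "fields" are
    {"timestamp", "value"} objects, or lists of them for multi-valued
    properties such as openports; list values are joined to fit one cell."""
    if name in host and not isinstance(host[name], (dict, list)):
        return host[name]
    entry = host.get("fields", {}).get(name)
    if isinstance(entry, dict):
        return entry.get("value")
    if isinstance(entry, list):
        values = [str(e["value"]) for e in entry if isinstance(e, dict) and "value" in e]
        return ", ".join(values) if values else None
    return None


def build_enrichment(host: Dict[str, Any], prefix: str = "FSCA_") -> Dict[str, Any]:
    """Apply the "when available in JSON" rule: only present fields are emitted.
    The prefix is assumed; the page only says the entity table drops it."""
    enrichment: Dict[str, Any] = {}
    for name in ENRICHMENT_FIELDS:
        value = field_value(host, name)
        if value is not None:
            enrichment[prefix + name] = value
    return enrichment


def open_ports(host: Dict[str, Any]) -> List[Tuple[int, str]]:
    """Parse openports values like "22/TCP" into (port, protocol) tuples,
    skipping malformed entries and sorting by port number."""
    ports: List[Tuple[int, str]] = []
    for entry in host.get("fields", {}).get("openports", []):
        value = entry.get("value", "") if isinstance(entry, dict) else ""
        port_str, sep, proto = str(value).partition("/")
        if sep and port_str.isdigit() and 0 < int(port_str) < 65536:
            ports.append((int(port_str), proto.upper()))
    return sorted(ports)


def summarize(results: Dict[str, Optional[Dict[str, Any]]]) -> Tuple[bool, str]:
    """Reproduce the output-message rule from the Case Wall table.

    results maps entity identifier -> host JSON, or None when CounterACT
    returned nothing for that entity."""
    missed = [ident for ident, host in results.items() if not host]
    if len(missed) == len(results):
        return False, "No entities were enriched"
    if missed:
        return True, ("Action wasn't able to enrich the following entities using "
                      "ForeScout CounterACT:\n" + "\n".join(missed))
    # Assumed wording: the page gives no message for the all-enriched case.
    return True, "Successfully enriched all entities using ForeScout CounterACT"


if __name__ == "__main__":
    print(build_enrichment(SAMPLE_HOST))
    print(open_ports(SAMPLE_HOST))
    print(summarize({"172.30.202.30": SAMPLE_HOST, "10.0.0.9": None}))
```

Note that `vendor`, `classification` and the other table fields that have no key of that name in the sample are simply absent from the result, which is what "When available in JSON" means; any mapping from differently named properties such as `mac_vendor_string` would be an integration-specific decision the page does not document.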