Skip to main content

Forescout CounterACT

This Integration is part of the Forescout eyeSight Pack.#

Forescout CounterACT is Unified device visibility and control platform for IT and OT security.

Detailed Information

Read this section and perform all necessary steps before you configure an integration instance.

Forescout CounterACT Module Requirements

Before you can use this integration in Cortex XSOAR, you need to enable certain modules in your Forescout CounterACT environment.

  1. In the Forescout CounterACT console, from the navigation bar select Tools > Options .
  2. In the dialog that appears, from the categories section on the left, click Modules .
  3. In the main area of the dialog, from the drop-down menu, select Open Integration Module . Make sure that the integration module and the following submodules are installed and enabled: Data Exchange (DEX) and Web API are all installed and enabled. If they aren't, install and enable them.

Configuration Parameters

url
This is the network address of the Forescout Enterprise Manager or standalone Appliance. (The host on which the the Forescout Appliance is hosted.) For example, if the Forescout Appliance is hosted at the IP address 192.168.10.23 , then you enter https://192.168.10.23 .

Web API Username and Password
The credentials entered here should be those created in the Forescout console for the Web API .

  1. In the Forescout CounterACT console, from the top navigation bar, click Tools > Options .
  2. From the dialog that appears, in the categories section on the left, click Web API , and select User Settings .
  3. Create a username and password by clicking the Add button, and completing the fields. These are the credentials that you will enter when configuring the Cortex XSOAR-Forescout integration: Web API Username and Password .
  4. Select Client IPs towards the top of the main area of the dialog, next to User Settings .
  5. Add the IP address where your Cortex XSOAR instance is hosted or allow requests from all IP addresses to make sure that requests made by the Cortex XSOAR-Forescout integration will be permitted.
  6. Click the Apply button to save the changes you made.

Data Exchange (DEX) Username and Password
The credentials entered here should be those created in the Forescout console for Data Exchange (DEX) .

  1. In the Forescout CounterACT console, from the top navigation bar, click Tools > Options .
  2. From the dialog that appears, in the categories section on the left, click Data Exchange (DEX) .
  3. Select CounterACT Web Service > Accounts .
  4. Create a username and password by clicking the Add button, and completing the fields. Note : The value you entered for the Name field in the account-creation pop-up window is the value that you should enter for the Data Exchange (DEX) Account configuration parameter.
  5. Click the Apply button to save the changes you made.

The username and password entered in the account-creation dialog are the credentials that you will enter when configuring the Cortex XSOAR-Forescout integration: Data Exchange (DEX) Username and Password .

Data Exchange (DEX) Account
The Data Exchange (DEX) credentials Name field. This can be found by navigating to Tools > Options > Data Exchange (DEX) > CounterACT Web Service > Accounts .

Important Usage Notes

This integration allows the user to update host properties and Forescout Lists. To create Forescout properties, which can then be updated using the Cortex XSOAR-Forescout integration, from the Forescout console, navigate to Tools > Options > Data Exchange (DEX) > CounterACT Web Console > Properties . This is where you create new properties. Make sure to associate the properties with the account you created, and which you used in the configuration parameters of the Forescout integration in Cortex XSOAR. Lists must also be defined and created in the Forescout console before you can update them using the Cortex XSOAR-Forescout integration. For more information, reference the Defining and Managing Lists section in the Forescout Administration Guide .

Configure Forescout on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Forescout.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • The network address of the Forescout Enterprise Manager or
      standalone Appliance, e.g. ‘ https://10.0.0.8 ’. #disable-secrets-detection
    • Web API Username (see Detailed Instructions (?))
    • Data Exchange (DEX) Username (see Detailed Instructions (?))
    • Data Exchange (DEX) Account (see Detailed Instructions (?))
    • HTTP Timeout (default is 60 seconds)
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get a list of active endpoints


Retrieves a list of active endpoints.

Base Command

forescout-get-hosts

Input
Argument Name Description Required
rule_ids Filter hosts by those selected by policies or policy sub-rules. Policies and/or rules should be specified by their IDs. To find policy and rule IDs by which you can filter, run the forescout-get-policies command. If multiple policy and/or rule IDs are entered, only hosts that are selected by all of the policies and/or rules specified will be returned. Multiple policy or rule IDs should be separated by a comma. Optional
fields Filter hosts based on host field values. Enter fields with their associated values in the following format, ‘{field_1}={val_1}&{field_2}={val_2} … &{field_n}={val_n}’ where ‘{field_1}’ through ‘{field_n}’ are replaced by actual field names and ‘{val_1}’ through ‘{val_n}’ are replaced by the desired matching values. Note that a list field may be specified with the values separated by commas. Only hosts whose properties match all the specified values will be returned. For a list of potential host fields that may be specified, try executing the ‘forescout-get-hostfields’ command. A composite property may also be specified. If entered in the format where all the field-value pairs are in a single set of square brackets, for example, ‘{composite_prop}=[{field_1},{val_1},…,{field_n},{val_n}]’ then only hosts for which the specified composite property’s fields all match the values entered will be returned. If entered in the format, ‘{composite_prop}=[{field_1},{val}_1],…,[{field_n},{val_n}]’ where each field-value pair is enclosed in its own set of brackets, then hosts for which the composite property contains any of the field-values specified will be returned. Note that for composite properties, sub-fields should be entered as their internal representation in Forescout. To find internal representation for a composite property’s sub-fields try executing ‘forescout-get-host’ command with the host specified in the ‘identifier’ argument and the name of the composite property entered in the ‘fields’ argument of the command. Optional

Context Output
Path Type Description
Forescout.Host.ID Number Forescout ID for the host.
Forescout.Host.IPAddress String IP Address of the host.
Forescout.Host.MACAddress String MAC Address of the host.
Endpoint.IPAddress String IP Address of the host.
Endpoint.MACAddress String MAC Address of the host.

Command Example
forescout-get-hosts fields=online=true
Context Example
{
    "Forescout.Host": [
        {
            "MACAddress": "000c29e9e452",
            "IPAddress": "192.168.1.44",
            "ID": "3232235820"
        },
        {
            "MACAddress": "000c297cc5ae",
            "IPAddress": "192.168.1.125",
            "ID": "3232235901"
        },
        {
            "MACAddress": "005056a1ad60",
            "IPAddress": "192.168.1.52",
            "ID": "3232235828"
        },
        {
            "MACAddress": "000c29497e4e",
            "IPAddress": "192.168.1.119",
            "ID": "3232235895"
        },
        {
            "MACAddress": "000000000000",
            "IPAddress": "192.168.1.8",
            "ID": "3232235784"
        },
        {
            "MACAddress": null,
            "IPAddress": "192.168.1.1",
            "ID": "3232235777"
        },
        {
            "MACAddress": "005056b1488d",
            "IPAddress": "192.168.1.31",
            "ID": "3232235807"
        },
        {
            "MACAddress": "005056b1a93f",
            "IPAddress": "192.168.1.17",
            "ID": "3232235793"
        },
        {
            "MACAddress": null,
            "IPAddress": "192.168.1.212",
            "ID": "3232235988"
        }
    ],
    "Endpoint": [
        {
            "MACAddress": "000c29e9e452",
            "IPAddress": "192.168.1.44"
        },
        {
            "MACAddress": "000c297cc5ae",
            "IPAddress": "192.168.1.125"
        },
        {
            "MACAddress": "005056a1ad60",
            "IPAddress": "192.168.1.52"
        },
        {
            "MACAddress": "000c29497e4e",
            "IPAddress": "192.168.1.119"
        },
        {
            "MACAddress": "000000000000",
            "IPAddress": "192.168.1.8"
        },
        {
            "MACAddress": null,
            "IPAddress": "192.168.1.1"
        },
        {
            "MACAddress": "005056b1488d",
            "IPAddress": "192.168.1.31"
        },
        {
            "MACAddress": "005056b1a93f",
            "IPAddress": "192.168.1.17"
        },
        {
            "MACAddress": null,
            "IPAddress": "192.168.1.212"
        }
    ]
}
Human Readable Output

Active Endpoints

ID IPAddress MACAddress
3232235820 192.168.1.44 000c29e9e452
3232235901 192.168.1.125 000c297cc5ae
3232235828 192.168.1.52 005056a1ad60
3232235895 192.168.1.119 000c29497e4e
3232235784 192.168.1.8 000000000000
3232235777 192.168.1.1
3232235807 192.168.1.31 005056b1488d
3232235793 192.168.1.17 005056b1a93f
3232235988 192.168.1.212

2. Get an index of host fields


Retrieves an index of Forescout host fields that match the specified criteria.

Base Command

forescout-get-host-fields

Input
Argument Name Description Required
search_in Each host field has three searchable parts, the ‘name’, ‘label’, and ‘description’. By default only the ‘name’ will be searched. If you want to expand the search to include the description, you would enter ‘name,description’ for this argument. Optional
case_sensitive Determines whether to match the case of the entered search term. Optional
match_exactly Determines whether the search term is matched against the entirety of the potential host field instead of just seeing whether the host field contains the search term. Optional
search_term The term to filter host fields by. By default, the search will be case insensitive and checked to see if a host field contains the search term unless otherwise specified in the ‘case_sensitive’ and ‘match_exactly’ arguments respectively. Optional
host_field_type Limit the search to host fields whose values are of a certain type. For example, to limit the search to host properties whose values are either boolean, ip or a date enter ‘boolean,ip,date’. Optional

Context Output
Path Type Description
Forescout.HostField Unknown List index of host properties.

Command Example
forescout-get-host-fields search_term=hostname case_sensitive=false host_field_type=tree_path,string match_exactly=False search_in=name,label,description
Context Example
{
    "Forescout.HostField": [
        {
            "Name": "nbthost",
            "Type": "string",
            "Description": "Indicates the NetBIOS hostname of the host.",
            "Label": "NetBIOS Hostname"
        },
        {
            "Name": "hostname",
            "Type": "string",
            "Description": "Indicates the DNS name of the host.",
            "Label": "DNS Name"
        },
        {
            "Name": "aws_instance_public_dns",
            "Type": "string",
            "Description": "The public hostname of the EC2 instance, which resolves to the public IP address or Elastic IP address of the instance.",
            "Label": "EC2 Public DNS"
        },
        {
            "Name": "dhcp_hostname",
            "Type": "string",
            "Description": "The device Host Name as advertised by DHCP",
            "Label": "DHCP Hostname"
        },
        {
            "Name": "linux_hostname",
            "Type": "string",
            "Description": "Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely.",
            "Label": "Linux Hostname"
        },
        {
            "Name": "mac_hostname",
            "Type": "string",
            "Description": "Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely.",
            "Label": "Macintosh Hostname"
        },
        {
            "Name": "sw_hostname",
            "Type": "string",
            "Description": "The switch name as defined in the switch",
            "Label": "Switch Hostname"
        },
        {
            "Name": "wifi_end_point_host_name",
            "Type": "string",
            "Description": "",
            "Label": "WiFi End Point Hostname"
        },
        {
            "Name": "vmware_guest_host",
            "Type": "string",
            "Description": "Indicates the hostname of the guest operating system. VMware Tools must be running on the endpoint to resolve this property.",
            "Label": "Virtual Machine Guest Hostname"
        },
        {
            "Name": "vmware_esxi_hostname",
            "Type": "string",
            "Description": "Indicates the hostname of the ESXi server.",
            "Label": "VMware ESXi Server Name"
        },
        {
            "Name": "wifi_client_hostname",
            "Type": "string",
            "Description": "Indicates the user name of the client.",
            "Label": "WLAN Client Username"
        }
    ]
}
Human Readable Output

Index of Host Fields

Label Name Description Type
NetBIOS Hostname nbthost Indicates the NetBIOS hostname of the host. string
DNS Name hostname Indicates the DNS name of the host. string
EC2 Public DNS aws_instance_public_dns The public hostname of the EC2 instance, which resolves to the public IP address or Elastic IP address of the instance. string
DHCP Hostname dhcp_hostname The device Host Name as advertised by DHCP string
Linux Hostname linux_hostname Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. string
Macintosh Hostname mac_hostname Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. string
Switch Hostname sw_hostname The switch name as defined in the switch string
WiFi End Point Hostname wifi_end_point_host_name string
Virtual Machine Guest Hostname vmware_guest_host Indicates the hostname of the guest operating system. VMware Tools must be running on the endpoint to resolve this property. string
VMware ESXi Server Name vmware_esxi_hostname Indicates the hostname of the ESXi server. string
WLAN Client Username wifi_client_hostname Indicates the user name of the client. string

3. Get details for a host


Retrieves details of specified host.

Base Command

forescout-get-host

Input
Argument Name Description Required
fields List of host properties to include in the output for the targeted endpoint. If a specified host property is not found, the property is omitted from the outputs. For a list of potential host properties that may be specified, try executing the ‘forescout-get-host-fields’ command. Requested fields should be comma separated. Optional
ip IP (ipv4) of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. Optional
mac MAC address of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. Optional
id Forescout ID of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. Optional

Context Output
Path Type Description
Forescout.Host.MatchedFingerprint Unknown An endpoint may match multiple profiles. This property indicates all the classification profiles that this endpoint matches.
Forescout.Host.EngineSeenPacket String Indicates the host was seen by CounterACT.
Forescout.Host.Online String Host is online.
Forescout.Host.PrimClassification String Indicates the most specific endpoint function detected. If CounterACT detects multiple endpoint functions, the property is resolved as the most specific value that is common to all the detected functions. If there is no common value, the property is resolved as ‘Multiple Suggestions’.
Forescout.Host.MacVendorString String Indicates a value associated with the NIC Vendor
Forescout.Host.SambaOpenPort String NetBIOS ports are open
Forescout.Host.UserDefFp String Indicates the operating system of the endpoint, as determined by classification tools.
Forescout.Host.Vendor String Network Device Vendor, Type and Model
Forescout.Host.AgentVersion String Indicates the SecureConnector version installed on a Windows host.
Forescout.Host.Fingerprint String Passive OS detection based on Syn packets
Forescout.Host.AccessIP String Indicates the last IP that was investigated for this host
Forescout.Host.VendorClassification String Indicates the most specific vendor and model detected.
Forescout.Host.ManageAgent String Indicates if the host is running SecureConnector.
Forescout.Host.Onsite String Indicates that a host is connected to the organizational network
Forescout.Host.MacPrefix32 String MAC prefix
Forescout.Host.VaNetfunc String Reported CDP VoIP device description for VA netfunc
Forescout.Host.NmapDefFp7 String Nmap-OS Fingerprint(Ver. 7.01)
Forescout.Host.NmapDefFp5 String Nmap-OS Fingerprint(Ver. 5.3)
Forescout.Host.AgentInstallMode String Indicates the SecureConnector deployment mode installed on the host.
Forescout.Host.NmapFp7 String Nmap-OS Class(Ver. 7.01) (Obsolete)
Forescout.Host.ClType String Indicates how CounterACT determines the Network Function property of the endpoint.
Forescout.Host.ClRule String Indicates the rule responsible for classifying the host
Forescout.Host.AgentVisibleMode String Indicates the SecureConnector visible mode installed on the host.
Forescout.Host.OSClassification String Operating System
Forescout.Host.ClassificationSourceOS String Indicates how the Operating System classification property was determined for this endpoint.
Forescout.Host.LastNbtReportTime String Last time when NBT name was reported
Forescout.Host.Misc String Miscellaneous
Forescout.Host.ClassificationSourceFunc String Indicates how the Function classification property was determined for this endpoint.
Forescout.Host.NmapNetfunc7 String Nmap-Network Function(Ver. 7.01)
Forescout.Host.MAC Unknown ARP Spoofing (Obsolete)
Forescout.Host.OpenPort Unknown Open Ports
Forescout.Host.GstSignedInStat String Logged In Status
Forescout.Host.DhcpClass String The device class according to the DHCP fingerprint
Forescout.Host.ADM String Admission Events.
Forescout.Host.DhcpReqFingerprint String The host DHCP request fingerprint
Forescout.Host.DhcpOptFingerprint String The host DHCP options fingerprint
Forescout.Host.Ipv4ReportTime String Indicates the last time that IPv4 reported to the infrastructure
Forescout.Host.DhcpOS String The device OS according to the DHCP fingerprint
Forescout.Host.DhcpHostname String The device Host Name as advertised by DHCP
Forescout.Host.IPAddress String Host IP address
Forescout.Host.MACAddress String Host MAC address
Forescout.Host.ID Number Forescout ID number for the host
Endpoint.IPAddress String IP Address of the host.
Endpoint.MACAddress String MAC Address of the host.
Endpoint.DHCPServer String Endpoint DHCP Server.
Endpoint.Hostname String Hostname of the endpoint.
Endpoint.OS String Endpoint Operating System.
Endpoint.Model String Vendor and Model of the endpoint.
Endpoint.Domain String Domain of the endpoint.

Command Example
forescout-get-host ip=192.168.1.212 fields=fsapi_DemistoTest,fsapi_demisto_composite,fsapi_demisto_list,fsapi_composite_1
Context Example
{
    "Forescout.Host": {
        "MACAddress": null,
        "IPAddress": "192.168.1.212",
        "ID": "3232235988"
    },
    "Endpoint": {
        "MACAddress": null,
        "IPAddress": "192.168.1.212"
    }
}
Human Readable Output

Endpoint Details for IP=192.168.1.212

ID IPAddress
3232235988 192.168.1.212

4. Get a list of policies


Retrieves a list of all policies defined in the Forescout platform and
their sub-rules.

Base Command

forescout-get-policies

Input

There are no input arguments for this command.

Context Output
Path Type Description
Forescout.Policy.ID String Forescout ID for the policy.
Forescout.Policy.Name String Forescout name of the policy.
Forescout.Policy.Description String Description of the policy.
Forescout.Policy.Rule Unknown List of rules that make up the policy.

Command Example
forescout-get-policies
Context Example
{
    "Forescout.Policy": [
        {
            "Name": "Primary Classification",
            "Description": "",
            "Rule": [
                {
                    "Name": "CounterACT Devices",
                    "Description": "",
                    "ID": "-1203369125012565008"
                },
                {
                    "Name": "NAT Devices",
                    "Description": "When a device is NAT, its other classifications may be inaccurate. Therefore, we put the NAT detection first.",
                    "ID": "-5021668745466479821"
                },
                {
                    "Name": "Printers",
                    "Description": "",
                    "ID": "-275357014618763061"
                },
                {
                    "Name": "VoIP Devices",
                    "Description": "",
                    "ID": "4202614624411873493"
                },
                {
                    "Name": "Networking Equipment",
                    "Description": "",
                    "ID": "195929949297431248"
                },
                {
                    "Name": "Storage",
                    "Description": "",
                    "ID": "-6750955562195414496"
                },
                {
                    "Name": "Windows",
                    "Description": "",
                    "ID": "-6030907744367556977"
                },
                {
                    "Name": "Macintosh",
                    "Description": "",
                    "ID": "2278199708439440583"
                },
                {
                    "Name": "Linux\\Unix",
                    "Description": "",
                    "ID": "-7562731206926229799"
                },
                {
                    "Name": "Mobile Devices",
                    "Description": "",
                    "ID": "4030118542035508409"
                },
                {
                    "Name": "Approved Misc Devices",
                    "Description": "",
                    "ID": "168049340370707647"
                },
                {
                    "Name": "Multiple Profile Matches",
                    "Description": "Endpoints matching this sub-rule could not have either their Function or Operating System determined due to conflicting profile matches.\n\nInvestigate the devices in this sub-rule and either manually classify them or build additional sub-rules to classify them based on patterns you observe. View the values Suggested Function and Suggested Operating System properties to discover the conflicting profile matches.",
                    "ID": "8701509617393717735"
                },
                {
                    "Name": "Other Known Function",
                    "Description": "",
                    "ID": "-642863379250182254"
                },
                {
                    "Name": "Other Known Operating System",
                    "Description": "",
                    "ID": "-4200038946418694277"
                },
                {
                    "Name": "Other Known Vendor",
                    "Description": "",
                    "ID": "150826048313755731"
                },
                {
                    "Name": "Unclassified",
                    "Description": "",
                    "ID": "-8959326502596556700"
                }
            ],
            "ID": "2101168655015691125"
        },
        {
            "Name": "Corporate/Guest Control",
            "Description": "",
            "Rule": [
                {
                    "Name": "Corporate Hosts",
                    "Description": "",
                    "ID": "2240420499151482925"
                },
                {
                    "Name": "Signed-in Guests",
                    "Description": "",
                    "ID": "1248354759835029874"
                },
                {
                    "Name": "Guest Hosts",
                    "Description": "",
                    "ID": "9151906460028315616"
                }
            ],
            "ID": "-7733328397206852516"
        },
        {
            "Name": "Antivirus Compliance",
            "Description": "",
            "Rule": [
                {
                    "Name": "Not Manageable",
                    "Description": "Optional step: Make Windows machines managable by installing the Secure Connector",
                    "ID": "7661917523791823306"
                },
                {
                    "Name": "AV Not Installed",
                    "Description": "Antivirus is not installed.",
                    "ID": "-2012169476997908764"
                },
                {
                    "Name": "AV Not Running",
                    "Description": "Antivirus is not running.",
                    "ID": "8013197435392890209"
                },
                {
                    "Name": "AV Not Updated",
                    "Description": "Antivirus is not updated.",
                    "ID": "6048295467368903309"
                },
                {
                    "Name": "Compliant",
                    "Description": "",
                    "ID": "-7389372863827790785"
                }
            ],
            "ID": "-4928940807449738209"
        },
        {
            "Name": "sadfsafg",
            "Description": "asdf",
            "Rule": [],
            "ID": "267720461254861999"
        }
    ]
}
Human Readable Output

Forescout Policies

ID Name Description Rule
2101168655015691125 Primary Classification ID: -1203369125012565008, Name: CounterACT Devices, Description: ,
ID: -5021668745466479821, Name: NAT Devices, Description: When a device is NAT, its other classifications may be inaccurate. Therefore, we put the NAT detection first.,
ID: -275357014618763061, Name: Printers, Description: ,
ID: 4202614624411873493, Name: VoIP Devices, Description: ,
ID: 195929949297431248, Name: Networking Equipment, Description: ,
ID: -6750955562195414496, Name: Storage, Description: ,
ID: -6030907744367556977, Name: Windows, Description: ,
ID: 2278199708439440583, Name: Macintosh, Description: ,
ID: -7562731206926229799, Name: Linux\Unix, Description: ,
ID: 4030118542035508409, Name: Mobile Devices, Description: ,
ID: 168049340370707647, Name: Approved Misc Devices, Description: ,
ID: 8701509617393717735, Name: Multiple Profile Matches, Description: Endpoints matching this sub-rule could not have either their Function or Operating System determined due to conflicting profile matches.\n\nInvestigate the devices in this sub-rule and either manually classify them or build additional sub-rules to classify them based on patterns you observe. View the values Suggested Function and Suggested Operating System properties to discover the conflicting profile matches.,
ID: -642863379250182254, Name: Other Known Function, Description: ,
ID: -4200038946418694277, Name: Other Known Operating System, Description: ,
ID: 150826048313755731, Name: Other Known Vendor, Description: ,
ID: -8959326502596556700, Name: Unclassified, Description:
-7733328397206852516 Corporate/Guest Control ID: 2240420499151482925, Name: Corporate Hosts, Description: ,
ID: 1248354759835029874, Name: Signed-in Guests, Description: ,
ID: 9151906460028315616, Name: Guest Hosts, Description:
-4928940807449738209 Antivirus Compliance ID: 7661917523791823306, Name: Not Manageable, Description: Optional step: Make Windows machines managable by installing the Secure Connector,
ID: -2012169476997908764, Name: AV Not Installed, Description: Antivirus is not installed.,
ID: 8013197435392890209, Name: AV Not Running, Description: Antivirus is not running.,
ID: 6048295467368903309, Name: AV Not Updated, Description: Antivirus is not updated.,
ID: -7389372863827790785, Name: Compliant, Description:
267720461254861999 sadfsafg asdf

5. Update host fields


Update a host’s field. Note that if a List field or Composite field has not been defined in Forescout to ‘Aggregate new values from each update’ that performing an update operation on a field will overwrite previous data written to that field.

Base Command

forescout-update-host-fields

Input
Argument Name Description Required
update_type The type of update to perform on a host field. Optional
host_ip The IP address of the target host. Required if ‘updated_type’ is ‘update’ or ‘delete’. Required
field Enter the the name of the field to update. Composite fields should be updated using the ‘fields_json’ command argument. Optional
value Value to be assigned to the field specified in the ‘field’ argument. If the value is a list of items, then items should be separated using a comma. Optional
fields_json One may perform multiple field-value assignments using this command argument. The argument should be entered in valid JSON format. This argument is useful for setting composite fields although other fields may be entered as well. For example, ‘{“Example_Composite”: [{“Shape”: “Triangle”, “Color”: “Beige”}, {“Shape”: “Square”, “Color”: “Violet”}], “String_Field”: “Example”}’ where ‘Example_Composite’ is the name of the Composite field in Forescout and ‘Shape’ and ‘Color’ are sub fields. In the example, ‘String_Field’ is a regular host field of type string whose value will be assigned ‘Example’. If the composite field was defined in Forescout as an aggregate property then additional records will be appended, otherwise they will be overwritten. Optional

Context Output

There is no context output for this command.

Command Example
forescout-update-host-fields host_ip=192.168.1.212 field=fsapi_DemistoTest value="Testing new Arguments" fields_json={“fsapi_demisto_composite”:
    {“age”: “900”, “name”: “Ignatio Permutti”, “alive”: “false”}, “fsapi_demisto_list”:
    [“Hey1”, “Hey2”, “Hey3”], “fsapi_composite_1”: [{“animal”: “mongoose”, “sound”:
    “squeak”, “lifespan”: “10”, “region”: “North America”}, {“animal”: “squirrel”,
    “sound”: “pip”, “lifespan”: “5”, “region”: “Everywher”}]}update_type=update
  
Human Readable Output

Successfully updated 4 properties for host ip=192.168.1.212

6. Update lists


Updates Forescout lists.

Base Command

forescout-update-lists

Input
Argument Name Description Required
update_type The type of update to perform on a Forescout list. Optional
list_names Names of lists defined in the Forescout platform that you wish to update. If the ‘update_type’ is set to ‘delete_all_list_values’ then it is unnecessary to fill in the ‘values’ command argument. Multiple list names should be separated by a comma. To find names of lists that may be updated, navigate to Tools > Options > Lists in the Forescout platform. Required
values The values to add or delete from the lists entered in the ‘list_names’ command argument. Multiple values should separated by a comma. Note that the values entered here will be updated for all of the lists entered in the ‘list_names’ command argument. Optional

Context Output

There is no context output for this command.

Command Example
forescout-update-lists list_names=disallowed_names,creatures update_type=add_list_values values="ignatius,devon"
Human Readable Output

Successfully added values to the 2 lists.