Forescout CounterACT
This integration is part of the Forescout eyeSight Pack. Forescout CounterACT is a unified device visibility and control platform for IT and OT security.
Detailed Information
Read this section and perform all necessary steps before you configure an integration instance.
Forescout CounterACT Module Requirements
Before you can use this integration in Cortex XSOAR, you need to enable certain modules in your Forescout CounterACT environment.
- In the Forescout CounterACT console, from the navigation bar select Tools > Options .
- In the dialog that appears, from the categories section on the left, click Modules .
- In the main area of the dialog, from the drop-down menu, select Open Integration Module . Make sure that the integration module and its Data Exchange (DEX) and Web API submodules are all installed and enabled. If they aren't, install and enable them.
Configuration Parameters
url
The network address of the Forescout Enterprise Manager or standalone Appliance (the host on which the Forescout Appliance is hosted). For example, if the Forescout Appliance is hosted at the IP address 192.168.10.23, enter https://192.168.10.23 .
Web API Username and Password
The credentials entered here should be those created in the Forescout console for the Web API .
- In the Forescout CounterACT console, from the top navigation bar, click Tools > Options .
- From the dialog that appears, in the categories section on the left, click Web API , and select User Settings .
- Create a username and password by clicking the Add button, and completing the fields. These are the credentials that you will enter when configuring the Cortex XSOAR-Forescout integration: Web API Username and Password .
- Select Client IPs towards the top of the main area of the dialog, next to User Settings .
- Add the IP address where your Cortex XSOAR instance is hosted so that requests made by the Cortex XSOAR-Forescout integration will be permitted. Allowing requests from all IP addresses also works, but restricting the list to the Cortex XSOAR address is preferable, since anyone who obtains the Web API credentials can otherwise query the API from any host.
- Click the Apply button to save the changes you made.
Data Exchange (DEX) Username and Password
The credentials entered here should be those created in the Forescout console for Data Exchange (DEX) .
- In the Forescout CounterACT console, from the top navigation bar, click Tools > Options .
- From the dialog that appears, in the categories section on the left, click Data Exchange (DEX) .
- Select CounterACT Web Service > Accounts .
- Create a username and password by clicking the Add button, and completing the fields. Note : The value you entered for the Name field in the account-creation pop-up window is the value that you should enter for the Data Exchange (DEX) Account configuration parameter.
- Click the Apply button to save the changes you made.
The username and password entered in the account-creation dialog are the credentials that you will enter when configuring the Cortex XSOAR-Forescout integration: Data Exchange (DEX) Username and Password .
Data Exchange (DEX) Account
The value of the Name field of the Data Exchange (DEX) credentials. This can be found by navigating to Tools > Options > Data Exchange (DEX) > CounterACT Web Service > Accounts .
Important Usage Notes
This integration allows the user to update host properties and Forescout Lists. Properties that you want to update through the Cortex XSOAR-Forescout integration must first be created in the Forescout console: navigate to Tools > Options > Data Exchange (DEX) > CounterACT Web Console > Properties and create the new properties there. Make sure to associate the properties with the account you created and used in the configuration parameters of the Forescout integration in Cortex XSOAR. Lists must likewise be defined and created in the Forescout console before you can update them using the Cortex XSOAR-Forescout integration. For more information, see the Defining and Managing Lists section in the Forescout Administration Guide .
Configure Forescout on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for Forescout.
- Click Add instance to create and configure a new integration instance.
  - Name : a textual name for the integration instance.
  - URL : the network address of the Forescout Enterprise Manager or standalone Appliance, e.g. ‘ https://10.0.0.8 ’.
  - Web API Username and Password (see Detailed Information above)
  - Data Exchange (DEX) Username and Password (see Detailed Information above)
  - Data Exchange (DEX) Account (see Detailed Information above)
  - HTTP Timeout (default is 60 seconds)
  - Trust any certificate (not secure) : leave this unchecked in production and instead make the appliance’s certificate (or its issuing CA) trusted by the Cortex XSOAR server, so that the Web API and DEX credentials are only ever sent to the authentic appliance.
  - Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Get a list of active endpoints
Retrieves a list of active endpoints.
Base Command
forescout-get-hosts
Input
Argument Name | Description | Required |
---|---|---|
rule_ids | Filter hosts by those selected by policies or policy sub-rules. Policies and/or rules should be specified by their IDs. To find policy and rule IDs by which you can filter, run the forescout-get-policies command. If multiple policy and/or rule IDs are entered, only hosts that are selected by all of the policies and/or rules specified will be returned. Multiple policy or rule IDs should be separated by a comma. | Optional |
fields | Filter hosts based on host field values. Enter fields with their associated values in the following format, ‘{field_1}={val_1}&{field_2}={val_2} … &{field_n}={val_n}’ where ‘{field_1}’ through ‘{field_n}’ are replaced by actual field names and ‘{val_1}’ through ‘{val_n}’ are replaced by the desired matching values. Note that a list field may be specified with the values separated by commas. Only hosts whose properties match all the specified values will be returned. For a list of potential host fields that may be specified, try executing the ‘forescout-get-host-fields’ command. A composite property may also be specified. If entered in the format where all the field-value pairs are in a single set of square brackets, for example, ‘{composite_prop}=[{field_1},{val_1},…,{field_n},{val_n}]’ then only hosts for which the specified composite property’s fields all match the values entered will be returned. If entered in the format, ‘{composite_prop}=[{field_1},{val_1}],…,[{field_n},{val_n}]’ where each field-value pair is enclosed in its own set of brackets, then hosts for which the composite property contains any of the field-values specified will be returned. Note that for composite properties, sub-fields should be entered as their internal representation in Forescout. To find the internal representation for a composite property’s sub-fields try executing the ‘forescout-get-host’ command with the host specified in the ‘ip’, ‘mac’ or ‘id’ argument and the name of the composite property entered in the ‘fields’ argument of the command. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Forescout.Host.ID | Number | Forescout ID for the host. |
Forescout.Host.IPAddress | String | IP Address of the host. |
Forescout.Host.MACAddress | String | MAC Address of the host. |
Endpoint.IPAddress | String | IP Address of the host. |
Endpoint.MACAddress | String | MAC Address of the host. |
Command Example
forescout-get-hosts fields=online=true
Context Example
```json
{
  "Forescout.Host": [
    { "MACAddress": "000c29e9e452", "IPAddress": "192.168.1.44", "ID": "3232235820" },
    { "MACAddress": "000c297cc5ae", "IPAddress": "192.168.1.125", "ID": "3232235901" },
    { "MACAddress": "005056a1ad60", "IPAddress": "192.168.1.52", "ID": "3232235828" },
    { "MACAddress": "000c29497e4e", "IPAddress": "192.168.1.119", "ID": "3232235895" },
    { "MACAddress": "000000000000", "IPAddress": "192.168.1.8", "ID": "3232235784" },
    { "MACAddress": null, "IPAddress": "192.168.1.1", "ID": "3232235777" },
    { "MACAddress": "005056b1488d", "IPAddress": "192.168.1.31", "ID": "3232235807" },
    { "MACAddress": "005056b1a93f", "IPAddress": "192.168.1.17", "ID": "3232235793" },
    { "MACAddress": null, "IPAddress": "192.168.1.212", "ID": "3232235988" }
  ],
  "Endpoint": [
    { "MACAddress": "000c29e9e452", "IPAddress": "192.168.1.44" },
    { "MACAddress": "000c297cc5ae", "IPAddress": "192.168.1.125" },
    { "MACAddress": "005056a1ad60", "IPAddress": "192.168.1.52" },
    { "MACAddress": "000c29497e4e", "IPAddress": "192.168.1.119" },
    { "MACAddress": "000000000000", "IPAddress": "192.168.1.8" },
    { "MACAddress": null, "IPAddress": "192.168.1.1" },
    { "MACAddress": "005056b1488d", "IPAddress": "192.168.1.31" },
    { "MACAddress": "005056b1a93f", "IPAddress": "192.168.1.17" },
    { "MACAddress": null, "IPAddress": "192.168.1.212" }
  ]
}
```
Human Readable Output
Active Endpoints
ID | IPAddress | MACAddress |
---|---|---|
3232235820 | 192.168.1.44 | 000c29e9e452 |
3232235901 | 192.168.1.125 | 000c297cc5ae |
3232235828 | 192.168.1.52 | 005056a1ad60 |
3232235895 | 192.168.1.119 | 000c29497e4e |
3232235784 | 192.168.1.8 | 000000000000 |
3232235777 | 192.168.1.1 | |
3232235807 | 192.168.1.31 | 005056b1488d |
3232235793 | 192.168.1.17 | 005056b1a93f |
3232235988 | 192.168.1.212 | |
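The `fields` argument syntax described above has four value forms (plain value, comma-separated list field, composite property in a single bracket group for "all sub-fields must match", and one bracket group per pair for "any pair may match") and is easy to get wrong by hand. The helper below, an added example that is not part of the integration's own code, builds the string from a Python mapping so a playbook can assemble the filter programmatically. Only the `online` field comes from the page; `example_list`, `example_composite`, `shape` and `color` are illustrative names, not real Forescout properties, and sub-field names are passed through untouched because Forescout expects their internal representation.

```python
"""Build the `fields` argument string for forescout-get-hosts.

Added example, not part of the integration's code. It encodes the value
forms the `fields` argument accepts: a plain value, a list field (values
joined by commas), a composite property whose sub-fields must ALL match
(one bracket group) and a composite property where ANY listed pair may
match (one bracket group per pair). Field and sub-field names are not
translated; Forescout expects their internal names.
"""
from typing import Iterable, Mapping, Tuple, Union

Scalar = Union[str, int, float, bool]


def _fmt(value: Scalar) -> str:
    """Render a value the way the filter expects (booleans as true/false)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def composite_all(pairs: Iterable[Tuple[str, Scalar]]) -> str:
    """[f1,v1,f2,v2,...]: every listed sub-field must match."""
    body = ",".join(f"{field},{_fmt(value)}" for field, value in pairs)
    return f"[{body}]"


def composite_any(pairs: Iterable[Tuple[str, Scalar]]) -> str:
    """[f1,v1],[f2,v2],...: a host matches if any listed pair matches."""
    return ",".join(f"[{field},{_fmt(value)}]" for field, value in pairs)


def build_fields_filter(filters: Mapping[str, object]) -> str:
    """Join {field}={value} pairs with '&'.

    A list/tuple value becomes a comma-separated list-field match; a string
    produced by composite_all()/composite_any() is used verbatim. Field names
    containing the separators '=' or '&' are rejected rather than silently
    producing a filter that means something else.
    """
    parts = []
    for name, value in filters.items():
        if any(ch in name for ch in "=&"):
            raise ValueError(f"field name {name!r} contains a reserved character")
        if isinstance(value, (list, tuple)):
            rendered = ",".join(_fmt(v) for v in value)
        else:
            rendered = _fmt(value)  # type: ignore[arg-type]
        parts.append(f"{name}={rendered}")
    return "&".join(parts)


if __name__ == "__main__":
    # Reproduces the command example above: forescout-get-hosts fields=online=true
    print(build_fields_filter({"online": True}))
    # Composite forms; example_composite/shape/color are illustrative names only.
    print(build_fields_filter({
        "online": True,
        "example_composite": composite_all([("shape", "Triangle"), ("color", "Beige")]),
    }))
    print(build_fields_filter({
        "example_composite": composite_any([("shape", "Triangle"), ("color", "Beige")]),
    }))
```

Pass the returned string as the `fields` argument; because every pair is joined with `&`, a host is returned only when it satisfies all of them, which is the conjunctive semantics the argument description states.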
2. Get an index of host fields
Retrieves an index of Forescout host fields that match the specified criteria.
Base Command
forescout-get-host-fields
Input
Argument Name | Description | Required |
---|---|---|
search_in | Each host field has three searchable parts, the ‘name’, ‘label’, and ‘description’. By default only the ‘name’ will be searched. If you want to expand the search to include the description, you would enter ‘name,description’ for this argument. | Optional |
case_sensitive | Determines whether to match the case of the entered search term. | Optional |
match_exactly | Determines whether the search term is matched against the entirety of the potential host field instead of just seeing whether the host field contains the search term. | Optional |
search_term | The term to filter host fields by. By default, the search will be case insensitive and checked to see if a host field contains the search term unless otherwise specified in the ‘case_sensitive’ and ‘match_exactly’ arguments respectively. | Optional |
host_field_type | Limit the search to host fields whose values are of a certain type. For example, to limit the search to host properties whose values are either boolean, ip or a date enter ‘boolean,ip,date’. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Forescout.HostField | Unknown | List index of host properties. |
Command Example
forescout-get-host-fields search_term=hostname case_sensitive=false host_field_type=tree_path,string match_exactly=False search_in=name,label,description
Context Example
```json
{
  "Forescout.HostField": [
    { "Name": "nbthost", "Type": "string", "Description": "Indicates the NetBIOS hostname of the host.", "Label": "NetBIOS Hostname" },
    { "Name": "hostname", "Type": "string", "Description": "Indicates the DNS name of the host.", "Label": "DNS Name" },
    { "Name": "aws_instance_public_dns", "Type": "string", "Description": "The public hostname of the EC2 instance, which resolves to the public IP address or Elastic IP address of the instance.", "Label": "EC2 Public DNS" },
    { "Name": "dhcp_hostname", "Type": "string", "Description": "The device Host Name as advertised by DHCP", "Label": "DHCP Hostname" },
    { "Name": "linux_hostname", "Type": "string", "Description": "Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely.", "Label": "Linux Hostname" },
    { "Name": "mac_hostname", "Type": "string", "Description": "Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely.", "Label": "Macintosh Hostname" },
    { "Name": "sw_hostname", "Type": "string", "Description": "The switch name as defined in the switch", "Label": "Switch Hostname" },
    { "Name": "wifi_end_point_host_name", "Type": "string", "Description": "", "Label": "WiFi End Point Hostname" },
    { "Name": "vmware_guest_host", "Type": "string", "Description": "Indicates the hostname of the guest operating system. VMware Tools must be running on the endpoint to resolve this property.", "Label": "Virtual Machine Guest Hostname" },
    { "Name": "vmware_esxi_hostname", "Type": "string", "Description": "Indicates the hostname of the ESXi server.", "Label": "VMware ESXi Server Name" },
    { "Name": "wifi_client_hostname", "Type": "string", "Description": "Indicates the user name of the client.", "Label": "WLAN Client Username" }
  ]
}
```
Human Readable Output
Index of Host Fields
Label | Name | Description | Type |
---|---|---|---|
NetBIOS Hostname | nbthost | Indicates the NetBIOS hostname of the host. | string |
DNS Name | hostname | Indicates the DNS name of the host. | string |
EC2 Public DNS | aws_instance_public_dns | The public hostname of the EC2 instance, which resolves to the public IP address or Elastic IP address of the instance. | string |
DHCP Hostname | dhcp_hostname | The device Host Name as advertised by DHCP | string |
Linux Hostname | linux_hostname | Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. | string |
Macintosh Hostname | mac_hostname | Indicates a hostname. Use of this property requires that the host is managed by CounterACT via SecureConnector or remotely. | string |
Switch Hostname | sw_hostname | The switch name as defined in the switch | string |
WiFi End Point Hostname | wifi_end_point_host_name | | string |
Virtual Machine Guest Hostname | vmware_guest_host | Indicates the hostname of the guest operating system. VMware Tools must be running on the endpoint to resolve this property. | string |
VMware ESXi Server Name | vmware_esxi_hostname | Indicates the hostname of the ESXi server. | string |
WLAN Client Username | wifi_client_hostname | Indicates the user name of the client. | string |
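The command example above searches for ‘hostname’ in the name, label and description of every host field, which is why `nbthost` and `wifi_end_point_host_name` (whose names do not contain the term but whose labels do) appear in the output. To make the interaction of `search_term`, `search_in`, `case_sensitive`, `match_exactly` and `host_field_type` concrete, the added example below, which is not the integration's code and does not claim to be how the integration filters internally, applies the same semantics to a small constructed subset of the records shown in the context example (the `online` boolean field is also constructed, to exercise `host_field_type`).

```python
"""Client-side model of the forescout-get-host-fields search arguments.

Added example, not code from the integration. It applies the filter
arguments described above (search_term, search_in, case_sensitive,
match_exactly, host_field_type) to host-field records shaped like the
command's context output. SAMPLE_FIELDS is a constructed subset of the
fields shown in the context example; the 'online' record is constructed.
"""
from typing import Dict, Iterable, List

SAMPLE_FIELDS: List[Dict[str, str]] = [
    {"Name": "nbthost", "Label": "NetBIOS Hostname", "Type": "string",
     "Description": "Indicates the NetBIOS hostname of the host."},
    {"Name": "hostname", "Label": "DNS Name", "Type": "string",
     "Description": "Indicates the DNS name of the host."},
    {"Name": "wifi_end_point_host_name", "Label": "WiFi End Point Hostname",
     "Type": "string", "Description": ""},
    {"Name": "online", "Label": "Online", "Type": "boolean",  # constructed record
     "Description": "Host is online."},
]


def _matches(text: str, term: str, case_sensitive: bool, match_exactly: bool) -> bool:
    """Default is a case-insensitive substring test; the flags tighten it."""
    if not case_sensitive:
        text, term = text.lower(), term.lower()
    return text == term if match_exactly else term in text


def search_host_fields(fields: Iterable[Dict[str, str]], search_term: str = "",
                       search_in: str = "name", case_sensitive: bool = False,
                       match_exactly: bool = False, host_field_type: str = "") -> List[str]:
    """Return the Name of every record that satisfies all the filters.

    search_in and host_field_type are comma-separated like the command
    arguments; each search_in part is mapped to the record key of the same
    name ('name' -> 'Name', 'description' -> 'Description').
    """
    parts = [p.strip().capitalize() for p in search_in.split(",") if p.strip()]
    types = {t.strip() for t in host_field_type.split(",") if t.strip()}
    matched: List[str] = []
    for record in fields:
        if types and record.get("Type") not in types:
            continue  # host_field_type restricts before the text search runs
        if search_term and not any(
            _matches(record.get(part, ""), search_term, case_sensitive, match_exactly)
            for part in parts
        ):
            continue
        matched.append(record["Name"])
    return matched


if __name__ == "__main__":
    # Name only (the default): the term must appear in the internal name.
    print(search_host_fields(SAMPLE_FIELDS, "hostname"))
    # Widening to label and description brings in nbthost and the WiFi field.
    print(search_host_fields(SAMPLE_FIELDS, "hostname", search_in="name,label,description"))
```

The same term can therefore return different property sets depending on `search_in`; when you are looking for the internal name to pass to `forescout-get-hosts` or `forescout-update-host-fields`, search the name with `match_exactly=true` to avoid picking up look-alikes.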
3. Get details for a host
Retrieves details of specified host.
Base Command
forescout-get-host
Input
Argument Name | Description | Required |
---|---|---|
fields | List of host properties to include in the output for the targeted endpoint. If a specified host property is not found, the property is omitted from the outputs. For a list of potential host properties that may be specified, try executing the ‘forescout-get-host-fields’ command. Requested fields should be comma separated. | Optional |
ip | IP (ipv4) of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
mac | MAC address of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
id | Forescout ID of the desired endpoint. Endpoint identifiers - IPs, MAC addresses and object IDs - can be found in the returned outputs when forescout-get-hosts is executed. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Forescout.Host.MatchedFingerprint | Unknown | An endpoint may match multiple profiles. This property indicates all the classification profiles that this endpoint matches. |
Forescout.Host.EngineSeenPacket | String | Indicates the host was seen by CounterACT. |
Forescout.Host.Online | String | Host is online. |
Forescout.Host.PrimClassification | String | Indicates the most specific endpoint function detected. If CounterACT detects multiple endpoint functions, the property is resolved as the most specific value that is common to all the detected functions. If there is no common value, the property is resolved as ‘Multiple Suggestions’. |
Forescout.Host.MacVendorString | String | Indicates a value associated with the NIC Vendor |
Forescout.Host.SambaOpenPort | String | NetBIOS ports are open |
Forescout.Host.UserDefFp | String | Indicates the operating system of the endpoint, as determined by classification tools. |
Forescout.Host.Vendor | String | Network Device Vendor, Type and Model |
Forescout.Host.AgentVersion | String | Indicates the SecureConnector version installed on a Windows host. |
Forescout.Host.Fingerprint | String | Passive OS detection based on Syn packets |
Forescout.Host.AccessIP | String | Indicates the last IP that was investigated for this host |
Forescout.Host.VendorClassification | String | Indicates the most specific vendor and model detected. |
Forescout.Host.ManageAgent | String | Indicates if the host is running SecureConnector. |
Forescout.Host.Onsite | String | Indicates that a host is connected to the organizational network |
Forescout.Host.MacPrefix32 | String | MAC prefix |
Forescout.Host.VaNetfunc | String | Reported CDP VoIP device description for VA netfunc |
Forescout.Host.NmapDefFp7 | String | Nmap-OS Fingerprint(Ver. 7.01) |
Forescout.Host.NmapDefFp5 | String | Nmap-OS Fingerprint(Ver. 5.3) |
Forescout.Host.AgentInstallMode | String | Indicates the SecureConnector deployment mode installed on the host. |
Forescout.Host.NmapFp7 | String | Nmap-OS Class(Ver. 7.01) (Obsolete) |
Forescout.Host.ClType | String | Indicates how CounterACT determines the Network Function property of the endpoint. |
Forescout.Host.ClRule | String | Indicates the rule responsible for classifying the host |
Forescout.Host.AgentVisibleMode | String | Indicates the SecureConnector visible mode installed on the host. |
Forescout.Host.OSClassification | String | Operating System |
Forescout.Host.ClassificationSourceOS | String | Indicates how the Operating System classification property was determined for this endpoint. |
Forescout.Host.LastNbtReportTime | String | Last time when NBT name was reported |
Forescout.Host.Misc | String | Miscellaneous |
Forescout.Host.ClassificationSourceFunc | String | Indicates how the Function classification property was determined for this endpoint. |
Forescout.Host.NmapNetfunc7 | String | Nmap-Network Function(Ver. 7.01) |
Forescout.Host.MAC | Unknown | ARP Spoofing (Obsolete) |
Forescout.Host.OpenPort | Unknown | Open Ports |
Forescout.Host.GstSignedInStat | String | Logged In Status |
Forescout.Host.DhcpClass | String | The device class according to the DHCP fingerprint |
Forescout.Host.ADM | String | Admission Events. |
Forescout.Host.DhcpReqFingerprint | String | The host DHCP request fingerprint |
Forescout.Host.DhcpOptFingerprint | String | The host DHCP options fingerprint |
Forescout.Host.Ipv4ReportTime | String | Indicates the last time that IPv4 reported to the infrastructure |
Forescout.Host.DhcpOS | String | The device OS according to the DHCP fingerprint |
Forescout.Host.DhcpHostname | String | The device Host Name as advertised by DHCP |
Forescout.Host.IPAddress | String | Host IP address |
Forescout.Host.MACAddress | String | Host MAC address |
Forescout.Host.ID | Number | Forescout ID number for the host |
Endpoint.IPAddress | String | IP Address of the host. |
Endpoint.MACAddress | String | MAC Address of the host. |
Endpoint.DHCPServer | String | Endpoint DHCP Server. |
Endpoint.Hostname | String | Hostname of the endpoint. |
Endpoint.OS | String | Endpoint Operating System. |
Endpoint.Model | String | Vendor and Model of the endpoint. |
Endpoint.Domain | String | Domain of the endpoint. |
Command Example
forescout-get-host ip=192.168.1.212 fields=fsapi_DemistoTest,fsapi_demisto_composite,fsapi_demisto_list,fsapi_composite_1
Context Example
```json
{
  "Forescout.Host": { "MACAddress": null, "IPAddress": "192.168.1.212", "ID": "3232235988" },
  "Endpoint": { "MACAddress": null, "IPAddress": "192.168.1.212" }
}
```
Human Readable Output
Endpoint Details for IP=192.168.1.212
ID | IPAddress |
---|---|
3232235988 | 192.168.1.212 |
4. Get a list of policies
Retrieves a list of all policies defined in the Forescout platform and their sub-rules.
Base Command
forescout-get-policies
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Forescout.Policy.ID | String | Forescout ID for the policy. |
Forescout.Policy.Name | String | Forescout name of the policy. |
Forescout.Policy.Description | String | Description of the policy. |
Forescout.Policy.Rule | Unknown | List of rules that make up the policy. |
Command Example
forescout-get-policies
Context Example
```json
{
  "Forescout.Policy": [
    {
      "Name": "Primary Classification",
      "Description": "",
      "ID": "2101168655015691125",
      "Rule": [
        { "Name": "CounterACT Devices", "Description": "", "ID": "-1203369125012565008" },
        { "Name": "NAT Devices", "Description": "When a device is NAT, its other classifications may be inaccurate. Therefore, we put the NAT detection first.", "ID": "-5021668745466479821" },
        { "Name": "Printers", "Description": "", "ID": "-275357014618763061" },
        { "Name": "VoIP Devices", "Description": "", "ID": "4202614624411873493" },
        { "Name": "Networking Equipment", "Description": "", "ID": "195929949297431248" },
        { "Name": "Storage", "Description": "", "ID": "-6750955562195414496" },
        { "Name": "Windows", "Description": "", "ID": "-6030907744367556977" },
        { "Name": "Macintosh", "Description": "", "ID": "2278199708439440583" },
        { "Name": "Linux\\Unix", "Description": "", "ID": "-7562731206926229799" },
        { "Name": "Mobile Devices", "Description": "", "ID": "4030118542035508409" },
        { "Name": "Approved Misc Devices", "Description": "", "ID": "168049340370707647" },
        { "Name": "Multiple Profile Matches", "Description": "Endpoints matching this sub-rule could not have either their Function or Operating System determined due to conflicting profile matches.\n\nInvestigate the devices in this sub-rule and either manually classify them or build additional sub-rules to classify them based on patterns you observe. View the values Suggested Function and Suggested Operating System properties to discover the conflicting profile matches.", "ID": "8701509617393717735" },
        { "Name": "Other Known Function", "Description": "", "ID": "-642863379250182254" },
        { "Name": "Other Known Operating System", "Description": "", "ID": "-4200038946418694277" },
        { "Name": "Other Known Vendor", "Description": "", "ID": "150826048313755731" },
        { "Name": "Unclassified", "Description": "", "ID": "-8959326502596556700" }
      ]
    },
    {
      "Name": "Corporate/Guest Control",
      "Description": "",
      "ID": "-7733328397206852516",
      "Rule": [
        { "Name": "Corporate Hosts", "Description": "", "ID": "2240420499151482925" },
        { "Name": "Signed-in Guests", "Description": "", "ID": "1248354759835029874" },
        { "Name": "Guest Hosts", "Description": "", "ID": "9151906460028315616" }
      ]
    },
    {
      "Name": "Antivirus Compliance",
      "Description": "",
      "ID": "-4928940807449738209",
      "Rule": [
        { "Name": "Not Manageable", "Description": "Optional step: Make Windows machines managable by installing the Secure Connector", "ID": "7661917523791823306" },
        { "Name": "AV Not Installed", "Description": "Antivirus is not installed.", "ID": "-2012169476997908764" },
        { "Name": "AV Not Running", "Description": "Antivirus is not running.", "ID": "8013197435392890209" },
        { "Name": "AV Not Updated", "Description": "Antivirus is not updated.", "ID": "6048295467368903309" },
        { "Name": "Compliant", "Description": "", "ID": "-7389372863827790785" }
      ]
    },
    { "Name": "sadfsafg", "Description": "asdf", "ID": "267720461254861999", "Rule": [] }
  ]
}
```
Human Readable Output
Forescout Policies
ID | Name | Description | Rule |
---|---|---|---|
2101168655015691125 | Primary Classification | | ID: -1203369125012565008, Name: CounterACT Devices, Description: , ID: -5021668745466479821, Name: NAT Devices, Description: When a device is NAT, its other classifications may be inaccurate. Therefore, we put the NAT detection first., ID: -275357014618763061, Name: Printers, Description: , ID: 4202614624411873493, Name: VoIP Devices, Description: , ID: 195929949297431248, Name: Networking Equipment, Description: , ID: -6750955562195414496, Name: Storage, Description: , ID: -6030907744367556977, Name: Windows, Description: , ID: 2278199708439440583, Name: Macintosh, Description: , ID: -7562731206926229799, Name: Linux\Unix, Description: , ID: 4030118542035508409, Name: Mobile Devices, Description: , ID: 168049340370707647, Name: Approved Misc Devices, Description: , ID: 8701509617393717735, Name: Multiple Profile Matches, Description: Endpoints matching this sub-rule could not have either their Function or Operating System determined due to conflicting profile matches. Investigate the devices in this sub-rule and either manually classify them or build additional sub-rules to classify them based on patterns you observe. View the values Suggested Function and Suggested Operating System properties to discover the conflicting profile matches., ID: -642863379250182254, Name: Other Known Function, Description: , ID: -4200038946418694277, Name: Other Known Operating System, Description: , ID: 150826048313755731, Name: Other Known Vendor, Description: , ID: -8959326502596556700, Name: Unclassified, Description: |
-7733328397206852516 | Corporate/Guest Control | | ID: 2240420499151482925, Name: Corporate Hosts, Description: , ID: 1248354759835029874, Name: Signed-in Guests, Description: , ID: 9151906460028315616, Name: Guest Hosts, Description: |
-4928940807449738209 | Antivirus Compliance | | ID: 7661917523791823306, Name: Not Manageable, Description: Optional step: Make Windows machines managable by installing the Secure Connector, ID: -2012169476997908764, Name: AV Not Installed, Description: Antivirus is not installed., ID: 8013197435392890209, Name: AV Not Running, Description: Antivirus is not running., ID: 6048295467368903309, Name: AV Not Updated, Description: Antivirus is not updated., ID: -7389372863827790785, Name: Compliant, Description: |
267720461254861999 | sadfsafg | asdf | |
5. Update host fields
Updates one or more fields of a host. Note that if a List field or Composite field has not been defined in Forescout to ‘Aggregate new values from each update’, an update operation on that field overwrites the data previously written to it.
Base Command
forescout-update-host-fields
Input
Argument Name | Description | Required |
---|---|---|
update_type | The type of update to perform on a host field. | Optional |
host_ip | The IP address of the target host. Required if ‘update_type’ is ‘update’ or ‘delete’. | Required |
field | The name of the field to update. Composite fields should be updated using the ‘fields_json’ command argument. | Optional |
value | Value to be assigned to the field specified in the ‘field’ argument. If the value is a list of items, then items should be separated using a comma. | Optional |
fields_json | One may perform multiple field-value assignments using this command argument. The argument should be entered in valid JSON format. This argument is useful for setting composite fields although other fields may be entered as well. For example, '{"Example_Composite": [{"Shape": "Triangle", "Color": "Beige"}, {"Shape": "Square", "Color": "Violet"}], "String_Field": "Example"}' where ‘Example_Composite’ is the name of the Composite field in Forescout and ‘Shape’ and ‘Color’ are sub fields. In the example, ‘String_Field’ is a regular host field of type string whose value will be assigned ‘Example’. If the composite field was defined in Forescout as an aggregate property then additional records will be appended, otherwise they will be overwritten. | Optional |
Context Output
There is no context output for this command.
Command Example
forescout-update-host-fields host_ip=192.168.1.212 field=fsapi_DemistoTest value="Testing new Arguments" fields_json=`{"fsapi_demisto_composite": {"age": "900", "name": "Ignatio Permutti", "alive": "false"}, "fsapi_demisto_list": ["Hey1", "Hey2", "Hey3"], "fsapi_composite_1": [{"animal": "mongoose", "sound": "squeak", "lifespan": "10", "region": "North America"}, {"animal": "squirrel", "sound": "pip", "lifespan": "5", "region": "Everywhere"}]}` update_type=update
Human Readable Output
Successfully updated 4 properties for host ip=192.168.1.212
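Because a non-aggregating List or Composite field is overwritten by every update, an automation that writes enrichment data into Forescout can silently discard what a previous playbook run stored. The added example below, which is not the integration's code, previews the outcome before the command is run: given the host's current values (shaped like a `forescout-get-host` result), the `fields_json` payload you intend to send, and the set of fields the Forescout administrator defined with ‘Aggregate new values from each update’, it returns the value each field will hold afterwards and the records that would be lost. The field names reuse the `fsapi_*` names from the command example above; the current and new values are constructed sample data, and which fields aggregate is an assumption you must take from your own Forescout property definitions.

```python
"""Preview the effect of a forescout-update-host-fields call before sending it.

Added example, not the integration's code. A List or Composite field that
was NOT defined in Forescout with 'Aggregate new values from each update'
is overwritten by each update; an aggregating field has the new records
appended. plan_update() models both cases so an operator can review what
will be lost. Field names reuse the fsapi_* examples from this page; all
values and the aggregate_fields set are constructed sample data.
"""
import json
from typing import Any, Dict, List, Set, Tuple


def _records(value: Any) -> List[Any]:
    """Normalise a field value to a list of records; a dict is one composite record."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def plan_update(current: Dict[str, Any], fields_json: str,
                aggregate_fields: Set[str]) -> Tuple[Dict[str, Any], Dict[str, List[Any]]]:
    """Return (resulting value per field, records that the update would discard).

    fields_json is the exact string you would pass to the command, so the
    same validation failure (not a JSON object) surfaces here first.
    """
    desired = json.loads(fields_json)
    if not isinstance(desired, dict):
        raise ValueError("fields_json must be a JSON object mapping field names to values")

    result: Dict[str, Any] = {}
    lost: Dict[str, List[Any]] = {}
    for field, new_value in desired.items():
        old_value = current.get(field)
        multi_valued = isinstance(new_value, (list, dict)) or isinstance(old_value, (list, dict))
        if multi_valued and field in aggregate_fields:
            # Aggregating list/composite: existing records are kept, new ones appended.
            result[field] = _records(old_value) + _records(new_value)
        else:
            # Scalar field, or a list/composite without aggregation: overwritten.
            result[field] = new_value
            if old_value is not None and old_value != new_value:
                lost[field] = _records(old_value)
    return result, lost


if __name__ == "__main__":
    # Constructed current state, as if returned by forescout-get-host for 192.168.1.212.
    current = {
        "fsapi_DemistoTest": "previous note",
        "fsapi_demisto_list": ["Hey1"],
        "fsapi_composite_1": [{"animal": "mongoose", "sound": "squeak"}],
    }
    payload = json.dumps({
        "fsapi_DemistoTest": "Testing new Arguments",
        "fsapi_demisto_list": ["Hey2", "Hey3"],
        "fsapi_composite_1": [{"animal": "squirrel", "sound": "pip"}],
    })
    # Assumption: only fsapi_demisto_list was defined as aggregating in Forescout.
    outcome, discarded = plan_update(current, payload, aggregate_fields={"fsapi_demisto_list"})
    print(json.dumps(outcome, indent=2))
    print("would be lost:", json.dumps(discarded, indent=2))
```

If `discarded` is non-empty for a field you expected to accumulate, either change the property definition in Forescout to aggregate or merge the existing records into your `fields_json` before calling the command.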
6. Update lists
Updates Forescout lists.
Base Command
forescout-update-lists
Input
Argument Name | Description | Required |
---|---|---|
update_type | The type of update to perform on a Forescout list. | Optional |
list_names | Names of lists defined in the Forescout platform that you wish to update. If the ‘update_type’ is set to ‘delete_all_list_values’ then it is unnecessary to fill in the ‘values’ command argument. Multiple list names should be separated by a comma. To find names of lists that may be updated, navigate to Tools > Options > Lists in the Forescout platform. | Required |
values | The values to add to or delete from the lists entered in the ‘list_names’ command argument. Multiple values should be separated by a comma. Note that the values entered here will be updated for all of the lists entered in the ‘list_names’ command argument. | Optional |
Context Output
There is no context output for this command.
Command Example
forescout-update-lists list_names=disallowed_names,creatures update_type=add_list_values values="ignatius,devon"
Human Readable Output
Successfully added values to the 2 lists.