Skip to main content

Forescout EyeInspect

This Integration is part of the Forescout EyeInspect Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.1 and later.

Forescout EyeInspect#

Delivers flexible and scalable OT/ICS asset visibility. This integration was integrated and tested with version 4.2.20 of Forescout EyeInspect.

Configure Forescout EyeInspect in Cortex#

ParameterDescriptionRequired
Server URLTrue
UsernameTrue
PasswordTrue
Trust any certificate (not secure)False
Use system proxy settingsFalse
Maximum incidents per fetchDefault is 50. Maximum is 200.False
First fetch timestamp (<number> <time unit>, like 12 hours, 7 days)False
Incident typeFalse
Fetch incidentsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

forescout-ei-host-list#


Retrieves information about the hosts in the eyeInspect CC database.

Base Command#

forescout-ei-host-list

Input#

Argument NameDescriptionRequired
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional
last_seenList only records with the last seen timestamp greater than or equal to the provided parameter.Optional
id_minRetrieve hosts that are equal to or greater than the specified ID.Optional
ipA comma-separated list of IP addresses. The command will filter the results from the returned page according to the provided values.Optional
vlan_idA comma-separated list of VLAN IDs. The command will filter the results from the returned page according to the provided values.Optional
mac_addressA comma-separated list of MAC addresses. The command will filter the results from the returned page according to the provided values.Optional
sensor_idA comma-separated list of sensor IDs. The command will filter the results from the returned page according to the provided values.Optional
sort_fieldList records and sort them based on the specified field, as well as on the ID. Also, the command will filter the results from the returned page. Possible values are: ip_reuse_domain_id, ip_reuse_domain, address, ip, vlan, nested_address, mac_addresses, sorted_mac_addresses, real_mac_addresses, sorted_real_mac_addresses, observed_mac_addresses, sorted_observed_mac_addresses, mac_vendors, vendor_with_real_macs, vendor_with_observed_macs, sensor_ids, is_broadcast_ip, is_multicast_ip, is_public_ip, is_learnt_host, name, all_names, description, role, all_roles, vendor_model, all_vendors_models, os_version, client_proto_port_info, server_proto_port_info, first_seen, last_seen, labels, sorted_labels, purdue_level, criticality, firmware_version, hardware_version, serial_number, project, ip_type, monitored_networks, open_ports, complex_cves, sorted_client_protocols, sorted_server_protocols, module_count, sorted_module_details, security_risk, operational_risk, alert_count.Optional
sort_ascendingIndicates whether the result list should be sorted in ascending or descending order. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.Host.idNumberThe unique ID of the host in the eyeInspect CC.
ForescoutEyeInspect.Host.ip_reuse_domain_idNumberThe unique ID of the IP Reuse Domain the host is in.
ForescoutEyeInspect.Host.ipStringThe IP address of the host.
ForescoutEyeInspect.Host.nested_addressStringIn case of a nested device host, the nested address of the host.
ForescoutEyeInspect.Host.vlanStringThe VLAN ID of the host.
ForescoutEyeInspect.Host.mac_addressesStringThe MAC addresses associated to the host.
ForescoutEyeInspect.Host.sensor_idsStringThe unique IDs of the sensors that have "seen" this host.
ForescoutEyeInspect.Host.main_nameStringThe main name of the host.
ForescoutEyeInspect.Host.descriptionStringDescription of the host.
ForescoutEyeInspect.Host.os_versionStringThe operating system version of the host.
ForescoutEyeInspect.Host.first_seenStringThe ISO-formatted timestamp of when the host was first seen.
ForescoutEyeInspect.Host.last_seenStringThe ISO-formatted timestamp of when the host was last seen.
ForescoutEyeInspect.Host.open_portsStringThe open TCP and UDP ports of the host.

Command example#

!forescout-ei-host-list page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"Host": {
"first_seen": "2022-03-18T00:58:27.000+01:00",
"host_mac_addresses": [],
"id": 34558,
"ip": "20.190.159.71",
"ip_reuse_domain_id": 1,
"last_seen": "2022-03-18T00:58:27.000+01:00",
"mac_addresses": [
"C4:24:56:A4:86:11"
],
"nested_address": "",
"sensor_ids": [
9
],
"vlan": ""
}
}
}

Human Readable Output#

Hosts List:#

Current page size: 1 Showing page 1 out of others that may exist. |ID|IP|MAC Addresses| |---|---|---| | 34558 | 20.190.159.71 | C4:24:56:A4:86:11 |

forescout-ei-link-list#


Retrieves information about the links in the eyeInspect CC database.

Base Command#

forescout-ei-link-list

Input#

Argument NameDescriptionRequired
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional
src_host_idList only records with the src_host_id property set to the specified value.Optional
dst_host_idList only records with the dst_host_id property set to the specified value.Optional
protoList only records with the proto field containing the specified value.Optional
portList only records with one of the values of the port property equal to the specified parameter.Optional
last_seenList only records with the last_seen timestamp greater than or equal to the provided parameter.Optional
id_minRetrieve links that are greater than or equal to the specified ID.Optional
sort_fieldList records and sort them based on the specified field, as well as on the ID. Possible values are: src_host_id, dst_host_id, proto, ports, tx_bytes, rx_bytes, first_seen, last_seen.Optional
sort_ascendingIndicates whether the result list should be sorted in ascending or descending order. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.Link.idNumberThe unique ID of the link in the eyeInspect CC.
ForescoutEyeInspect.Link.src_host_idNumberThe unique ID of the source host in the eyeInspect CC.
ForescoutEyeInspect.Link.dst_host_idNumberThe unique ID of the destination host in the eyeInspect CC.
ForescoutEyeInspect.Link.protoStringThe name of the protocol (application layer (L7) and transport or datalink layer (L4 or L3/L2) detected for the link.
ForescoutEyeInspect.Link.tx_bytesNumberThe total number of bytes sent upstream (i.
ForescoutEyeInspect.Link.rx_bytesNumberThe total number of bytes sent downstream (i.
ForescoutEyeInspect.Link.first_seenStringTimestamp in ISO format of when the link was first seen.
ForescoutEyeInspect.Link.last_seenStringTimestamp in ISO format of when the link was last seen.
ForescoutEyeInspect.Link.portsStringTCP or UDP ports used in the link.

Command example#

!forescout-ei-link-list page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"Link": {
"dst_host_id": 34555,
"first_seen": "2022-03-18T10:28:47.000+01:00",
"id": 203725,
"last_seen": "2022-03-18T10:28:56.000+01:00",
"proto": "FailedConnection (TCP)",
"src_host_id": 8
}
}
}

Human Readable Output#

Host Links List:#

Current page size: 1 Showing page 1 out of others that may exist. |ID|Source Host ID|Destination Host ID|Protocol| |---|---|---|---| | 203725 | 8 | 34555 | FailedConnection (TCP) |

forescout-ei-vulnerability-info-get#


Retrieves information about a specific vulnerability stored in the eyeInspect CC database.

Base Command#

forescout-ei-vulnerability-info-get

Input#

Argument NameDescriptionRequired
cve_idThe unique ID of the vulnerability information record to be retrieved. The CVE ID can be retrieved from public vulnerability databases, such as NVD, or from the "CVEs and IoCs" page inside Forescout EyeInspect.Required

Context Output#

PathTypeDescription
ForescoutEyeInspect.CVE.idStringThe vulnerability ID.
ForescoutEyeInspect.CVE.cve_idStringThe CVE ID from the NVD.
ForescoutEyeInspect.CVE.icsa_idStringThe ICS Cert Security Advisory ID related to the vulnerability.
ForescoutEyeInspect.CVE.vendor_specific_idStringThe vendor-specific advisory ID related to the vulnerability.
ForescoutEyeInspect.CVE.published_dateStringThe timestamp in ISO format when the vulnerability information was published.
ForescoutEyeInspect.CVE.last_modified_dateStringThe timestamp in ISO format when the vulnerability information was last modified.
ForescoutEyeInspect.CVE.cvss_scoreNumberThe CVSS score of the vulnerability.
ForescoutEyeInspect.CVE.cvss_temporal_scoreNumberThe CVSS temporal score of the vulnerability.
ForescoutEyeInspect.CVE.cvss_access_vectorStringThe CVSS access vector scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_access_complexityStringThe CVSS access complexity scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_authenticationStringThe CVSS authentication scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_confidentiality_impactStringThe CVSS confidentiality impact scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_integrity_impactStringThe CVSS integrity impact scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_availability_impactStringThe CVSS availability impact scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_exploitabilityStringThe CVSS exploitability scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_remediation_levelStringThe CVSS remediation level scoring of the vulnerability.
ForescoutEyeInspect.CVE.cvss_reporting_confidenceStringThe CVSS reporting confidence scoring of the vulnerability.
ForescoutEyeInspect.CVE.referencesStringThe list of references (URLs) related to the vulnerability.
ForescoutEyeInspect.CVE.vendorStringThe vendor of the product affected by the vulnerability.
ForescoutEyeInspect.CVE.titleStringA short summary of the vulnerability.
ForescoutEyeInspect.CVE.descriptionStringDescription of the vulnerability (including list of vulnerable devices and versions).
ForescoutEyeInspect.CVE.solutionStringDescription of the proposed vulnerability solution (including to what version to update the software/firmware).

Command example#

!forescout-ei-vulnerability-info-get cve_id=CVE-2019-20218

Context Example#

{
"ForescoutEyeInspect": {
"CVE": {
"cve_id": "CVE-2019-20218",
"cvss_access_complexity": "LOW",
"cvss_access_vector": "NETWORK",
"cvss_authentication": "NONE",
"cvss_availability_impact": "PARTIAL",
"cvss_confidentiality_impact": "NONE",
"cvss_exploitability": "UNDEFINED",
"cvss_integrity_impact": "NONE",
"cvss_remediation_level": "UNAVAILABLE",
"cvss_reporting_confidence": "CONFIRMED",
"cvss_score": 5,
"cvss_temporal_score": 0,
"cvss_version": "VERSION_2",
"icsa_id": "",
"id": "CVE-2019-20218",
"last_modified_date": "2020-04-14T02:00:00.000+02:00",
"published_date": "2018-11-27T01:00:00.000+01:00",
"references": [
{
"label": "Siemens CERT",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssb-439005.pdf"
}
],
"solution": "Siemens is working on an update for the firmware, and recommends the following mitigations until an update is available:\n - Apply Defense-in-Depth: https://www.siemens.com/cert/operational-guidelines-industrial-security\n - Only build and run applications from trusted sources",
"summary": "selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.\n VULNERABLE PRODUCT\n - SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP (incl. SIPLUS variant): firmware version V2.6.1, and might also affect previous versions of the firmware",
"title": "Improper handling of exceptional conditions vulnerability in SQLite database in the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP",
"vendor": "Siemens",
"vendor_specific_id": "SSB-439005"
}
}
}

Human Readable Output#

CVE CVE-2019-20218 Information:#

IDTitlePublished DateCvss Score
CVE-2019-20218Improper handling of exceptional conditions vulnerability in SQLite database in the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP2018-11-27T01:00:00.000+01:005.0

forescout-ei-alert-list#


Retrieves information about the alerts inside eyeInspect CC.

Base Command#

forescout-ei-alert-list

Input#

Argument NameDescriptionRequired
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional
start_timestampList only records with the timestamp property greater than or equal to the specified value. For example, 2020-05-26T15:00:00.000Z+01:00.Optional
end_timestampList only records with the timestamp property less than or equal to the specified value. For example, 2020-05-26T15:00:00.000Z+01:00.Optional
event_type_idList records that have the event_type_id property containing the specified parameter.Optional
l4_protoList records that have the l4_proto property equal to the specified parameter. Possible values are: TCP, UDP, ICMP, UNDEFINED.Optional
l7_protoList records that have the l7_proto property equal to the specified parameter.Optional
src_ipList records that have the src_ip property equal to the specified parameter, or contained in the given CIDR-defined network.Optional
dst_ipList records that have the dst_ip property equal to the specified parameter, or contained in the given CIDR-defined network.Optional
ipList records that have either the src_ip or the dst_ip property equal to the specified parameter, or contained in the given CIDR-defined network.Optional
severityA comma-separated list of severities. The command will filter the results from the returned page according to the provided values.Optional
vlan_idA comma-separated list of vLAN IDs. The command will filter the results from the returned page according to the provided values.Optional
statusA comma-separated list of statuses. The command will filter the results from the returned page according to the provided values. Possible values are: Not analysed, In progress, Analyzed, False alert, Relevant, Not relevant, Unknown, Trimmed.Optional
sensor_nameA comma-separated list of sensor names. The command will filter the results from the returned page according to the provided values.Optional
dst_portFetch records that have the dst_port property equal to the specified parameter.Optional
src_host_idList records that have the src_ip or src_mac property equal to the IP address or MAC address of the host with ID equal to the specified parameter.Optional
dst_host_idList records that have the dst_ip or dst_mac property equal to the IP address or MAC address of the host with ID equal to the specified parameter.Optional
host_idList records that have either the src_ip, src_mac or dst_ip, dst_mac equal to the IP address or MAC address of the host with ID equal to the specified parameter.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.Alert.alert_idNumberThe ID of the alert in the eyeInspect database.
ForescoutEyeInspect.Alert.timestampStringTimestamp of the alert in ISO format.
ForescoutEyeInspect.Alert.event_type_idsStringThe list of unique IDs identifying the type of events reported in the alert.
ForescoutEyeInspect.Alert.event_type_namesStringThe list of names of the type of events reported in the alert.
ForescoutEyeInspect.Alert.descriptionStringA description of the event types reported in the alert, as well as other details regarding the specific alert instance coming from the sensor.
ForescoutEyeInspect.Alert.notesStringNotes that a eyeInspect user may have attached to the alert.
ForescoutEyeInspect.Alert.sensor_idNumberThe unique ID of the sensor firing the Alert.
ForescoutEyeInspect.Alert.sensor_nameStringThe name of the sensor firing the alert.
ForescoutEyeInspect.Alert.engineStringThe detection engine that raised the Alert.
ForescoutEyeInspect.Alert.profile_module_nameStringThe name of the profile or module that raised the Alert.
ForescoutEyeInspect.Alert.profile_idNumberThe unique ID of the profile that raised the alert.
ForescoutEyeInspect.Alert.l2_protoStringThe layer 2 (datalink) protocol.
ForescoutEyeInspect.Alert.l3_protoStringThe layer 3 (network) protocol.
ForescoutEyeInspect.Alert.l4_protoStringThe layer 4 (transport) protocol.
ForescoutEyeInspect.Alert.l7_protoStringThe layer 7 (application) protocol.
ForescoutEyeInspect.Alert.vlanStringThe VLAN ID used in the network communication reported in the alert.
ForescoutEyeInspect.Alert.src_macStringThe MAC address of the host initiating the connection reported in the alert.
ForescoutEyeInspect.Alert.dst_macStringThe MAC address of the host receiving the connection reported in the alert.
ForescoutEyeInspect.Alert.src_ipStringThe IP address of the host initiating the connection reported in the alert.
ForescoutEyeInspect.Alert.dst_ipStringThe IP address of the host receiving the connection reported in the alert.
ForescoutEyeInspect.Alert.src_portNumberThe source TCP or UDP port used in the connection reported in the alert.
ForescoutEyeInspect.Alert.dst_portNumberThe destination TCP or UDP port used in the connection reported in the alert.
ForescoutEyeInspect.Alert.severityNumberThe severity level of the alert.
ForescoutEyeInspect.Alert.statusStringThe status of the alert.

Command example#

!forescout-ei-alert-list page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"Alert": {
"alert_id": 1,
"case_id": 0,
"case_name": "",
"description": "TCP portscan: the attacker sends multiple out-of-state ACK packets to scan the victim's hosts and determine the open ports. This might be intelligence gathering or (the first phase of) an attack (e.g., DoS, exploit)\n\nFailed connections:\n - (scanner) 213.8.143.143 \n - 192.168.92.12 \n * 54009 ( 1 failed connection(s) [ ACK: 1 ] )\n * 54010 ( 1 failed connection(s) [ ACK: 1 ] )\n * 54011 ( 1 failed connection(s) [ ACK: 1 ] )\n * 54013 ( 1 failed connection(s) [ ACK: 1 ] )\n * 54017 ( 1 failed connection(s) [ ACK: 1 ] )\n",
"direction_certain": false,
"dst_ip": "192.168.92.12",
"dst_mac": "",
"dst_port": 0,
"engine": "PORTSCAN",
"event_type_ids": [
"ps_tcp_ack"
],
"event_type_names": [
"TCP ACK portscan"
],
"fea_alert_count": 0,
"fea_duration_sec": 0,
"fea_start": "1970-01-01T01:00:00.000+01:00",
"fea_state": "None",
"hotstart": false,
"l2_proto": "ETHERNET",
"l3_proto": "IP",
"l4_proto": "TCP",
"l7_proto": "UNDEFINED",
"labels": "",
"link": "https://192.168.30.115/evt?id=1",
"normalized": false,
"notes": "",
"profile_id": 0,
"profile_module_name": "Portscan",
"sensor_id": 9,
"sensor_name": "Test1",
"severity": 2,
"src_ip": "213.8.143.143",
"src_mac": "",
"src_port": 0,
"status": "Not analyzed",
"timestamp": "2022-02-03T07:49:50.092+01:00",
"vlan": "",
"xsoar_severity": 1
}
}
}

Human Readable Output#

Alerts List:#

Current page size: 1 Showing page 1 out of others that may exist. |Alert ID|Description|Timestamp|Source IP|Destination IP| |---|---|---|---|---| | 1 | TCP portscan: the attacker sends multiple out-of-state ACK packets to scan the victim's hosts and determine the open ports. This might be intelligence gathering or (the first phase of) an attack (e.g., DoS, exploit)

Failed connections:
- (scanner) 213.8.143.143
- 192.168.92.12
54009 ( 1 failed connection(s) [ ACK: 1 ] )
54010 ( 1 failed connection(s) [ ACK: 1 ] )
54011 ( 1 failed connection(s) [ ACK: 1 ] )
54013 ( 1 failed connection(s) [ ACK: 1 ] )
* 54017 ( 1 failed connection(s) [ ACK: 1 ] )
| 2022-02-03T07:49:50.092+01:00 | 213.8.143.143 | 192.168.92.12 |

forescout-ei-alert-pcap-get#


Retrieves the PCAP file associated to a given alert.

Base Command#

forescout-ei-alert-pcap-get

Input#

Argument NameDescriptionRequired
alert_idThe unique ID of the alert to get the PCAP of.Required

Context Output#

PathTypeDescription
InfoFile.SizeNumberThe size of the file.
InfoFile.NameStringThe name of the file.
InfoFile.EntryIDStringThe entry ID of the file.
InfoFile.InfoStringFile information.
InfoFile.TypeStringThe file type.
InfoFile.ExtensionStringThe file extension.

Command example#

!forescout-ei-alert-pcap-get alert_id=1

Context Example#

{
"InfoFile": {
"EntryID": "3111@8479e914-8493-4968-8f32-78852375d17b",
"Extension": "pcap",
"Info": "application/vnd.tcpdump.pcap",
"Name": "alert_1_sniff.pcap",
"Size": 424,
"Type": "tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)"
}
}

Human Readable Output#

forescout-ei-sensor-list#


Retrieves information about the sensors associated to the eyeInspect CC.

Base Command#

forescout-ei-sensor-list

Input#

Argument NameDescriptionRequired
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional
all_sensorsWhether to retrieve all the sensors (ICS Patrol and passive) or only the passive ones. Possible values are: true, false.Optional
nameA comma-separated list of sensor names. The command will filter the results from the returned page according to the provided values.Optional
addressA comma-separated list of IP addresses or domain names. The command will filter the results from the returned page according to the provided values.Optional
portA comma-separated list of listening ports. The command will filter the results from the returned page according to the provided values.Optional
typeA comma-separated list of sensor types. The command will filter the results according to the provided values. Possible values are: PASSIVE, PATROL.Optional
stateA comma-separated list of sensor states. The command will filter the results from the returned page according to the provided values. Possible values are: OPERATIVE_ON, OPERATIVE_OFF, DISCONNECTED, LICENSE_EXPIRED, LICENSE_INVALID, UNKNOWN.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.Sensor.idNumberUnique ID of the sensor in the eyeInspect CC.
ForescoutEyeInspect.Sensor.nameStringName of the sensor.
ForescoutEyeInspect.Sensor.addressStringIP address or domain name of the sensor's management interface.
ForescoutEyeInspect.Sensor.portNumberTCP port number on which the sensor is listening for incoming CC connections.
ForescoutEyeInspect.Sensor.typeStringType of the sensor (PASSIVE / PATROL).
ForescoutEyeInspect.Sensor.sensor_versionStringVersion of the eyeInspect sensor software.
ForescoutEyeInspect.Sensor.stateStringCurrent status of the sensor.
ForescoutEyeInspect.Sensor.health_statusStringCurrent health status of the sensor.

Command example#

!forescout-ei-sensor-list page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"Sensor": {
"address": "127.0.0.1",
"health_status": {
"cpu_load_avg_1_min": {
"current_value": "8.5%",
"level": "NORMAL",
"name": ""
},
"disk_usage": [
{
"current_value": "8%",
"level": "NORMAL",
"name": "/"
}
],
"dropped_packets": {
"current_value": "0%",
"level": "NORMAL",
"name": ""
},
"license_status": {
"current_value": "VALID",
"level": "NORMAL",
"name": ""
},
"memory_usage": {
"current_value": "84.62%",
"level": "WARNING",
"name": ""
},
"net_if_status": [
{
"current_value": "Running",
"level": "NORMAL",
"name": "br-1b1f2d7e6a87"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "ens160"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "ens192"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "veth24fab08"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "vethf0fd758"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "vethfb6c608"
}
],
"services": [],
"throughput": {
"current_value": "0.0 bps",
"level": "CRITICAL",
"name": ""
}
},
"id": 2,
"name": "sensor1",
"port": 9999,
"sensor_version": "4.3.21",
"state": "OPERATIVE_ON",
"type": "PASSIVE"
}
}
}

Human Readable Output#

Sensors List:#

Current page size: 1 Showing page 1 out of others that may exist. |ID|Name|Address|Port|Type| |---|---|---|---|---| | 2 | sensor1 | 127.0.0.1 | 9999 | PASSIVE |

forescout-ei-sensor-module-list#


Retrieves information about the modules of the specified sensor.

Base Command#

forescout-ei-sensor-module-list

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor to query for modules.Required
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.SensorModule.idNumberUnique ID of the module in the eyeInspect CC.
ForescoutEyeInspect.SensorModule.sensor_idNumberUnique ID of the sensor the module is deployed in, in the eyeInspect CC.
ForescoutEyeInspect.SensorModule.engineStringName of the engine powering the module in the sensor.
ForescoutEyeInspect.SensorModule.singletonBooleanWhether the module can only have one single instance or can have multiple instances in the sensor.
ForescoutEyeInspect.SensorModule.nameStringThe name of the module.
ForescoutEyeInspect.SensorModule.descriptionStringThe description of the module.
ForescoutEyeInspect.SensorModule.startedBooleanWhether the module is started or paused in the sensor.
ForescoutEyeInspect.SensorModule.operational_modeStringOperational mode of the module in the sensor.
ForescoutEyeInspect.SensorModule.date_last_updateStringTimestamp in ISO format of when the module was last updated.

Command example#

!forescout-ei-sensor-module-list sensor_id=2 page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"SensorModule": {
"date_last_update": "2022-03-18T11:13:09.898+01:00",
"description": "",
"engine": "THREAT_LIBRARY",
"id": 1,
"name": "Industrial threat library (ITL)",
"operational_mode": "",
"sensor_id": 2,
"singleton": true,
"started": true
}
}
}

Human Readable Output#

Sensor 2 Modules List:#

Current page size: 1 Showing page 1 out of others that may exist. |ID|Name|Engine|Started| |---|---|---|---| | 1 | Industrial threat library (ITL) | THREAT_LIBRARY | true |

forescout-ei-sensor-module-update#


Changes the specified properties of the specified module.

Base Command#

forescout-ei-sensor-module-update

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor that has the module to update.Required
module_idThe unique ID of the module to update.Required
nameName of the module.Optional
descriptionDescription of the module.Optional
startedIf set to true, the module will be started. If set to false, the module will be paused. Possible values are: true, false.Optional
operational_modeChanges the operational mode of the module to the specified value. Possible values are: Learning, Detecting.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.SensorModule.idNumberUnique ID of the module in the eyeInspect CC.
ForescoutEyeInspect.SensorModule.sensor_idNumberUnique ID of the sensor the module is deployed in, in the eyeInspect CC.
ForescoutEyeInspect.SensorModule.engineStringName of the engine powering the module in the sensor.
ForescoutEyeInspect.SensorModule.singletonBooleanWhether the module can only have one single instance or can have multiple instances in the sensor.
ForescoutEyeInspect.SensorModule.nameStringThe name of the module.
ForescoutEyeInspect.SensorModule.descriptionStringThe description of the module.
ForescoutEyeInspect.SensorModule.startedBooleanWhether the module is started or paused in the sensor.
ForescoutEyeInspect.SensorModule.operational_modeStringOperational mode of the module in the sensor.
ForescoutEyeInspect.SensorModule.date_last_updateStringTimestamp in ISO format of when the module was last updated.

Command example#

!forescout-ei-sensor-module-update sensor_id=2 module_id=5 started=true

Context Example#

{
"ForescoutEyeInspect": {
"SensorModule": {
"date_last_update": "1970-01-01T01:00:00.000+01:00",
"description": "",
"engine": "PORTSCAN",
"id": 5,
"name": "Portscan",
"operational_mode": "",
"sensor_id": 2,
"singleton": true,
"started": true
}
}
}

Human Readable Output#

Updated Module 5 of Sensor 2:#

NameEngineStarted
PortscanPORTSCANtrue

forescout-ei-sensor-module-delete#


Deletes the specified module from the specified sensor and from the eyeInspect CC database.

Base Command#

forescout-ei-sensor-module-delete

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor of the module to delete.Required
module_idThe unique ID of the module to delete.Required

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-sensor-module-delete sensor_id=2 module_id=8

Human Readable Output#

The module 8 of sensor 2 was successfully deleted!#

forescout-ei-ip-blacklist-get#


Retrieves the IP blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-ip-blacklist-get

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor for which to retrieve the IP blacklist.Required
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.IPBlacklist.addressStringA blacklisted IP address.
ForescoutEyeInspect.IPBlacklist.commentStringA comment provided by the user. The comment might be empty.

Command example#

!forescout-ei-ip-blacklist-get sensor_id=2 page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"IPBlacklist": {
"address": "1.1.1.5",
"comment": "demo test",
"sensor_id": 2
}
}
}

Human Readable Output#

IP Blacklist of Sensor 2:#

Current page size: 1 Showing page 1 out of others that may exist. |Address|Comment| |---|---| | 1.1.1.5 | demo test |

forescout-ei-ip-blacklist-add#


Adds a new entry to the IP blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-ip-blacklist-add

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor for which to update the IP blacklist.Required
addressThe IP address to add to the blacklist.Required
commentA comment about the blacklisted IP address.Optional

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-ip-blacklist-add sensor_id=2 address=3.4.5.6 comment=Malicious

Human Readable Output#

New IP Blacklist Entry of Sensor 2:#

AddressComment
3.4.5.6Malicious

forescout-ei-domain-blacklist-get#


Retrieves the domain name blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-domain-blacklist-get

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor that contains the domain blacklist.Required
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.DomainBlacklist.domain_nameStringA blacklisted domain name.
ForescoutEyeInspect.DomainBlacklist.commentStringA comment provided by the user. The comment might be empty.

Command example#

!forescout-ei-domain-blacklist-get sensor_id=2 page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"DomainBlacklist": {
"comment": "demo command",
"domain_name": "028xmz.com",
"sensor_id": 2
}
}
}

Human Readable Output#

Domain Blacklist of Sensor 2:#

Current page size: 1 Showing page 1 out of others that may exist. |Domain Name|Comment| |---|---| | 028xmz.com | demo command |

forescout-ei-domain-blacklist-add#


Adds a new entry to the domain name blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-domain-blacklist-add

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor of which the domain to be updated.Required
domain_nameThe domain name to add to the blacklist.Required
commentA comment about the domain name. Default is Command and Control server.Optional

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-domain-blacklist-add sensor_id=2 domain_name=malicious.xyz comment=Maleware

Human Readable Output#

New Domain Blacklist Entry of Sensor 2#

Domain NameComment
malicious.xyzMaleware

forescout-ei-ssl-client-blacklist-get#


Retrieves the SSL client application blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-ssl-client-blacklist-get

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor for which to retrieve the SSL client blacklist.Required
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.SSLClientBlacklist.sensor_idNumberThe unique ID of the sensor for which to retrieve the SSL client.
ForescoutEyeInspect.SSLClientBlacklist.application_nameStringThe application name related to the entry.
ForescoutEyeInspect.SSLClientBlacklist.ja3_hashStringThe JA3 hash of a blacklisted client application.
ForescoutEyeInspect.SSLClientBlacklist.commentStringA comment provided by the user. The comment might be empty.

Command example#

!forescout-ei-ssl-client-blacklist-get sensor_id=2 page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"SSLClientBlacklist": {
"application_name": "Potential malware: eitest-hoeflertext-chrome-popup-traffic-4-of-6",
"comment": "Generated from all PCAPs on https://www.malware-traffic-analysis.net",
"ja3_hash": "098f55e27d8c4b0a590102cbdb3a5f3a",
"sensor_id": 2
}
}
}

Human Readable Output#

SSL Client Applications Blacklist of Sensor 2:#

Current page size: 1 Showing page 1 out of others that may exist. |Application Name|Ja3 Hash|Comment| |---|---|---| | Potential malware: eitest-hoeflertext-chrome-popup-traffic-4-of-6 | 098f55e27d8c4b0a590102cbdb3a5f3a | Generated from all PCAPs on https://www.malware-traffic-analysis.net |

forescout-ei-ssl-client-blacklist-add#


Adds a new entry to the SSL client application blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-ssl-client-blacklist-add

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor of which the SSL client.Required
application_nameThe related application name to add to the blacklist.Required
ja3_hashThe JA3 hash of a blacklisted client application.Required
commentComment about the SSL client application.Optional

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-ssl-client-blacklist-add sensor_id=2 application_name=Shodan ja3_hash=0ad94fcb7d3a2c56679fbd004f6b12cd comment=Malicious

Human Readable Output#

New SSL Client Blacklist Entry of Sensor 2:#

Application NameJa3 HashComment
Shodan0ad94fcb7d3a2c56679fbd004f6b12cdMalicious

forescout-ei-file-operation-blacklist-get#


Retrieves the file operation blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-file-operation-blacklist-get

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor for which to retrieve the file operation blacklist.Required
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.FileOperationBlacklist.matching_typeStringThe way file or folder should be matched.
ForescoutEyeInspect.FileOperationBlacklist.file_or_folderStringThe name of the file or folder the entry applies to.
ForescoutEyeInspect.FileOperationBlacklist.operationStringThe name of the file operation.
ForescoutEyeInspect.FileOperationBlacklist.commentStringA comment provided by the user. The comment might be empty.

Command example#

!forescout-ei-file-operation-blacklist-get sensor_id=2 page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"FileOperationBlacklist": {
"comment": "Access 2007 Database File. A database file created with Microsoft Access 2007 or later. It typically contains data organized into tables and fields. (default blacklist entry).",
"file_or_folder": "\\.accdb$",
"matching_type": "REGEX",
"operation": "WRITE",
"sensor_id": 2
}
}
}

Human Readable Output#

File Operation Blacklist of Sensor 2:#

Current page size: 1 Showing page 1 out of others that may exist. |Matching Type|File Or Folder|Operation|Comment| |---|---|---|---| | REGEX | .accdb$ | WRITE | Access 2007 Database File. A database file created with Microsoft Access 2007 or later. It typically contains data organized into tables and fields. (default blacklist entry). |

forescout-ei-file-operation-blacklist-add#


Adds entries to the file operation blacklist from the Industrial Threat Library of the specified sensor.

Base Command#

forescout-ei-file-operation-blacklist-add

Input#

Argument NameDescriptionRequired
sensor_idThe unique ID of the sensor for which to update the file operation blacklist.Required
matching_typeThe way file or folder should be matched. Possible values are: CONTAINS, STARTS_WITH, ENDS_WITH, MATCHES, REGEX.Required
file_or_folderThe name of the file or folder the entry applies to.Required
operationThe name of the file operation. Possible values are: WRITE, READWRITE.Required
commentA comment provided by the user.Optional

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-file-operation-blacklist-add sensor_id=2 matching_type=REGEX file_or_folder=\\.mal$ operation=WRITE comment=Virus

Human Readable Output#

New File Operation Blacklist Entry of Sensor 2:#

Matching TypeFile Or FolderOperationComment
REGEX.mal$WRITEVirus

forescout-ei-diagnostics-information-get#


Retrieves information about all monitored Command Center resources and their health status excluding the logs.

Base Command#

forescout-ei-diagnostics-information-get

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
ForescoutEyeInspect.CCInfo.ip_addressStringIP address of the Command Center.
ForescoutEyeInspect.CCInfo.hostnameStringHostname of the Command Center.
ForescoutEyeInspect.CCInfo.open_portsStringTCP open port number of the Command Center.
ForescoutEyeInspect.CCInfo.cc_versionStringVersion of the Command Center software.
ForescoutEyeInspect.CCInfo.health_statusStringCurrent health status of the Command Center.

Command example#

!forescout-ei-diagnostics-information-get

Context Example#

{
"ForescoutEyeInspect": {
"CCInfo": {
"cc_version": "4.3.21",
"health_status": {
"analytics_db_used_mem": {
"current_value": "4.3 GiB",
"name": ""
},
"cpu_load_avg_1_min": {
"current_value": "5.5%",
"level": "NORMAL",
"name": ""
},
"disk_usage": [
{
"current_value": "8%",
"level": "NORMAL",
"name": "/"
}
],
"memory_usage": {
"current_value": "84.56%",
"level": "WARNING",
"name": ""
},
"message_queue_used_mem": {
"current_value": "602.4 MiB",
"name": ""
},
"net_if_status": [
{
"current_value": "Running",
"level": "NORMAL",
"name": "ens160"
},
{
"current_value": "Not running",
"level": "NORMAL",
"name": "docker0"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "br-1b1f2d7e6a87"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "ens192"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "vethf0fd758"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "veth24fab08"
},
{
"current_value": "Running",
"level": "NORMAL",
"name": "vethfb6c608"
}
],
"relational_db_used_mem": {
"current_value": "3.4 GiB",
"name": "silentdefense"
},
"web_server_used_mem": {
"current_value": "4.4 GiB",
"name": ""
}
},
"hostname": "4321-bundle-16g",
"ip_address": "192.168.30.115",
"open_ports": [
"443"
]
}
}
}

Human Readable Output#

Command Center Diagnostics Information:#

IP AddressHostnameOpen PortsCc Version
192.168.30.1154321-bundle-16g4434.3.21

forescout-ei-diagnostic-logs-get#


Download the ZIP file which contains diagnostic logs of the Command Center.

Base Command#

forescout-ei-diagnostic-logs-get

Input#

Argument NameDescriptionRequired
cc_infoWhether to include Command Center diagnostic logs inside the downloaded zip, in addition to sensors logs. If this value is false, the downloaded zip won't contain the general server logs, but only the logs about the sensors. Possible values are: true, false. Default is True.Optional
sensor_idInclude logs from a specific sensor by its ID, or all sensors (by specifying All).Optional

Context Output#

PathTypeDescription
InfoFile.SizeNumberThe size of the file.
InfoFile.NameStringThe name of the file.
InfoFile.EntryIDStringThe entry ID of the file.
InfoFile.InfoStringFile information.
InfoFile.TypeStringThe file type.
InfoFile.ExtensionStringThe file extension.

Command example#

!forescout-ei-diagnostic-logs-get sensor_id=2

Context Example#

{
"InfoFile": {
"EntryID": "3167@8479e914-8493-4968-8f32-78852375d17b",
"Extension": "zip",
"Info": "application/zip",
"Name": "command_center_diagnostic_logs.zip",
"Size": 26280500,
"Type": "Zip archive data, at least v2.0 to extract"
}
}

Human Readable Output#

forescout-ei-group-policy-list#


Get all group policies.

Base Command#

forescout-ei-group-policy-list

Input#

Argument NameDescriptionRequired
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.GroupPolicy.idNumberThe ID of the policy.
ForescoutEyeInspect.GroupPolicy.nameStringThe name of the group policy.
ForescoutEyeInspect.GroupPolicy.descriptionStringThe description of the group policy.
ForescoutEyeInspect.GroupPolicy.constraintsUnknownList of constraints of the policy.

Command example#

!forescout-ei-group-policy-list page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"GroupPolicy": {
"constraints": [
{
"operator": "equals",
"os_version": "Windows 10",
"type": "os_version"
}
],
"description": "Test",
"id": 8,
"name": "Test Playbook Policy"
}
}
}

Human Readable Output#

Group Policies List:#

Current page size: 1 Showing page 1 out of others that may exist. |ID|Name|Description| |---|---|---| | 8 | Test Playbook Policy | Test |

forescout-ei-group-policy-create#


Create a new group policy.

Base Command#

forescout-ei-group-policy-create

Input#

Argument NameDescriptionRequired
nameThe name of the group policy.Required
descriptionThe description of the group policy.Required
constraintsList of constraints of the policy.

Each policy constraint is an object that includes the following fields:
type: The type of the constraint. Possible values are os_version, firmware_version, open_ports.
operator: The operator of the constraint. Possible values are equals (all types), allowed (open_ports) and contains (os_version, firmware_version).
os_version: The value of the OS version for the os_version type.
firmware_version: The value of the firmware version for the firmware_version type.
open_ports_tcp: Comma-separated list of ports or range of ports for the open_ports type. Example: "10, 20-30".
open_ports_udp: Comma-separated list of ports or range of ports for the open_ports type. Example: "10, 20-30".

Example for list of policy constraints: [{ "type": "os_version", "operator": "contains", "os_version": "Windows" }]. .
Required

Context Output#

PathTypeDescription
ForescoutEyeInspect.GroupPolicy.idNumberThe ID of the policy.
ForescoutEyeInspect.GroupPolicy.nameStringThe name of the group policy.
ForescoutEyeInspect.GroupPolicy.descriptionStringThe description of the group policy.
ForescoutEyeInspect.GroupPolicy.constraintsUnknownList of constraints of the policy.

Command example#

!forescout-ei-group-policy-create name="example policy" description="policy" constraints="[{\"type\": \"os_version\", \"operator\": \"equals\", \"os_version\": \"Windows 10\"}]"

Context Example#

{
"ForescoutEyeInspect": {
"GroupPolicy": {
"constraints": [
{
"operator": "equals",
"os_version": "Windows 10",
"type": "os_version"
}
],
"description": "policy",
"id": 20,
"name": "example policy"
}
}
}

Human Readable Output#

Group Policy Information:#

IDNameDescription
20example policypolicy

Group Policy Constraints:#

TypeOperatorOs Version
os_versionequalsWindows 10

forescout-ei-group-policy-update#


Update a group policy. Note: the whole policy will be overridden, therefore all fields are required.

Base Command#

forescout-ei-group-policy-update

Input#

Argument NameDescriptionRequired
policy_idThe unique ID of the policy to be updated.Required
nameThe name of the group policy.Required
descriptionThe description of the group policy.Required
constraintsList of constraints of the policy.

Each policy constraint is an object that includes the following fields:
type: The type of the constraint. Possible values are os_version, firmware_version, open_ports.
operator: The operator of the constraint. Possible values are equals (all types), allowed (open_ports) and contains (os_version, firmware_version).
os_version: The value of the OS version for the os_version type.
firmware_version: The value of the firmware version for the firmware_version type.
open_ports_tcp: Comma-separated list of ports or range of ports for the open_ports type. Example: "10, 20-30".
open_ports_udp: Comma-separated list of ports or range of ports for the open_ports type. Example: "10, 20-30".

Example for list of policy constraints: [{ "type": "os_version", "operator": "contains", "os_version": "Windows" }].
Required

Context Output#

PathTypeDescription
ForescoutEyeInspect.GroupPolicy.idNumberThe ID of the policy.
ForescoutEyeInspect.GroupPolicy.nameStringThe name of the group policy.
ForescoutEyeInspect.GroupPolicy.descriptionStringThe description of the group policy.
ForescoutEyeInspect.GroupPolicy.constraintsUnknownList of constraints of the policy.

Command example#

!forescout-ei-group-policy-update policy_id=20 name="example policy" description="policy" constraints="[{\"type\": \"os_version\", \"operator\": \"equals\", \"os_version\": \"Windows 10\"}]"

Context Example#

{
"ForescoutEyeInspect": {
"GroupPolicy": {
"constraints": [
{
"operator": "equals",
"os_version": "Windows 10",
"type": "os_version"
}
],
"description": "policy",
"id": 20,
"name": "example policy"
}
}
}

Human Readable Output#

Updated Group Policy:#

IDNameDescription
20example policypolicy

Group Policy Constraints:#

TypeOperatorOs Version
os_versionequalsWindows 10

forescout-ei-group-policy-delete#


Delete a group policy.

Base Command#

forescout-ei-group-policy-delete

Input#

Argument NameDescriptionRequired
policy_idThe unique ID of the policy for which the hosts will be added to.Required

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-group-policy-delete policy_id=20

Human Readable Output#

The group policy 20 was successfully deleted!#

forescout-ei-group-policy-hosts-assign#


Add all hosts not assigned to any policy (individual or group) matching the filter to the group policy.

Base Command#

forescout-ei-group-policy-hosts-assign

Input#

Argument NameDescriptionRequired
policy_idThe unique ID of the policy for which the hosts will be added to.Required
filter_typeThe type of the filter. Possible values are: address, host_mac_address_exact, vendor_model, os_version, firmware_version, ip_reuse_domain.Required
filter_valueThe value of the filter.Required

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-group-policy-hosts-assign policy_id=20 filter_type=address filter_value=192.168.1.1

Human Readable Output#

1 Additional Hosts Were Assigned to Group Policy 20!#

forescout-ei-group-policy-hosts-unassign#


Unassign all hosts assigned to the group policy matching the filter.

Base Command#

forescout-ei-group-policy-hosts-unassign

Input#

Argument NameDescriptionRequired
policy_idThe unique ID of the policy for which the hosts will be removed.Required
filter_typeThe type of the filter. Possible values are: address, host_mac_address_exact, vendor_model, os_version, firmware_version, ip_reuse_domain.Required
filter_valueThe value of the filter.Required

Context Output#

There is no context output for this command.

Command example#

!forescout-ei-group-policy-hosts-unassign policy_id=20 filter_type=address filter_value=192.168.1.1

Human Readable Output#

1 Additional Hosts Were Unassigned from Group Policy 20!#

forescout-ei-ip-reuse-domain-list#


Get all IP reuse domains.

Base Command#

forescout-ei-ip-reuse-domain-list

Input#

Argument NameDescriptionRequired
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.IPReuseDomain.idNumberThe ID of the IP reuse domain.
ForescoutEyeInspect.IPReuseDomain.nameStringThe name of the IP reuse domain.
ForescoutEyeInspect.IPReuseDomain.descriptionStringThe description of the IP reuse domain.
ForescoutEyeInspect.IPReuseDomain.addressStringThe address of the IP reuse domain.
ForescoutEyeInspect.IPReuseDomain.maskNumberThe number of bits in the mask.
ForescoutEyeInspect.IPReuseDomain.vlan_idsStringVLAN IDs of the IP reuse domain.

Command example#

!forescout-ei-ip-reuse-domain-list page=2 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"IPReuseDomain": {
"address": "192.168.99.0",
"description": "Servers IP Reuse",
"id": 2,
"mask": 0,
"name": "servers",
"vlan_ids": "any"
}
}
}

Human Readable Output#

IP Reuse Domains List:#

Current page size: 1 Showing page 2 out of others that may exist. |ID|Name|Description|Address| |---|---|---|---| | 2 | servers | Servers IP Reuse | 192.168.99.0 |

forescout-ei-hosts-changelog-list#


Retrieves information about the changes of host properties and configuration from the eyeInspect CC database.

Base Command#

forescout-ei-hosts-changelog-list

Input#

Argument NameDescriptionRequired
pageThe page number of the results to retrieve (minimum is 1). Default is 1.Optional
limitMaximum number of records to retrieve. Default is 50.Optional
host_idList only records with the host_id property equal to the provided parameter.Optional
start_timestampList only records with the timestamp property greater than or equal to the specified value. For example, 2020-05-26T15:00:00.000Z+01:00.Optional
end_timestampList only records with the timestamp property less than or equal to the specified value. 2020-05-26T15:00:00.000Z+01:00.Optional
event_type_idList only records with the event_type_id property equal to the specified value. Possible values are: hostcl_new_host, hostcl_new_mac, hostcl_new_name, hostcl_new_role, hostcl_new_vendor_model, hostcl_new_os_version, hostcl_changed_os_version, hostcl_new_client_proto, hostcl_new_client_port, hostcl_new_server_proto, hostcl_new_server_port, hostcl_new_label, hostcl_new_fw_version, hostcl_changed_fw_version, hostcl_new_hw_version, hostcl_changed_hw_version, hostcl_changed_serial, hostcl_new_project, hostcl_changed_project, hostcl_new_module, hostcl_changed_module_name, hostcl_changed_module_type, hostcl_changed_module_vendor.Optional
event_categoryList only records with the event_type_id property equal to the specified value. Possible values are: PROPERTIES, CONFIGURATION, ALL.Optional

Context Output#

PathTypeDescription
ForescoutEyeInspect.HostChangeLog.idNumberThe unique ID of the HostChangeLog in the eyeInspect CC.
ForescoutEyeInspect.HostChangeLog.timestampStringTimestamp in ISO format of when the host change was detected.
ForescoutEyeInspect.HostChangeLog.event_type_idStringAn identifier of the type of change detected.
ForescoutEyeInspect.HostChangeLog.event_type_nameStringA more human readable representation of the type of change detected.
ForescoutEyeInspect.HostChangeLog.event_categoryStringA more general type of the change detected.
ForescoutEyeInspect.HostChangeLog.host_idNumberThe unique ID of the host in the eyeInspect CC database in which the change was detected.
ForescoutEyeInspect.HostChangeLog.information_sourceStringThe source of information for the detected change.
ForescoutEyeInspect.HostChangeLog.sensor_idNumberIn case the detected change was reported from a sensor, the unique ID in the eyeInspect CC database of the sensor reporting the information.
ForescoutEyeInspect.HostChangeLog.sensor_idNumberIn case the detected change was reported from a sensor, the unique ID in the eyeInspect CC database of the sensor reporting the information.
ForescoutEyeInspect.HostChangeLog.usernameStringIn case the detected change was reported from a eyeInspect user, the username of the user reporting the information.
ForescoutEyeInspect.HostChangeLog.old_valueStringThe old value of the host property.
ForescoutEyeInspect.HostChangeLog.new_valueStringThe new value of the host property.
ForescoutEyeInspect.HostChangeLog.host_addressStringThe IP address, or nested address (in case of a nested device) of the host.
ForescoutEyeInspect.HostChangeLog.host_vlanStringThe VLAN ID of the host (only present if the process_vlan_tags option is enabled in the sensor).
ForescoutEyeInspect.HostChangeLog.host_nameStringThe main name of the host.
ForescoutEyeInspect.HostChangeLog.host_ip_reuse_domain_idStringThe unique ID of the IP Reuse Domain the host is in.
ForescoutEyeInspect.HostChangeLog.host_mac_addressesStringThe MAC addresses associated to the host.

Command example#

!forescout-ei-hosts-changelog-list page=1 limit=1

Context Example#

{
"ForescoutEyeInspect": {
"HostChangeLog": {
"event_category": "PROPERTIES",
"event_type_id": "hostcl_new_host",
"event_type_name": "New host",
"host_address": "192.168.30.82",
"host_id": 1,
"host_ip_reuse_domain_id": 1,
"host_mac_addresses": [
"00:50:56:A6:41:89",
"C4:24:56:A4:86:11"
],
"host_name": "",
"host_vlan": "",
"id": 1,
"information_source": "USER",
"new_value": "",
"old_value": "",
"sensor_id": 0,
"timestamp": "2022-01-16T17:38:41.505+01:00",
"username": "admin"
}
}
}

Human Readable Output#

Hosts Changes List:#

Current page size: 1 Showing page 1 out of others that may exist. |ID|Host ID|Event Type Name| |---|---|---| | 1 | 1 | New host |