
ForeScout

Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

I have read and followed the deployment guide and watched the video and have run into several issues on three different enclaves:

 

It was installed the same way on two separate enclaves.

 

Enclave 1.

 

1. After installing the EcoSystem license and then adding in the templates, creating the notifications, and creating the Endpoint, I tried the last item to check the configuration, and when I go to view the log I get the error "Endpoint file has not be created. Check the endpoint Configuration."  I have verified that it is built correctly and have gone as far as deleting and reinstalling the Endpoint, Notifications, and Templates.  I have not deleted the EcoSystem license and reinstalled it.

 

2. I also noticed, in reviewing the Infoblox logs, that the OutboundAPIServiceManager starts and the OutboundAPIWorker does not start.

 

 

Enclave 2.

 

1. Doesn't have an issue with viewing the debug log, and the OutboundAPIServiceManager and OutboundAPIWorker both start.

 

2. One issue I'm seeing is that there are problems parsing the JSON output.  This can be seen in the attached syslog.  I am not sure what needs to be adjusted.

 

3. The other issue is that the Template execution retry limit has been reached.  This can be seen in the attached syslog.  I have not been able to find the setting to reset this.

 

 

 

V/r

 

 

Marc

 

 

Re: Integration issues with CounterAct
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Hi Marc,

 

1. I'm not sure what was going on here. I need to take a look at the debug logs and infoblox.log.

2. Please turn on the debug log. Edit the endpoint, switch to "Session management" and set "Log level" to "Debug".

From what I see right now, the issue is probably with authorisation. You can check it using curl or Postman.

You can set the number of retries in a session management template, which is not provided for the integration because it is not required. You can check the admin guide and use the Rapid7 session management template as a reference (you'll need to remove some params which are not applicable, e.g. the login template).

 

Vadim

 

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Vadim,

 

 

Thank you for the quick response and the suggestions.

 

I have the debug.log; for the infoblox.log, do you mean the audit.log or the sys.log?  I have both of those also, covering the same timespan as debug.log.

 

 

Marc

Re: Integration issues with CounterAct
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Just in case: I mean the worker's debug.log. You can get the infoblox.log from a support bundle.

But if the configuration is the same as on the second Grid, it would be better to open a support ticket.

 

Vadim

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Working on getting the logs sanitized so I can post them.  Also am pulling down the new updates to the template.

 

For the first Grid I am creating a support ticket, as it has a different issue than the second Grid.

 

Marc

 

 

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

I think I may see one of the issues.  If you look at the attached Debug file you will see that at 2018/06/12 01:20:33.159917 the event contains u'ip.extattrs': {u'FS_Site': u'Lab', u'FS_Sync': u'true'}.

 

When it populates Namespace E at 2018/06/12 01:20:33.191681 that contains  u'ip.extattrs': {u'FS_Site': u'Lab', u'FS_Sync': u'true'}

 

When it errors out at 2018/06/12 01:20:33.195228 it is because "Key FS_RemediateOnEvent in dictionary variable E:ip.extattrs was not found ({u'FS_Site': u'Lab', u'FS_Sync': u'true'}:

 

The variable FS_RemediateOnEvent actually shows up under the network.extattrs area at 2018/06/12 01:20:33.159917.

 

 

I noticed that in the FS_Asset template that I was using there are two separate areas that contain RemediateOnEvent.  One area is for the Lease action and is written as:

 

{
  "name": "check_for_Lease",
  "operation": "CONDITION",
  "condition": {
    "condition_type": "AND",
    "statements": [
      {"left": "${E::event_type}", "op": "==", "right": "LEASE"},
      {"left": "${E:A:ip.extattrs{FS_Sync}}", "op": "==", "right": "true"}
    ],
    "eval": "${XC:ASSIGN:{L:Sync}:{S:true}}${XC:COPY:{L:Site}:{E:ip.extattrs{FS_Site}}}${XC:COPY:{L:RemediateOnEvent}:{E:ip.extattrs{FS_RemediateOnEvent}}}${XC:COPY:{L:IP}:{E:address}}${XC:COPY:{L:NV}:{E:network_view}}${XC:COPY:{L:MAC}:{E:hardware}}"
  }
}

 

 

The area for Fixed Addresses and Hosts is written as:

 

{
  "name": "check_for_not_Lease",
  "operation": "CONDITION",
  "condition": {
    "condition_type": "AND",
    "statements": [
      {"left": "${E::event_type}", "op": "!=", "right": "LEASE"},
      {"left": "${E:A:values{extattrs}{FS_Sync}{value}}", "op": "==", "right": "true"}
    ],
    "eval": "${XC:ASSIGN:{L:Sync}:{S:true}}${XC:COPY:{L:Site}:{E:values{extattrs}{FS_Site}{value}}}${XC:COPY:{L:RemediateOnEvent}:{E:values{extattrs}{FS_RemediateOnEvent}{value}}}${XC:COPY:{L:Obj_ref}:{E:values{_ref}}}${XC:COPY:{L:IP}:{E:values{ipv4addr}}}${XC:COPY:{L:NV}:{E:values{network_view}}}${XC:ASSIGN:{L:Obj_Ref_Add}:{S:}}",
    "else_eval": "${XC:ASSIGN:{L:Sync}:{S:false}}"
  }
}

 

 

For the Fixed Address and Hosts, should they be E:ip.extattrs instead of E:values{extattrs}?

 

Below is the legend for the appliances that I used to blank out the first two octets.

 

yyy.yyyy.182.73 - ForeScout
yyy.yyy.181.22  - Infoblox GM
yyy.yyy.181.25  - Infoblox DNS/DHCP

 

V/r

 

Marc

Re: Integration issues with CounterAct
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Posts: 69

Hello Marc,

 

1. (Error)

You're exactly correct on the error being that "Key FS_RemediateOnEvent in dictionary variable E:ip.extattrs was not found".

 

It's set at the network level, but you will need to add it so that the IP can inherit the extensible attribute at the IP level.

 

2. (host vs lease)

"For the Fixed Address and Hosts, should they be E:ip.extattrs instead of E:values{extattrs}?"

No it shouldn't. Host events and lease events store the information differently in the E namespace.

 

Hope this helps,

Kevin Zettel

 

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Good day Kevin,

 

I opened the Extensible Attribute RemediateOnEvent and saw that there was no checkmark in the box for Enable Inheritance. So now I am just waiting for a Lease event to happen to see if that fixes it.

 

I tried putting in a host, and in the attached file I received:

 

[2018/06/13 08:59:50.887348] ipam.mqt.maple.waffle.com (DEBUG): Invalid variable P:discovered_data
[2018/06/13 08:59:50.887443] ipam.mqt.maple.waffle.com (DEBUG): The namespace P contains the following data {u'_ref': u'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQuOS5taWwubmF2eS5zcGF3YXIub21hLmZzdGVzdGhvc3QuMTk4LjI1My4xNzYuMTEu:yyy.yyy.176.11/fstesthost.mqt.maple.waffle.com/mqt'}

 

V/r

 

Marc Silva

 

Re: Integration issues with CounterAct
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Posts: 69

Hello Marc,

 

The issue is with the template. For a quick fix, do the following:

 

 

replace:

 

{
  "name": "Copy discovery_data for other records",
  "operation": "NOP",
  "body_list": [
    "${XC:COPY:{L:discovered_data}:{P:discovered_data}}"
  ]
},

 

with:

 

{ "name": "check_For_Discovery_Information", "operation": "CONDITION",
"condition": {"condition_type": "AND", "statements": [{"left": "$P::discovered_data}", "op": "!=", "right": ""}],
"eval": "${XC:COPY:{L:discovered_data}:{P:discovered_data}}"},"else_eval": "${XC:ASSIGN:{L:discoverer}:{S:.}}"},

 

The new step does the same thing as the replaced step, except it checks whether the discovery data is available and puts a placeholder into the variable to keep an error from occurring.

 

Hope this helps,

Kevin Zettel

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Hi Kevin,

 

When I tried that I received the error "The template is not validated correctly with the schema. Additional properties are not allowed (u'else_eval' was unexpected)".

 

Should the L:discoverer in the else_eval portion be L:discovered:data ?

 

I've attached my current FS_Assets template and a screenshot of the error.

 

 

Regards,

 

Marc

Re: Integration issues with CounterAct
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Posts: 69

Hello Marc,

 

More than likely it is a typo. I attached the full template for you to copy and paste from. You can look at the step "check_For_Discovery_Information" and see where it is in the template.

 

If this isn't the template, then it could be a version error, where you need at least NIOS version 8.1 for it to work.

 

Also, I made a small typo because I was typing it out rather than copying and pasting, but it does not relate to this problem... you can copy and paste the step "check_For_Discovery_Information" from the attached file.

 

Hope this helps,

Kevin Zettel

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Hello Kevin,

 

Currently we are running NIOS 8.1.7.

 

I tried just putting that section in and it still gives me the same error. I also tried copying the whole txt file in and I received the same error.

 

 

V/r

 

Marc

Re: Integration issues with CounterAct
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Posts: 69

Hello Marc,

 

I just checked it on my instance; it's a formatting error on my part. Somehow the "else_eval" was put on the outside of the bracket.

 

I reattached the file; you can use this and it should work.

 

Hope this helps,

 

Kevin Zettel

Re: Integration issues with CounterAct
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Also, there is a little delay between uploading a template and it becoming internally updated (a worker starting to use the updated version).

 

Vadim

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018
Hey Kevin,

I just saw the same thing also. Trying to match brackets is always fun.

Will try again after meeting.


Marc

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Hello Kevin,

 

I was able to cut and paste the section in without any errors about an hour ago.  The Forescout Engineer is out at the moment, so I am not able to see if things are flowing over.

 

Will update

 

 

V/r

 

Marc

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Kevin,

 

Still getting an error "Invalid variable P:discovered_data".

 

In the FS_Asset file, where it has this:

 

{
    "name": "check_For_Discovery_Information",
    "operation": "CONDITION",
    "condition": {
        "condition_type": "AND",
        "statements": [{"left": "$P::discovered_data}","op": "!=","right": ""}],
        "eval": "${XC:COPY:{L:discovered_data}:{P:discovered_data}}",
        "else_eval": "${XC:ASSIGN:{L:discovered_data}:{S:.}}"
    }
}

 

 

I added an opening parenthesis before the P to change [{"left": "$P::discovered_data}","op": "!=","right": ""}] to [{"left": "${P::discovered_data}","op": "!=","right": ""}]

 

 

{
    "name": "check_For_Discovery_Information",
    "operation": "CONDITION",
    "condition": {
        "condition_type": "AND",
        "statements": [{"left": "${P::discovered_data}","op": "!=","right": ""}],
        "eval": "${XC:COPY:{L:discovered_data}:{P:discovered_data}}",
        "else_eval": "${XC:ASSIGN:{L:discovered_data}:{S:.}}"
    }
}

 

 

Now able to add a Fixed Address or Host in IPAM and have it flow to ForeScout.  I have included the working FS_ASSET file.

 

 

 

V/r

 

 

Marc

Re: Integration issues with CounterAct
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Hi Marc,

 

Could you please share the debug log (only this execution)?

 

Vadim

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Evening Vadim,

 

Will grab in the morning.

 

V/r 

 

Marc J Silva

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Attached is the debug log.

 

Here is a legend of the IPs I used.

 

yyy.yyyy.182.73 - ForeScout
yyy.yyy.181.22  - Infoblox GM
yyy.yyy.181.25  - Infoblox DNS/DHCP

 

aa.bb.160.7 - Test IP for Host and Fixed Address record

aa.bb.160.8 - Test IP for Host and Fixed Address record

aa.bb.160.9 - Test IP for Host and Fixed Address record

yyy.yyy.176.19 - Test IP for Host and Fixed Address record

yyy.yyy.176.1 - Test IP for Host and Fixed Address record (Unmanaged/Discovered data)

 

Still have an issue with leases and the RemediateOnEvent failing. There are some of those intermixed in the file.

 

 

V/r

 

 

Marc J. Silva

Re: Integration issues with CounterAct
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Posts: 69

Hello Marc,

 

For the lease events there doesn't seem to be any "FS_Sync" extensible attribute set or inherited. This seems to be the issue; you can see this from time stamp [2018/06/14 14:12:18.263342] to time stamp [2018/06/14 14:12:18.263831]. As for the Remediation events, I don't see any RPZ or Tunnel events in the debug file you provided.

 

Thank you,

 

Kevin Zettel

Re: Integration issues with CounterAct
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Hi Marc,

 

1. Regarding the FS_RemediateOnEvent EA and a Lease event. When you changed the inheritance flag, it probably was not automatically inherited (it offers such an option). So:

- please check if the EA was inherited on the Range.

- you may remove all references to RemediateOnEvent from the assets template. It is not used in this template.

 

2. You had issues with adding a host. This is also related to the missing FS_RemediateOnEvent EA:

[2018/06/14 15:14:02.885821] ipam.mqt.maple.waffle.com (DEBUG): Variable E:values sub-addressing cannot be executed successfully, please verify the indexes / keys passed are correct (last key tried: "<a complex substitution inner selector>" in "<a complex variable>")

 

BR,

Vadim
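As an added illustration of the two failure modes in this thread, here is a small Python lint and lookup model. It is not code from the thread, from Infoblox, or from ForeScout. It covers Marc's `${P::discovered_data}` fix above as well as the extensible-attribute inheritance point in this exchange. It assumes: a simplified form of the outbound-API variable selector (`namespace:key{subkey}{...}`, each `{...}` one nested dictionary lookup), which is a model and not the worker's engine; the schema rule that `else_eval` is only accepted inside `condition`, taken from the validator error Marc quoted; and constructed lease and host events shaped like the debug-log excerpts (all addresses and the `_ref` are placeholders). The `inherit_missing_eas` helper models what enabling inheritance on an EA did for the IP-level lookup; it is not NIOS logic.

```python
import re

# Constructed sample steps (not a real FS_Assets template). BROKEN_STEP carries
# the two defects from this thread: "{" missing after "$" in the statement, and
# "else_eval" placed outside "condition". FIXED_STEP is the corrected form.
BROKEN_STEP = {
    "name": "check_For_Discovery_Information", "operation": "CONDITION",
    "condition": {"condition_type": "AND",
                  "statements": [{"left": "$P::discovered_data}", "op": "!=", "right": ""}],
                  "eval": "${XC:COPY:{L:discovered_data}:{P:discovered_data}}"},
    "else_eval": "${XC:ASSIGN:{L:discovered_data}:{S:.}}",
}
FIXED_STEP = {
    "name": "check_For_Discovery_Information", "operation": "CONDITION",
    "condition": {"condition_type": "AND",
                  "statements": [{"left": "${P::discovered_data}", "op": "!=", "right": ""}],
                  "eval": "${XC:COPY:{L:discovered_data}:{P:discovered_data}}",
                  "else_eval": "${XC:ASSIGN:{L:discovered_data}:{S:.}}"},
}


def substitution_errors(text):
    """Brace balance plus the '$X:' typo pattern ("$P::x}" instead of "${P::x}")."""
    errors, depth = [], 0
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:  # a "}" with no matching "{" before it
                errors.append(f"unexpected '}}' at offset {i}")
                depth = 0
    if depth > 0:
        errors.append(f"{depth} unclosed '{{'")
    for m in re.finditer(r"\$(?!\{)(\w+):", text):
        errors.append(f"'${m.group(1)}:' at offset {m.start()} is missing '{{' after '$'")
    return errors


def lint_step(step):
    """Return (json_path, message) findings for one template step."""
    findings = []
    # Assumption taken from the validator error quoted in the thread: the schema
    # accepts "else_eval" only inside the "condition" object.
    if "else_eval" in step:
        findings.append(("else_eval", "not allowed at step level; move it inside 'condition'"))

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            findings.extend((path, err) for err in substitution_errors(node))

    walk(step, "")
    return findings


# Constructed event namespaces (E) shaped like the debug-log excerpts above: a
# lease event has flat "ip.extattrs" / "network.extattrs" dicts, while a host
# event nests everything under "values" with a {"value": ...} dict per EA.
LEASE_EVENT = {
    "event_type": "LEASE", "address": "192.0.2.10",
    "ip.extattrs": {"FS_Site": "Lab", "FS_Sync": "true"},
    "network.extattrs": {"FS_Site": "Lab", "FS_Sync": "true", "FS_RemediateOnEvent": "true"},
}
HOST_EVENT = {
    "event_type": "HOST",
    "values": {"_ref": "record:host_ipv4addr/PLACEHOLDER_REF", "ipv4addr": "192.0.2.11",
               "extattrs": {"FS_Site": {"value": "Lab"}, "FS_Sync": {"value": "true"}}},
}


def lookup(namespace, selector):
    """Simplified model of 'ip.extattrs{FS_Sync}' style sub-addressing (an assumption,
    not the worker's engine): first segment is a key, each {key} one nested lookup.
    Returns (value, None) on success or (None, worker-style error text)."""
    m = re.fullmatch(r"([\w.]+)((?:\{[^{}]+\})*)", selector)
    if not m or m.group(1) not in namespace:
        return None, f"Invalid variable E:{selector}"
    value = namespace[m.group(1)]
    for key in re.findall(r"\{([^{}]+)\}", m.group(2)):
        if not isinstance(value, dict) or key not in value:
            return None, f"Key {key} in dictionary variable E:{m.group(1)} was not found ({value!r})"
        value = value[key]
    return value, None


def inherit_missing_eas(event):
    """Model of enabling EA inheritance: the IP-level extattrs pick up every
    network-level EA they lack. Returns a new dict; the input is unchanged."""
    merged = dict(event)
    merged["ip.extattrs"] = {**event.get("network.extattrs", {}), **event.get("ip.extattrs", {})}
    return merged
```

Running `lint_step` over a template's steps before uploading it catches the unbalanced `$P::discovered_data}` statement and the misplaced `else_eval` locally, instead of after the worker picks up the new version. The `lookup` model reproduces the two log messages from the thread: a missing sub-key yields the "Key ... was not found" text, and using the lease-style `ip.extattrs` selector on a host event yields "Invalid variable", which is why the host branch must address `values{extattrs}{...}{value}` instead.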

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Kevin,

 

On this installation they did not purchase the RPZ License, so I had not installed the Security Events template.

 

I will work on adding the template anyhow and then notifications for it.

 

 

V/r

 

Marc

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Hey Vadim,

 

1.  - It was not set on the range to inherit from parent. I corrected that.

     - If it doesn't affect the other parts of the FS_Assets, I'll remove it.

 

2.  So if I remove it, then it will also fix that error?

 

V/r

 

 

Marc

Re: Integration issues with CounterAct
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Yep. There are a few places where it is "used", so you need to clean it up correctly.

I'll take a look at it today and publish the updated template.

 

Vadim

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Vadim,

 

That worked perfectly.  Saw several leases show up.

 

Thanks and have a great weekend.

 

Marc

Re: Integration issues with CounterAct
New Member
Posts: 16
Registered: ‎04-26-2018

Vadim and Kevin,

 

 

The other 4 network enclaves have come back online and I have migrated the updated FS_Assets.json to them, and now have it working on 4 separate networks.

 

Thank you for the fixes.

 

V/r

 

Marc

Re: Integration issues with CounterAct
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

You are very welcome!

 

Vadim
