DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Hi there,

Infoblox and ForeScout CounterACT together enable security and incident response teams to leverage the integration of NAC, IPAM and DNS security to enhance visibility, manage assets, ease compliance and automate remediation. This video shows how the integration with ForeScout CounterACT works using the Outbound API feature of NIOS 8.1.

 

 

All necessary templates are attached to this post. The templates are provided “as-is”; please check them in your lab environment and modify them for your needs before implementing them in production.

 

The templates require Extensible Attributes, described in the table below. It is recommended to inherit attributes with the default values from the network view level.

| Extensible Attribute | Description |
|---|---|
| FS_Sync | Defines if an object should be synced with ForeScout. Possible values: true, false |
| FS_SyncedAt | Contains date/time when the object was synchronized, updated by the assets management template |
| FS_RemediateOnEvent | Defines if a remediation task/policy should be executed for RPZ or DNS Tunneling events that are triggered |

 

You can use the attached PHP script to create these EAs (do not forget to update the $NIOS_baseURL, $NIOS_User, $NIOS_PWD and $data variables based on your configuration).

 

You can find a detailed description of how the templates work and how to configure them in these posts:

Any feedback and/or questions are much appreciated.

BR,

Vadim Pavlov.

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Techie
Posts: 9
Registered: ‎08-10-2017
Techie
Posts: 6

When I try to add the two Forescout templates, I get this error:

 

         The template is not validated correctly with the schema. Unsupported template version 2.0

 

Running latest code- should I be using a different template version number?

 

TIA for any suggestions.

 

 

gary

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Hi,

 

Which NIOS version are you running? Template version 2.0 is supported starting with NIOS 8.1.

You said that you are running the latest code, but it seems to be the latest NIOS 8.0 branch.

 

BR,

Vadim

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Techie
Posts: 9
Registered: ‎08-10-2017
Techie
Posts: 6

You're correct. I'm running a POC, but it's at 8.0.3 instead of 8.1.  Do I need to upgrade to 8.1, first?

 

Thanks for your assistance.

 

 

gary

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Yep. Some new features were implemented in NIOS 8.1 which are used in the templates, so 8.1 is required.

Of course you can "downgrade" (rewrite) the templates to be supported on NIOS 8.0, but anyway I do recommend using 8.1 at minimum.

 

Vadim

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

The assets management template was updated to address some copy/paste bugs with leases management.

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

The assets management template was updated:

- check for discovery data;

- FS_RemediateOnEvent EA was removed.

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
New Member
Posts: 0
Registered: ‎06-13-2016
New Member
Posts: 3

Hello,

 

Are these templates supported for NIOS version 8.3?

 

Regards

Thierry

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Yes

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
New Member
Posts: 0
Registered: ‎06-13-2016
New Member
Posts: 3

When I try to import the Forescout assets template (FS_Assets.json.txt) in Infoblox (version 8.2 and 8.3), I get an error indicating that the JSON file is malformed.

The exact error:

The template contains invalid JSON. Expecting property name : line 175 column 5 (char 5261).

 

Another thing is that I can’t select a template in the outbound endpoint – Rest API configuration. Probably, this problem is linked to the previous.

How can I solve this? Can you check the JSON template?

 

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69
Hello steirtet,

I'll take a look today and get back to you soon with a solution. Thank you for letting me know!

Thank you
Kevin Zettel
Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
New Member
Posts: 0
Registered: ‎06-13-2016
New Member
Posts: 3

Any update?

Thierry

Re: DEMO VIDEO & TEMPLATES. INTEGRATION WITH FORESCOUT
Techie
Posts: 13
Registered: ‎06-20-2013
Techie
Posts: 4

The block opening at line 165 does not seem to close properly.

Adding a close of the curly bracket gets the syntax error out of the script.

Also the indentation of that block seems to be off, so it could be there is some other stuff missing in the template.

I did not test that the JSON file is now working, but can you try the attached one?

This is the unclosed block which I closed with "},":

 

{
  "name": "check_For_Discovery_Information",
  "operation": "CONDITION",
  "condition": {
    "condition_type": "AND",
    "statements": [{"left": "${P::discovered_data}","op": "!=","right": ""}],
    "eval": "${XC:COPY:{L:discovered_data}:{P:discovered_data}}",
    "else_eval": "${XC:ASSIGN:{L:discovered_data}:{S:.}}"
  }
},
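
The failure discussed in the last few posts (a step block left unclosed that only surfaces as "Expecting property name" at the next step), as an added example that is not part of the original posts or the attached templates. It parses a template before import and, on failure, reports the innermost block still open at the error position; the function names and the sample template are constructed for illustration.

```python
import json

def innermost_open_block(text, limit):
    """Return (line, bracket) of the innermost bracket still open before offset `limit`."""
    stack, in_string, escaped, line = [], False, False, 1
    for ch in text[:limit]:
        line += ch == "\n"                 # track the current 1-based line number
        if in_string:                      # brackets inside strings such as "${P::x}" do not count
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            stack.append((line, ch))
        elif ch in "}]" and stack:
            stack.pop()
    return stack[-1] if stack else None

def check_template(text):
    """Return None if text is valid JSON, else the parser error plus the block left open."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as err:
        return {"message": err.msg, "line": err.lineno, "column": err.colno,
                "open_block": innermost_open_block(text, err.pos)}

# Constructed sample (not the attached FS_Assets template): the first step's closing "}," is missing.
SAMPLE = '''{
  "steps": [
    {
      "name": "check_For_Discovery_Information",
      "operation": "CONDITION",
      "condition": {
        "condition_type": "AND",
        "statements": [{"left": "${P::discovered_data}", "op": "!=", "right": ""}]
      },
    {
      "name": "next_step",
      "operation": "NOP"
    }
  ]
}
'''
print(check_template(SAMPLE))
```

The parser stops at the next step's opening brace, while `open_block` points back at the line where the unclosed step begins, which is where the missing "}," belongs.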
