Help with Forescout integration
New Member
Posts: 4
Registered: ‎12-03-2018

Newbie here.  Have followed all instructions to integrate Infoblox/Forescout, uploaded templates, created extensible attributes, etc.

 

Debug output has a template error:

 

Variable E:values sub-addressing cannot be executed successfully. 

 

[2019/02/05 16:22:37.270467] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step DebugOnStart (1)
[2019/02/05 16:22:37.270540] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace H contents are: {'Connection': 'close', 'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': '[*********]', 'User-Agent': 'Infoblox Security Integration'}
[2019/02/05 16:22:37.270616] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace E contents are: {u'member_ip': u'10.64.19.210', u'event_type': 'HOST_ADDRESS_IPV4', u'timestamp': u'2019-02-06T00:22:34Z', u'vnode_oid': 0, u'object_type': u'HostAddress', u'previous_values': {}, u'values': {u'host': u'test-forescout', u'ipv4addr': u'10.41.8.10', u'_ref': u'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQubm9uX0ROU19ob3N0X3Jvb3QuMC4xNTQ5NDEyNTU0MDg3LnRlc3QtZm9yZXNjb3V0LjEwLjQxLjguMTAu:10.41.8.10/test-forescout/%20', u'network_view': u'default', u'extattrs': {u'FS_Sync': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'true'}, u'FS_Site': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'Lab'}, u'Change Number': {u'value': u'12345678'}}}, u'member_name': u'wtc-ddi.ucsf.edu', u'operation_type': u'INSERT'}
[2019/02/05 16:22:37.270657] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace I contents are: {}
[2019/02/05 16:22:37.270689] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace L contents are: {}
[2019/02/05 16:22:37.270724] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace S contents are: {'URI': u'https://128.218.28.162', 'TIMEOUT': 30, 'USER': u'fs_infoblox_lab@Infoblox_lab'}
[2019/02/05 16:22:37.270756] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace P contents are: {}
[2019/02/05 16:22:37.270883] sdsc-ddi-01.ucsf.edu (DEBUG): Namespace UT contents are: {'USERNAME': '[redacted]', 'PROTOCOL': u'https', 'UUID': '7df6e149-0c57-41ad-8995-c0ca3bbd75e2', 'WAPIUSERNAME': u'aa-tannenbaumr', 'URI': u'https://128.218.28.162', 'HOST': u'128.218.28.162', 'EPOCH': '1549412557', 'TIME': '2019-02-06T00:22:37Z', 'PATH': u'', 'PASSWORD': '[redacted]', 'PORT': 443}
[2019/02/05 16:22:37.270939] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step assignSyncTime (1)
[2019/02/05 16:22:37.271050] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step stop_if_just_changed (1)
[2019/02/05 16:22:37.271090] sdsc-ddi-01.ucsf.edu (DEBUG): Found a/an AND condition step!
[2019/02/05 16:22:37.271177] sdsc-ddi-01.ucsf.edu (DEBUG): Evaluating statement:  == 2019-02-06T00:22
[2019/02/05 16:22:37.271210] sdsc-ddi-01.ucsf.edu (DEBUG): The condition did not match!
[2019/02/05 16:22:37.271245] sdsc-ddi-01.ucsf.edu (DEBUG): Executing step check_for_not_Lease (1)
[2019/02/05 16:22:37.271279] sdsc-ddi-01.ucsf.edu (DEBUG): Found a/an AND condition step!
[2019/02/05 16:22:37.271331] sdsc-ddi-01.ucsf.edu (DEBUG): Evaluating statement: HOST_ADDRESS_IPV4 != LEASE
[2019/02/05 16:22:37.271406] sdsc-ddi-01.ucsf.edu (DEBUG): Evaluating statement: true == true
[2019/02/05 16:22:37.271438] sdsc-ddi-01.ucsf.edu (DEBUG): The condition matched!
[2019/02/05 16:22:37.271461] sdsc-ddi-01.ucsf.edu (DEBUG): Executing the eval block
[2019/02/05 16:22:37.271618] sdsc-ddi-01.ucsf.edu (DEBUG): An error has occurred while processing a template
[2019/02/05 16:22:37.271648] sdsc-ddi-01.ucsf.edu (DEBUG): Variable E:values sub-addressing cannot be executed successfully, please verify the indexes / keys passed are correct (last key tried: "<a complex substitution inner selector>" in "<a complex variable>")
[2019/02/05 16:22:37.271718] sdsc-ddi-01.ucsf.edu (DEBUG): The namespace E contains the following data {u'member_ip': u'10.64.19.210', u'event_type': 'HOST_ADDRESS_IPV4', u'timestamp': u'2019-02-06T00:22:34Z', u'vnode_oid': 0, u'object_type': u'HostAddress', u'previous_values': {}, u'values': {u'host': u'test-forescout', u'ipv4addr': u'10.41.8.10', u'_ref': u'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQubm9uX0ROU19ob3N0X3Jvb3QuMC4xNTQ5NDEyNTU0MDg3LnRlc3QtZm9yZXNjb3V0LjEwLjQxLjguMTAu:10.41.8.10/test-forescout/%20', u'network_view': u'default', u'extattrs': {u'FS_Sync': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'true'}, u'FS_Site': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'Lab'}, u'Change Number': {u'value': u'12345678'}}}, u'member_name': u'wtc-ddi.ucsf.edu', u'operation_type': u'INSERT'}
[2019/02/05 16:22:37.271785] sdsc-ddi-01.ucsf.edu (DEBUG): Execution failed, retry if 0 < 0
[2019/02/05 16:22:37.271843] sdsc-ddi-01.ucsf.edu (WARNING): Template execution retry limit is reached.Event `{u'member_ip': u'10.64.19.210', u'event_type': 'HOST_ADDRESS_IPV4', u'timestamp': u'2019-02-06T00:22:34Z', u'vnode_oid': 0, u'object_type': u'HostAddress', u'previous_values': {}, u'values': {u'host': u'test-forescout', u'ipv4addr': u'10.41.8.10', u'_ref': u'record:host_ipv4addr/ZG5zLmhvc3RfYWRkcmVzcyQubm9uX0ROU19ob3N0X3Jvb3QuMC4xNTQ5NDEyNTU0MDg3LnRlc3QtZm9yZXNjb3V0LjEwLjQxLjguMTAu:10.41.8.10/test-forescout/%20', u'network_view': u'default', u'extattrs': {u'FS_Sync': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'true'}, u'FS_Site': {u'inheritance_source': {u'_ref': u'network/ZG5zLm5ldHdvcmskMTAuNDEuOC4wLzI0LzA:10.41.8.0/24/default'}, u'value': u'Lab'}, u'Change Number': {u'value': u'12345678'}}}, u'member_name': u'wtc-ddi.ucsf.edu', u'operation_type': u'INSERT'}` is skipped

 

Appreciate any help.

Thanks.

 

 

 

Re: Help with Forescout integration
New Member
Posts: 4
Registered: ‎12-03-2018

Turned out to be a missing Extensible Attribute.

 

No need to reply.

 

 

Re: Help with Forescout integration
Adviser
Posts: 171
Registered: ‎09-09-2015
Adviser
Posts: 81

Superb!

Re: Help with Forescout integration
New Member
Posts: 4
Registered: ‎12-03-2018

Hi,

 

Great integration.  Are dhcp lease actions also supposed to generate IB_Location and IB_Delete events in Counteract?  Debug log shows the dhcp events but no match on any action.

 

Debug log attached showing dhcp request and dhcp release.

 

 

Thanks.

Robert

 

 

 

Re: Help with Forescout integration
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69

Hello Robert,

 

They do not.

 

If the asset is a lease then the asset does not sync.

 

Step: check_for_not_Lease (assigns false to sync variable)

${XC:ASSIGN:{L:Sync}:{S:false}}

 

Step: stop_if_no_sync (stops the template if sync is equal to false)

{"left": "${L:Sync}", "op": "==", "right": "false"}

"stop": true

 

Let me know if this answers the question or if you need more help.

 

Hope this helps,

Kevin Zettel

Re: Help with Forescout integration
Moderator
Posts: 84
Registered: ‎06-21-2017
Moderator
Moderator
Posts: 69

Hello Robert,

 

It does; however, it looks like the Extensible attribute "FS_Sync" is set to an empty value.

 

Executing step check_for_Lease

Found a/an AND condition step!

Evaluating statement: LEASE == LEASE

Evaluating statement: == true <-- (this empty variable on the left is the "FS_Sync" Extensible attribute)

 

Hope this helps,

 

Kevin Zettel
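
Both failures in this thread (the "E:values sub-addressing" error from a missing Extensible Attribute, and the LEASE event whose "FS_Sync" evaluated to an empty value) can be spotted directly in the debug log. The script below is an added example, not part of the original posts and not Infoblox or Forescout code. It assumes the template needs the attributes FS_Sync and FS_Site (the names visible in the log above; the real template may reference others) and that an unset attribute shows up as an empty string. The sample log lines are constructed.

```python
import ast
import re

# Constructed sample lines modelled on the "Namespace E contents are" debug
# output in this thread; hosts, addresses and values are made up.
SAMPLE_LOG = [
    "[2019/02/05 16:22:37.270616] grid.example (DEBUG): Namespace E contents are: "
    "{u'event_type': 'HOST_ADDRESS_IPV4', u'values': {u'host': u'ok-host', "
    "u'extattrs': {u'FS_Sync': {u'value': u'true'}, u'FS_Site': {u'value': u'Lab'}}}}",
    "[2019/02/05 16:23:01.000001] grid.example (DEBUG): Namespace E contents are: "
    "{u'event_type': 'HOST_ADDRESS_IPV4', u'values': {u'host': u'no-site', "
    "u'extattrs': {u'FS_Sync': {u'value': u'true'}}}}",
    "[2019/02/05 16:24:02.000002] grid.example (DEBUG): Namespace E contents are: "
    "{u'event_type': 'LEASE', u'values': {u'address': u'192.0.2.10', "
    "u'extattrs': {u'FS_Sync': {u'value': u''}, u'FS_Site': {u'value': u'Lab'}}}}",
    "[2019/02/05 16:24:02.000003] grid.example (DEBUG): Executing step assignSyncTime (1)",
]

NS_E = re.compile(r"Namespace E contents are: (\{.*\})\s*$")

def parse_event(line):
    """Return the event dict from a 'Namespace E' debug line, else None."""
    match = NS_E.search(line)
    # literal_eval only accepts Python literals, so log text is never executed.
    return ast.literal_eval(match.group(1)) if match else None

def resolve(node, path):
    """Follow nested keys; return (True, value) or (False, first key not found)."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False, key
        node = node[key]
    return True, node

def check_extattrs(event, required=("FS_Sync", "FS_Site")):
    """Map each required attribute that is missing or empty to the reason."""
    problems = {}
    for name in required:
        found, value = resolve(event, ["values", "extattrs", name, "value"])
        if not found:
            problems[name] = "missing key %r" % value
        elif value in ("", None):
            problems[name] = "empty value"
    return problems

def audit(lines, required=("FS_Sync", "FS_Site")):
    """Return [(event_type, problems)] for every Namespace E line."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return [(e.get("event_type"), check_extattrs(e, required)) for e in events]

if __name__ == "__main__":
    for event_type, problems in audit(SAMPLE_LOG):
        print(event_type, problems or "all required attributes present")
```
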
