{ "version": "2.0", "name": "ForeScout SecEvent Mgmt", "comment": "SecEvent Management", "type": "REST_EVENT", "event_type": [ "RPZ", "TUNNEL" ], "transport": {"path": "/fsapi/niCore/Hosts"}, "action_type": "Assets Management", "content_type": "application/xml", "vendor_identifier": "ForeScout", "quoting": "XML", "steps": [ { "name": "DebugOnStart", "operation": "NOP", "body": "${XC:DEBUG:{H:}}${XC:DEBUG:{E:}}${XC:DEBUG:{I:}}${XC:DEBUG:{L:}}${XC:DEBUG:{S:}}${XC:DEBUG:{P:}}${XC:DEBUG:{UT:}}" }, { "name": "assignRemediateTime", "operation": "NOP", "body_list": ["${XC:COPY:{L:ScanDate}:{UT:TIME}}${XC:FORMAT:TRUNCATE:{L:ScanDate}:{10t}}"] }, { "name": "check_EA_on_IP", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ {"left": "${E:A:ip.extattrs{FS_RemediateOnEvent}}", "op": "==", "right": "true"}, {"left": "${E:A:ip.extattrs{FS_RemediatedAt}}", "op": "!=", "right": "${L:A:ScanDate}"} ], "next": "Remediate_IT" } }, { "name": "check_EA_on_Net", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ {"left": "${E::network.extattrs{FS_RemediateOnEvent}}", "op": "!=", "right": "true"}, {"left": "${E:A:ip.extattrs{FS_RemediatedAt}}", "op": "==", "right": "${L:A:ScanDate}"} ], "stop": true } }, { "name": "Remediate_IT", "operation": "POST", "body_list": [ "", "", "", "", "", "", "Remediate", "", "", "" ], "parse": "XMLA" }, { "name": "check action", "operation": "CONDITION", "condition": { "statements": [{ "left": "${P:A:PARSE{FSAPI}{STATUS}{CODE}}", "op": "!=", "right": "FSAPI_OK"}],"condition_type": "OR", "error": true} }, { "name": "checkNetView", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [{"left": "${E::network.network_view}", "op": "==", "right": ""}], "eval": "${XC:ASSIGN:{L:network_view}:{S:default}}", "else_eval": "${XC:COPY:{L:network_view}:{E:network.network_view}}" } }, { "name": "Get IPv4Fixed _ref", "operation": "GET", "transport": {"path": "fixedaddress?ipv4addr=${E:U:source_ip}&network_view=${L:U:network_view}"}, "wapi": "v2.6" }, { "operation": "CONDITION", "name": "wapi_response_getIPv4Fix_ref", "condition": { "statements": [{"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""}], "condition_type": "AND", "next": "Get_Objref" } }, { "name": "Get HostIPv4 _ref", "operation": "GET", "transport": {"path": "record:host?ipv4addr=${E:U:source_ip}&network_view=${L:U:network_view}"}, "wapi": "v2.6" }, { "operation": "CONDITION", "name": "wapi_response_getIPv4Host_ref", "condition": { "statements": [{"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""}], "condition_type": "AND", "next": "Get_Objref" } }, { "name": "Check_if_Save", "operation": "CONDITION", "condition": { "statements": [{"left": "1", "op": "==", "right": "1"}], "condition_type": "AND", "stop": true } }, { "name": "Get_Objref", "operation": "CONDITION", "condition": { "statements": [ {"left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": ""} ], "condition_type": "AND", "eval": "${XC:COPY:{L:Obj_ref}:{P:PARSE[0]{_ref}}}" } }, { "name": "Update Remediate Time", "operation": "PUT", "transport": {"path": "${L:A:Obj_ref}"}, "wapi": "v2.6", "wapi_quoting": "JSON", "body_list": [ "{", "\"extattrs+\":{\"FS_RemediatedAt\": { \"value\": \"${L:A:ScanDate}\"}}", "}" ] } ] }