Re: Integration issues with CounterAct
[ Edited ]
New Member
Posts: 16
Registered: ‎04-26-2018

I think I may see one of the issues. If you look at the attached Debug file you will see that at 2018/06/12 01:20:33.159917 the event contains u'ip.extattrs': {u'FS_Site': u'Lab', u'FS_Sync': u'true'}.

 

When it populates Namespace E at 2018/06/12 01:20:33.191681, that contains u'ip.extattrs': {u'FS_Site': u'Lab', u'FS_Sync': u'true'}.

 

When it errors out at 2018/06/12 01:20:33.195228 it is because "Key FS_RemediateOnEvent in dictionary variable E:ip.extattrs was not found ({u'FS_Site': u'Lab', u'FS_Sync': u'true'}:

 

The variable FS_RemediateOnEvent actually shows up under the network.extattrs area on 2018/06/12 01:20:33.159917.

 

 

I noticed that in the FS_Asset template that I was using there are two separate areas that contain RemediateOnEvent. One area is for the Lease action and is written as:

      "name": "check_for_Lease",
      "operation": "CONDITION",
      "condition": {
        "condition_type": "AND",
        "statements": [
            {"left": "${E::event_type}", "op": "==", "right": "LEASE"},
            {"left": "${E:A:ip.extattrs{FS_Sync}}", "op": "==", "right": "true"}
        ],
        "eval": "${XC:ASSIGN:{L:Sync}:{S:true}}${XC:COPY:{L:Site}:{E:ip.extattrs{FS_Site}}}${XC:COPY:{L:RemediateOnEvent}:{E:ip.extattrs{FS_RemediateOnEvent}}}${XC:COPY:{L:IP}:{E:address}}${XC:COPY:{L:NV}:{E:network_view}}${XC:COPY:{L:MAC}:{E:hardware}}"

 

 

The area for Fixed Addresses and Hosts is written as:

      "name": "check_for_not_Lease",
      "operation": "CONDITION",
      "condition": {
        "condition_type": "AND",
        "statements": [
            {"left": "${E::event_type}", "op": "!=", "right": "LEASE"},
            {"left": "${E:A:values{extattrs}{FS_Sync}{value}}", "op": "==", "right": "true"}
        ],
        "eval": "${XC:ASSIGN:{L:Sync}:{S:true}}${XC:COPY:{L:Site}:{E:values{extattrs}{FS_Site}{value}}}${XC:COPY:{L:RemediateOnEvent}:{E:values{extattrs}{FS_RemediateOnEvent}{value}}}${XC:COPY:{L:Obj_ref}:{E:values{_ref}}}${XC:COPY:{L:IP}:{E:values{ipv4addr}}}${XC:COPY:{L:NV}:{E:values{network_view}}}${XC:ASSIGN:{L:Obj_Ref_Add}:{S:}}",
        "else_eval": "${XC:ASSIGN:{L:Sync}:{S:false}}"

 

 

For the Fixed Address and Hosts, should they be E:ip.extattrs instead of E:values{extattrs}?

 

Below is the legend for the appliances that I used to blank out the first two octets.

 

yyy.yyy.182.73 - ForeScout
yyy.yyy.181.22  - Infoblox GM
yyy.yyy.181.25  - Infoblox DNS/DHCP

 

V/r

 

Marc
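
An added example, not part of the original post and not Infoblox's template engine: a small Python check that extracts every {E:...} reference from a template "eval" string and resolves it against a captured event, reporting the keys that are missing and any other *extattrs field that holds them. The event dictionary, the address, the FS_RemediateOnEvent value and the simplified path handling are assumptions constructed from the debug lines quoted above.

```python
import re

# Constructed event shaped like the debug-log lines quoted in the post.
# The address and the FS_RemediateOnEvent value are constructed placeholders.
EVENT = {
    "event_type": "LEASE",
    "address": "192.0.2.10",
    "ip.extattrs": {"FS_Site": "Lab", "FS_Sync": "true"},
    "network.extattrs": {"FS_RemediateOnEvent": "true"},
}

# Part of the Lease "eval" string from the post's template.
LEASE_EVAL = (
    "${XC:ASSIGN:{L:Sync}:{S:true}}"
    "${XC:COPY:{L:Site}:{E:ip.extattrs{FS_Site}}}"
    "${XC:COPY:{L:RemediateOnEvent}:{E:ip.extattrs{FS_RemediateOnEvent}}}"
    "${XC:COPY:{L:IP}:{E:address}}"
)

# Matches {E:field} or {E:field{key}{key}...} (simplified, assumed syntax).
E_REF = re.compile(r"\{E:([A-Za-z0-9_.]+)((?:\{[^{}]+\})*)\}")

def e_refs(template):
    """Return (top-level field, [nested keys]) for every E: reference."""
    return [(m.group(1), re.findall(r"\{([^{}]+)\}", m.group(2)))
            for m in E_REF.finditer(template)]

def resolve(event, field, keys):
    """Walk event[field][k1][k2]...; return (found, value)."""
    if field not in event:
        return False, None
    node = event[field]
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def missing_refs(event, template):
    """List unresolved references and other *extattrs fields holding the key."""
    report = []
    for field, keys in e_refs(template):
        if resolve(event, field, keys)[0]:
            continue
        elsewhere = sorted(
            name for name, val in event.items()
            if keys and name.endswith("extattrs")
            and isinstance(val, dict) and keys[0] in val)
        report.append((field, keys, elsewhere))
    return report
```

Running `missing_refs(EVENT, LEASE_EVAL)` against an event pasted from the debug log shows, before the template is deployed, which lookups would raise the "Key ... was not found" error and where the attribute is actually delivered.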