ForeScout CounterACT
Integration version: 3.0
Use Cases
Perform enrichment actions.
Configure ForeScout CounterACT integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | https://<ip address> | Yes | ForeScout CounterACT API root. |
Username | String | N/A | Yes | ForeScout CounterACT API username. |
Password | Password | N/A | Yes | ForeScout CounterACT API password. |
CA Certificate File | String | N/A | No | Base64 encoded CA certificate file. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the ForeScout CounterACT server is valid. |
Actions
Ping
Description
Test connectivity to ForeScout CounterACT with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: | General |
Enrich Entities
Description
Enrich entities using information from ForeScout CounterACT. Supported entities: IP, Mac Address.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Create Insight | Checkbox | Checked | No | If enabled, the action creates insights containing the enrichment information. |
Run On
This action runs on the following entities:
- IP Address
- Mac Address
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
```json
{
    "ip": "172.30.202.30",
    "mac": "005056a2196c",
    "fields": {
        "channel": {
            "timestamp": 1623834301,
            "value": "eth1.-1"
        },
        "nmap_banner7": [
            {
                "timestamp": 1623834430,
                "value": "80/tcp Apache httpd 2.4.6 (CentOS)"
            },
            {
                "timestamp": 1623834430,
                "value": "22/tcp OpenSSH 7.4 protocol 2.0"
            }
        ],
        "onsite": {
            "timestamp": 1623834301,
            "value": "true"
        },
        "classification_source_os": {
            "timestamp": 1623838175,
            "value": "engine"
        },
        "linux_manage": {
            "timestamp": 1623838175,
            "value": "false"
        },
        "access_ip": {
            "timestamp": 1623838175,
            "value": "172.30.202.30"
        },
        "classification_source_vendor": {
            "timestamp": 1623838175,
            "value": "engine"
        },
        "mac_vendor_string": {
            "timestamp": 1623834302,
            "value": "VMWARE, INC."
        },
        "openports": [
            {
                "timestamp": 1623834384,
                "value": "22/TCP"
            },
            {
                "timestamp": 1623834397,
                "value": "161/UDP"
            },
            {
                "timestamp": 1623834384,
                "value": "80/TCP"
            }
        ]
    },
    "id": 2887698974
}
```
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
ip | When available in JSON |
mac | When available in JSON |
onsite | When available in JSON |
guest_corporate_state | When available in JSON |
fingerprint | When available in JSON |
vendor | When available in JSON |
classification | When available in JSON |
agent_version | When available in JSON |
online | When available in JSON |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If some entities were not enriched (is_success = true): "Action wasn't able to enrich the following entities using ForeScout CounterACT:\n" followed by the entity identifiers. If no entities were enriched (is_success = false): "No entities were enriched". The action should fail and stop a playbook execution: | General |
Entity Table | Same Columns as in the Enrichment table, but without prefix. | Entity |
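The following is an added example, not code from the integration or its documentation: it applies the "when available in JSON" logic from the Entity Enrichment table and the output-message rules from the Case Wall table to a host record shaped like the JSON Result above. The constructed sample host and the "FSCA_" prefix are assumptions; the page does not state the real prefix.

```python
# Constructed sample modelled on the JSON Result above, trimmed to a few fields.
SAMPLE_HOST = {
    "ip": "172.30.202.30",
    "mac": "005056a2196c",
    "fields": {
        "onsite": {"timestamp": 1623834301, "value": "true"},
        "openports": [{"timestamp": 1623834384, "value": "22/TCP"},
                      {"timestamp": 1623834384, "value": "80/TCP"}],
        "mac_vendor_string": {"timestamp": 1623834302, "value": "VMWARE, INC."},
    },
    "id": 2887698974,
}

# Field names from the Entity Enrichment table above.
ENRICHMENT_FIELDS = ("ip", "mac", "onsite", "guest_corporate_state", "fingerprint",
                     "vendor", "classification", "agent_version", "online")


def field_value(host, name):
    """Plain value of a host field, or None when CounterACT did not report it.
    "ip"/"mac" are top-level strings; entries under "fields" are {"timestamp",
    "value"} objects, or lists of them for multi-valued properties."""
    if name in host and not isinstance(host[name], (dict, list)):
        return host[name]
    raw = host.get("fields", {}).get(name)
    if raw is None:
        return None
    if isinstance(raw, list):
        return [item.get("value") for item in raw]
    return raw.get("value")


def build_enrichment(host, prefix="FSCA_"):
    """Only fields present in the JSON become enrichment keys (prefix is assumed)."""
    enrichment = {}
    for name in ENRICHMENT_FIELDS:
        value = field_value(host, name)
        if value is not None:
            enrichment[prefix + name] = value
    return enrichment


def output_message(results):
    """results maps entity identifier -> enrichment dict ({} when nothing was found).
    Returns (is_success, message) following the Case Wall rules for this action."""
    failed = [ident for ident, enrichment in results.items() if not enrichment]
    if failed and len(failed) == len(results):
        return False, "No entities were enriched"
    if failed:
        return True, ("Action wasn't able to enrich the following entities using "
                      "ForeScout CounterACT:\n" + "\n".join(failed))
    return True, ""  # full success; the page states no message for this case
```

With the sample above only ip, mac and onsite are present, so the other enrichment columns are omitted rather than written as empty values.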