ForeScout CounterACT

ForeScout CounterACT platform provides insight into network-connected devices.

Types of Assets Fetched

This adapter fetches the following types of assets:

• Devices
• Software
• SaaS Applications

Parameters

1. ForeScout CounterACT Domain (required) – The URL for the ForeScout CounterAct domain.
2. User Name and Password (required) - The credentials for a user account that has the Required Permissions to fetch assets.
3. Admin API User Name (optional) - The ForeScout Admin API user name.
4. Admin API Password (optional) - The Forescout Admin API password.
5. Admin API Client ID (optional) - The Forescout Admin API Client ID.

6. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

7. HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

1. Do not fetch devices with no MAC address and no hostname (required, default: False) - Select whether to exclude fetching devices without MAC address and without hostname.
2. Do not fetch devices with no IP (required, default: False) - Select whether to exclude fetching devices without an IP address.
3. Ignore irrelevant device manufacturers - Select this option to ignore the device manufacturer field.
4. Number of parallel requests (required, default: 10) - Set the number of parallel requests this adapter connection will send in parallel to the ForeScout CounterAct server at any given point.
5. Re-authenticate after every X requests (required, default: 100) - Set the number of requests to allow before attempting to re-authenticate to get a new session token.
6. List of fields to be used for device "Last Seen" (optional) - Enter a list of field names to be used for determining the device's 'Last Seen' value. Items positioned earlier in the list take precedence over others. For example, if you enter online_va and then online:
   1. The adapter first searches for online_va in the device fields.
   2. If the field name is found, the 'Last Seen' value is the timestamp for online_va.
   3. If the field name is not found, the adapter searches for online in the device fields.
   4. If the field name is found, the 'Last Seen' value is the timestamp for online.
   5. If none of the field names are found, or if the list is empty (the default state), the 'Last Seen' value is the maximum timestamp from all the device fields (previously existing logic).
7. Do not fetch rule information for devices (fast mode) - Deprecated from version 6.0.14.
8. Use Azure Instance ID for Cloud ID - Select to set the device's Cloud ID field with the value of the Azure Instance ID field.
9. Fetch device segments from Admin API - Select this option to fetch device segments using Forescout Admin API. Make sure to fill in the Forescout Admin API User Name, Password, and Client ID parameters in order to use this setting.
10. Mapping of script results to aggregated fields - Click the + symbol to open the Script Result Field and the Aggregated Field.
    • Script Result Field - Enter the script result field name. The script result field name can be found in the advanced view for devices. For example: script_result.1a2b3c4d5e
    • Aggregated Field - Enter the device field name as it appears in the Axonius query. For example, if you want the script result to be parsed to the device serial, insert device_serial in the text box.

APIs

Axonius uses the following APIs:

• Forescout eyeExtend Connect Module: Web API
• Forescout Admin API
  
  

Required Permissions

The value supplied in User Name must have permissions to use the API. See Configure the Web API section in the ForeScout eyeExtend Connect Module for Web API Plugin Configuration Guide.