Set up Forescout for Integration
Set up Forescout for integration with IoT Security through Cortex XSOAR.
Configure the following on Forescout:
- A Forescout Data Exchange (DEX) account
- Host properties that IoT Security can populate with device attributes
- An IP address, range, or subnet from which Forescout accepts communications
The PanwIoTQuarantine host property will receive data that IoT Security submits for use in Forescout policies that quarantine devices and release them from quarantine. Therefore, you must also configure these policies on Forescout:
- A quarantine policy with its condition set asPanwIoTQuarantine = on
- A policy that releases devices from quarantine with the condition set asPanwIoTQuarantine = off
- Add a Data Exchange account.
- Log in to the Forescout console and click.ToolsOptionsData Exchange (DEX)To access the console, use a remote desktop application such as the Remote Desktop Connection application on Windows or Microsoft Remote Desktop for Mac.
- In the Data Exchange (DEX) section, clickand thenCounterACT Web ServiceAccountsAdd.
- Enter the following in the Add Account dialog box that appears and then clickOK:Name: Enter a name for the web service account.Description: Enter a note about the user account for future reference.Username: Enter a username that an XSOAR engine will use when authenticating itself to Forescout when interacting with it.Password: Enter a password for the user account.
- Create host properties.
- ClickPropertiesand then clickAdd.
- Complete the three-part wizard that appears to add host properties such as the following:PanwIoTIP, PanwIoTProfile, PanwIoTCategory, PanwIoTRiskScore, PanwIoTConfidence, PanwIoTTag, PanwIoTHostname, PanwIoTOS, PanwIoTModel, PanwIoTVendor, PanwIoTSerial, PanwIoTEPP, PanwIoTInternetAccess, PanwIoTAET, PanwIoTQuarantineIf you want to enter different host property names than those shown here, change the default names for their corresponding attributes in Cortex XSOAR so they match each other. The attribute names are editable in the incremental and bulk export job settings for Forescout in the Cortex XSOAR module. See Configure IoT Security and Cortex XSOAR for Forescout.Host Property NameDescriptionPanwIoTIPDevice IP addressPanwIoTProfileDevice profilePanwIoTCategoryCategory of devicePanwIoTRiskScoreRisk score of device calculated by IoT SecurityPanwIoTConfidenceIoT Security device identification confidence levelPanwIoTTagUser-defined tag applied to device in IoT SecurityPanwIoTHostnameDevice hostnamePanwIoTOSDevice operating systemPanwIoTModelDevice modelPanwIoTVendorDevice vendorPanwIoTSerialDevice serial numberPanwIoTEPPIf device has endpoint protection (EPP)PanwIoTInternetAccessIf device has Internet accessPanwIoTAETApplication entity title (for DICOM devices)PanwIoTQuarantinePut device in quarantine when the value ison; remove from quarantine when the value isoffThe next steps explain how to add a host property. Repeat them to add all the host properties described above.
- On the General tab, enter the following and then clickNext:Property Name:PanwIoTIPProperty Tag (ASCII only):PanwIoTIP(automatically fills based on the Property Name)Description: Enter a note about the host property for future reference.Account: Choose the same web service account name you entered in the Name field in the Add Account dialog box.
- On the Map Data panel, selectSingle Value Property, chooseStringin the Data Type drop-down list, and then clickNext.
- On the Display/Track panel, select the places in the Forescout UI where you want the host property to appear and then clickFinish.When done, the Properties page will have a complete set of host properties.
- Set an IP address, range of addresses, or subnet from which allow connections to Forescout.
- ClickSecurity Settingsand then clickAdd.
- Select eitherAll IPv4orIPv4 Range. If you selectIPv4 Range, enter the IP address, range, or subnet from which Forescout will accept connections and then clickOK. Make sure it includes the XSOAR engine IP address.
- ClickApplyto save the configuration of your account, host properties, and security settings.
- Configure policies to quarantine devices and release them from quarantine.One policy has a condition set asPanwIoTQuarantine = onand quarantines devices when the value of their PanwIoTQuarantine host property ison.The other policy has a condition set asPanwIoTQuarantine = offand releases devices when the value of their PanwIoTQuarantine host property isoff.
Recommended For You
Recommended videos not found.