Set up Forescout for Integration

Set up Forescout for integration with IoT Security through Cortex XSOAR.
Configure the following on Forescout:
  • A Forescout Data Exchange (DEX) account
  • Host properties that IoT Security can populate with device attributes
  • An IP address, range, or subnet from which Forescout accepts communications
The PanwIoTQuarantine host property will receive data that IoT Security submits for use in Forescout policies that quarantine devices and release them from quarantine. Therefore, you must also configure these policies on Forescout:
  • A quarantine policy with its condition set as PanwIoTQuarantine = on
  • A policy that releases devices from quarantine with the condition set as PanwIoTQuarantine = off
  1. Add a Data Exchange account.
    1. Log in to the Forescout console and click Tools > Options > Data Exchange (DEX).
      To access the console, use a remote desktop application such as the Remote Desktop Connection application on Windows or Microsoft Remote Desktop for Mac.
    2. In the Data Exchange (DEX) section, click CounterACT Web Service > Accounts and then Add.
    3. Enter the following in the Add Account dialog box that appears and then click OK:
      Name: Enter a name for the web service account.
      Description: Enter a note about the user account for future reference.
      Username: Enter a username that an XSOAR engine will use when authenticating itself to Forescout when interacting with it.
      Password: Enter a password for the user account.
  2. Create host properties.
    1. Click Properties and then click Add.
    2. Complete the three-part wizard that appears to add host properties such as the following:
      PanwIoTIP, PanwIoTProfile, PanwIoTCategory, PanwIoTRiskScore, PanwIoTConfidence, PanwIoTTag, PanwIoTHostname, PanwIoTOS, PanwIoTModel, PanwIoTVendor, PanwIoTSerial, PanwIoTEPP, PanwIoTInternetAccess, PanwIoTAET, PanwIoTQuarantine
      If you want to enter different host property names than those shown here, change the default names for their corresponding attributes in Cortex XSOAR so they match each other. The attribute names are editable in the incremental and bulk export job settings for Forescout in the Cortex XSOAR module. See Configure IoT Security and Cortex XSOAR for Forescout.
      | Host Property Name | Description |
      |---|---|
      | PanwIoTIP | Device IP address |
      | PanwIoTProfile | Device profile |
      | PanwIoTCategory | Category of device |
      | PanwIoTRiskScore | Risk score of device calculated by IoT Security |
      | PanwIoTConfidence | IoT Security device identification confidence level |
      | PanwIoTTag | User-defined tag applied to device in IoT Security |
      | PanwIoTHostname | Device hostname |
      | PanwIoTOS | Device operating system |
      | PanwIoTModel | Device model |
      | PanwIoTVendor | Device vendor |
      | PanwIoTSerial | Device serial number |
      | PanwIoTEPP | If device has endpoint protection (EPP) |
      | PanwIoTInternetAccess | If device has Internet access |
      | PanwIoTAET | Application entity title (for DICOM devices) |
      | PanwIoTQuarantine | Put device in quarantine when the value is on; remove from quarantine when the value is off |
      The next steps explain how to add a host property. Repeat them to add all the host properties described above.
    3. On the General tab, enter the following and then click Next:
      Property Name: PanwIoTIP
      Property Tag (ASCII only): PanwIoTIP (automatically fills based on the Property Name)
      Description: Enter a note about the host property for future reference.
      Account: Choose the same web service account name you entered in the Name field in the Add Account dialog box.
    4. On the Map Data panel, select Single Value Property, choose String in the Data Type drop-down list, and then click Next.
    5. On the Display/Track panel, select the places in the Forescout UI where you want the host property to appear and then click Finish.
      When done, the Properties page will have a complete set of host properties.
  3. Set an IP address, range of addresses, or subnet from which to allow connections to Forescout.
    1. Click Security Settings and then click Add.
    2. Select either All IPv4 or IPv4 Range. If you select IPv4 Range, enter the IP address, range, or subnet from which Forescout will accept connections and then click OK. Make sure it includes the XSOAR engine IP address.
    3. Click Apply to save the configuration of your account, host properties, and security settings.
  4. Configure policies to quarantine devices and release them from quarantine.
    One policy has a condition set as PanwIoTQuarantine = on and quarantines devices when the value of their PanwIoTQuarantine host property is on.
    The other policy has a condition set as PanwIoTQuarantine = off and releases devices when the value of their PanwIoTQuarantine host property is off.
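
A pre-flight check for the setup above, added here as an example and not taken from the Forescout or IoT Security documentation: it compares the host property names created in Forescout with the attribute names configured in Cortex XSOAR and confirms that the Security Settings entries admit the XSOAR engine. The function names, the allow-list notation, and any addresses passed in are assumptions made for illustration.

```python
import ipaddress

# Host property names from the table on this page (Forescout side).
PAGE_PROPERTIES = (
    "PanwIoTIP PanwIoTProfile PanwIoTCategory PanwIoTRiskScore PanwIoTConfidence "
    "PanwIoTTag PanwIoTHostname PanwIoTOS PanwIoTModel PanwIoTVendor PanwIoTSerial "
    "PanwIoTEPP PanwIoTInternetAccess PanwIoTAET PanwIoTQuarantine"
).split()


def entry_covers(entry, engine_ip):
    """True if one allow-list entry admits engine_ip.

    Assumed notation (not Forescout's own): "All IPv4", a single address,
    "start-end", or a CIDR subnet.
    """
    ip = ipaddress.ip_address(engine_ip)
    entry = entry.strip()
    if entry.lower() == "all ipv4":
        return True
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return start <= ip <= end
    return ip in ipaddress.ip_network(entry, strict=False)


def preflight(forescout_props, xsoar_attrs, allow_entries, engine_ip):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    fs, xs = set(forescout_props), set(xsoar_attrs)
    by_lower = {p.lower(): p for p in fs}
    # Every attribute name XSOAR sends needs an identically named host property.
    for name in sorted(xs - fs):
        near = by_lower.get(name.lower())
        hint = f"; Forescout has '{near}', which differs only in case" if near else ""
        findings.append(f"XSOAR attribute '{name}' has no Forescout host property{hint}")
    # The General tab labels the property tag "ASCII only".
    for name in sorted(fs):
        if not name.isascii():
            findings.append(f"Property tag for '{name}' must be ASCII only")
    # Security Settings must include the XSOAR engine IP address.
    if not any(entry_covers(e, engine_ip) for e in allow_entries):
        findings.append(f"XSOAR engine {engine_ip} is outside every allowed range")
    if any(e.strip().lower() == "all ipv4" for e in allow_entries):
        findings.append("'All IPv4' accepts any IPv4 source; an IPv4 Range is narrower")
    return findings
```
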
