Question

alert creation with ForeScout

  • 17 May 2022
  • 1 reply
  • 58 views

Hello, I would like to create several use cases for the "ForeScout" security device. Do you have any ideas on how I could set up alerts with ForeScout?

1 reply

Userlevel 4
Badge +7

Hi,

I am not particularly familiar with ForeScout, but it looks like we use their CEF logs and have a dashboard, but don't have prebuilt alerts. In those cases there are several things we could do:

  1. Take a look at similar devices, and any prebuilt alerts that we have for them. If you switch to the “Coverage View” in the Alert Rules under “Knowledgebase” perhaps you can find some of the Mitre Techniques that would fit the Forescout functionality and see what other alerts there are for other log sources with that Technique ID to take inspiration from.
  2. Have a look at the log messages themselves, especially the "interesting fields" over a certain amount of time. For example, are there some event types or status messages, and is there anything interesting? For example, a search for "status=blocked" or event_type="host is not compliant" etc. could be an interesting starting point. For the other sources, I have often combined this with alerts that just populate lists - i.e. if a host is not compliant, it gets added to a list. You can then create an alert if for example more than 10 hosts are on this list, or indeed some alerts that only trigger when something else happens AND the system is on this list.

This is unfortunately the point where you probably know better what Forescout is capable of, but we’re happy to assist.
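As an added illustration of the list-based approach described in the reply (example code, not from the original post or from any vendor): a small CEF parser replays constructed sample events, populates a non-compliant host list, and raises one alert when the list exceeds the threshold and another when a "blocked" event arrives for a host already on the list. The vendor/product strings and the extension keys `src` and `status` are assumptions, not Forescout's real schema.

```python
import re

# Constructed sample events in CEF format. The vendor/product strings and the
# extension keys (src, status) are assumptions for this example, not a real schema.
SAMPLE_LOGS = [
    f"CEF:0|Forescout|CounterACT|8.0|100|Host compliance|5|src=10.0.0.{i} status=not compliant"
    for i in range(1, 12)  # eleven distinct non-compliant hosts
] + [
    "CEF:0|Forescout|CounterACT|8.0|100|Host compliance|3|src=10.0.0.3 status=compliant",
    "CEF:0|Forescout|CounterACT|8.0|200|Host blocked|7|src=10.0.0.5 status=blocked",
    "CEF:0|Forescout|CounterACT|8.0|200|Host blocked|7|src=10.0.0.200 status=blocked",
]

HEADER_KEYS = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]


def parse_cef(line):
    """Split one CEF line into (header dict, extension dict); None if malformed."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    header = dict(zip(HEADER_KEYS, parts[:7]))
    # extension values may contain spaces, so a value ends at the next " key=" boundary
    ext = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return header, ext


def evaluate(lines, threshold=10):
    """Replay events; return (sorted non-compliant host list, alerts raised)."""
    noncompliant = set()  # the dynamic list that the first alert populates
    alerts = []
    for line in lines:
        parsed = parse_cef(line)
        if parsed is None:
            continue
        _header, ext = parsed
        host, status = ext.get("src"), ext.get("status")
        if status == "not compliant":
            noncompliant.add(host)
            if len(noncompliant) > threshold:  # list-size alert
                alerts.append(("too_many_noncompliant", len(noncompliant)))
        elif status == "compliant":
            noncompliant.discard(host)  # host remediated, drop it from the list
        elif status == "blocked" and host in noncompliant:
            # correlated alert: a second event AND the host is already on the list
            alerts.append(("blocked_while_noncompliant", host))
    return sorted(noncompliant), alerts


if __name__ == "__main__":
    hosts, raised = evaluate(SAMPLE_LOGS)
    print(f"{len(hosts)} hosts on the non-compliant list; alerts: {raised}")
```

In a SIEM the same logic maps to one rule that writes to a dynamic list and two rules that read from it; the threshold of 10 matches the figure used in the reply.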
