ForeScout COUNTERACT

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

The "Common Event Format Configuration Guide for ForeScout CounterACT, Version 6.3.4" is a document that explains how to set up the CEF (Common Event Format) connector on ForeScout CounterACT devices to send events to ArcSight SmartConnector using the CounterACT ArcSight plugin. This setup supports devices running version 6.3.4 and above. Key configuration elements include entering the IP address of the ArcSight server, adjusting optional parameters for port settings and update frequency, and mapping vendor-specific event definitions to ArcSight data fields through CEF Header and Extension mappings. CounterACT functions as an out-of-band, clientless network access control appliance that manages device detection, policy compliance checks, and enforces security policies without network disruption. It integrates with ArcSight to provide direct visibility of network compliance state within the ArcSight console. The document also explains how specific device compliance information is standardized and integrated into the broader ArcSight system via vendor-specific event definitions mapped to ArcSight data fields.

Details:

"Common Event Format Configuration Guide for ForeScout CounterACT, Version 6.3.4, dated September 19, 2010, outlines instructions for configuring the CEF (Common Event Format) connector to collect events from the device. This guide supports devices running version 6.3.4 and above, detailing how to set up communication with ArcSight SmartConnector via the CounterACT ArcSight plugin. Essential configuration includes inputting the IP address of the ArcSight server, while optional parameters can be adjusted for port settings and update frequency. The document explains that CounterACT acts as an out-of-band, clientless network access control appliance, managing device detection, policy compliance checks, and enforcing security policies without network disruption. It also integrates with ArcSight to view network compliance state directly from the ArcSight console."

The guide then describes the mapping of vendor-specific event definitions to ArcSight data fields through the CounterACT Connector Field Mappings (CEF Header and CEF Extension). This includes details about compliance events, such as whether a device is compliant or noncompliant, mapped to specific signatures in the ArcSight system. The table presents mappings from ArcSight data fields to vendor-specific event definitions used by devices like CounterACT, a product of ForeScout Technologies. The key information includes:

1. **Device Event Mapping**: Vendor-specific event details are sent to the ArcSight SmartConnector and mapped to the appropriate ArcSight data fields based on their content.

2. **ArcSight Data Fields**: These are the specific categories within the ArcSight system where the received vendor-specific event data is stored after mapping. The table lists how the various pieces of information in the CEF header and extension, such as device vendor, product, version, compliance events, and policy details, map to these fields.

3. **Compliance Events**: Two types of compliance events are tracked: "Host is compliant" with signature ID COMPLIANCE, and "Host non-compliant" with signature ID NONCOMPLIANCE. Each event has an associated name and severity that conveys the importance or criticality of the event within the organizational context.

4. **Compliance Policy**: Details about compliance policies are also mapped, including the policy name (cs1) and subrule name (cs2) that classify hosts as compliant or noncompliant. The status field (cs3) indicates whether a host is compliant ("yes") or noncompliant ("no").

This summary provides a clear understanding of how specific device compliance information is standardized and integrated into the broader ArcSight system, facilitating better management and monitoring of compliance policies across various devices and systems.

The guide also describes a series of data fields associated with an event related to the compliance status of a host. Here is a summary of each field:

1. **Trigger**: The system detects a change in the compliancy status of a host, which triggers further actions or updates based on this new information.

2. **Compliancy Event**: An event in which the compliance status of a host changes. This could be due to software installations, configuration changes, patches applied, or other changes that affect compliance with the defined standards or policies.

3. **New Host for Compliancy Event**: A newly discovered host whose compliancy status has been determined and that needs further action based on that status.

4. **Compliance Status Changed for a Host**: A change in the compliance status of an existing host, which triggers this event to report updates related to configuration or software changes affecting compliance.

5. **Periodical Check**: An automatic check performed on hosts for which no status change has occurred within a predefined time interval, ensuring ongoing compliance with the standards and policies in force.

6. **Host Details**:

  • **IP Address (dst)**: The numeric IP address of the host, formatted in dot notation.

  • **MAC Address (dmac)**: The hardware address assigned to the network interface card of the host, displayed with colons separating each byte.

  • **User Name (duser)**: The name of the user who was logged onto the host at the time the event occurred.

  • **Host Name (dhost)**: The hostname of the device, which is used to identify and reference it within a local network or environment.

  • **NT Domain Name (dntdom)**: The domain name associated with the Windows NT operating system on the host, indicating its organizational context within an IT infrastructure.

7. **Device Details**:

  • **IP Address of Device (dvc)**: Similar to the host IP address but refers specifically to a device connected or interacting with the host under observation.

  • **Host Name of Device (dvchost)**: The hostname associated with the device having the specific IP address mentioned in `dvc`.

8. **Event Detection Time (rt)**: This field indicates the time at which the event was detected, measured as the number of milliseconds that have elapsed since January 1, 1970 (Unix epoch time). These fields are crucial for understanding and analyzing the compliance status changes in various hosts within an IT infrastructure, aiding in decision-making processes and ensuring adherence to established policies.
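As an added worked example (not code from the guide, ForeScout or ArcSight), the following parser reads CEF lines in the shape the mappings above describe and turns the two compliance events into structured records. The vendor, product, version, the COMPLIANCE/NONCOMPLIANCE signature IDs and the field names (cs1, cs2, cs3, dst, dmac, duser, dhost, dntdom, dvc, dvchost, rt) are taken from the guide; the sample hosts, policy names, severities and timestamps are constructed for this example. It handles CEF escaping (`\|` in header fields, `\=` in extension values), converts the millisecond `rt` value correctly, and cross-checks the cs3 flag against the signature ID so a mismatch is surfaced rather than silently trusted.

```python
import re
from datetime import datetime, timezone

# Constructed sample events in the layout the guide describes. Hosts, policy
# names, severities and timestamps are made up; signature IDs and field names
# follow the guide's mapping table.
SAMPLE_EVENTS = [
    "CEF:0|ForeScout|CounterACT|6.3.4|NONCOMPLIANCE|Host non-compliant|7|"
    "dst=10.0.0.25 dmac=00:11:22:33:44:55 duser=jdoe dhost=WS-025 dntdom=CORP "
    "dvc=10.0.0.2 dvchost=counteract-01 cs1=Antivirus Installed "
    "cs2=Registry key\\=value missing cs3=no rt=1284897600000",
    "CEF:0|ForeScout|CounterACT|6.3.4|COMPLIANCE|Host is compliant|3|"
    "dst=10.0.0.26 dmac=00:11:22:33:44:66 duser=asmith dhost=WS-026 dntdom=CORP "
    "dvc=10.0.0.2 dvchost=counteract-01 cs1=Antivirus Installed "
    "cs2=AV running cs3=yes rt=1284897660000",
]

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Signature ID -> compliant? (the two compliance events the guide maps)
COMPLIANCE_SIGNATURES = {"COMPLIANCE": True, "NONCOMPLIANCE": False}

# Locates unescaped "key=" tokens in the extension; values may contain spaces.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _unescape(text, specials):
    # Drop the backslash CEF places before an escaped special character.
    return re.sub(r"\\([\\" + re.escape(specials) + r"])", r"\1", text)


def split_header(line):
    """Split the CEF prefix into its seven header fields plus the raw extension.
    A literal '|' inside a header field arrives as '\\|', so split only on
    unescaped pipes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-separated fields")
    header = {name: _unescape(value, "|")
              for name, value in zip(HEADER_FIELDS, parts[:7])}
    return header, parts[7]


def parse_extension(ext):
    """Parse 'key=value' pairs; a value runs up to the next 'key=' token, and a
    literal '=' inside a value arrives as '\\='."""
    fields = {}
    keys = list(EXT_KEY.finditer(ext))
    for i, match in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[match.group(1)] = _unescape(ext[match.end():end].strip(), "=")
    return fields


def to_compliance_record(line):
    """Map one CounterACT CEF event onto the fields the guide documents.
    Returns None for events that are not one of the two compliance signatures."""
    header, ext = split_header(line)
    fields = parse_extension(ext)
    compliant = COMPLIANCE_SIGNATURES.get(header["signature_id"])
    if compliant is None:
        return None
    # rt is milliseconds since the Unix epoch, so divide before converting.
    detected = datetime.fromtimestamp(int(fields["rt"]) / 1000, tz=timezone.utc)
    # cs3 carries "yes"/"no" and should agree with the signature ID; record
    # whether it does instead of trusting either field alone.
    status_flag = fields.get("cs3", "").lower()
    return {
        "device": (header["device_vendor"], header["device_product"],
                   header["device_version"]),
        "event_name": header["name"],
        "severity": header["severity"],
        "compliant": compliant,
        "status_consistent": status_flag == ("yes" if compliant else "no"),
        "policy": fields.get("cs1"),
        "subrule": fields.get("cs2"),
        "host": {k: fields.get(k) for k in ("dst", "dmac", "duser", "dhost", "dntdom")},
        "appliance": {k: fields.get(k) for k in ("dvc", "dvchost")},
        "detected_at": detected.isoformat(),
    }


def noncompliant_hosts(lines):
    """Host names whose most recent compliance event was NONCOMPLIANCE."""
    latest = {}
    for line in lines:
        rec = to_compliance_record(line)
        if rec is None:
            continue
        ip = rec["host"]["dst"]
        if ip not in latest or rec["detected_at"] > latest[ip]["detected_at"]:
            latest[ip] = rec
    return sorted(r["host"]["dhost"] for r in latest.values() if not r["compliant"])


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(to_compliance_record(event))
    print("non-compliant:", noncompliant_hosts(SAMPLE_EVENTS))
```

The key-scanning approach in `parse_extension` is what makes space-containing policy and subrule names (cs1, cs2) parse correctly; an unescaped `=` inside a value would be misread as a new key, which is exactly why the CEF format requires it to be escaped.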

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
