Forescout Eyesight

Visualize Forescout Eyesight hosts, policies, users and vulnerabilities, map Forescout hosts to its matching policies, assigned user and identified vulnerabilities, and monitor changes through queries and alerts.

Installation
Authorization
Data Model
Types
Release Notes

Installation

To initiate this integration in JupiterOne, you will first need to create a Web API token within Forescout to use in JupiterOne.

Configuration in Forescout Eyesight

Creating a Web API Token:

Log in to the Forescout Console and navigate to Settings > Modules. Search for "Web API".
If the "Web API" module is not already started, start it, and click the "Configure" button.
Under "User Settings", create a new user.
Save the username and password you created. Enter these credentials in the "Web API Username" and "Web API Password" fields in JupiterOne.

Optional: Creating an Admin API User for Ingesting Network Segment Entities

Log in to the Forescout Console and navigate to Settings > Modules. Search for "Core Extensions > Admin API".
If the "Admin API" module is not already started, start it.
Use the "Settings" search to find and select the "CounterACT User Profiles" option.
Click the "Add" button and create a new user with the "User Type" set to "Single - Password".
Enter the username and password you create in the "Admin API Username" and "Admin API Password" fields in JupiterOne.
Assign the user "Group Management" and "Policy Management" permissions with the "View" scope.

:::

Configuration in JupiterOne

To install the Forescout Eyesight integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select "Forescout Eyesight". Click New Instance to begin configuring your integration.

Creating an instance requires the following:

The Account Name used to identify the Forescout Eyesight account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.
Description to assist in identifying the integration instance, if desired.
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
Your Hostname.
The Web API Username and Web API Password.
The Admin API Username and Admin API Password if you want to ingest the Ip Ranges.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Entities

The following entities are created:

Resources	Entity `_type`	Entity `_class`
Account	`forescout_eyesight_account`	Account
Host	`forescout_eyesight_host`	Host
Ip Range	`forescout_eyesight_ip_range`	IpRange
Policy	`forescout_eyesight_policy`	Policy
Policy Rule	`forescout_eyesight_policy_rule`	Rule
Scanner	`forescout_eyesight_scanner`	Scanner
User	`forescout_eyesight_user`	User
Vulnerability	`forescout_eyesight_vulnerability`	Vulnerability, Finding
Vulnerability	`forescout_eyesight_vulnerability`	Finding

Relationships

The following relationships are created:

Source Entity `_type`	Relationship `_class`	Target Entity `_type`
`forescout_eyesight_account`	HAS	`forescout_eyesight_scanner`
`forescout_eyesight_host`	HAS	`forescout_eyesight_vulnerability`
`forescout_eyesight_ip_range`	CONTAINS	`forescout_eyesight_host`
`forescout_eyesight_policy`	HAS	`forescout_eyesight_policy_rule`
`forescout_eyesight_scanner`	ASSIGNED	`forescout_eyesight_policy`
`forescout_eyesight_scanner`	IDENTIFIED	`forescout_eyesight_host`
`forescout_eyesight_user`	USES	`forescout_eyesight_host`