Skip to content

[forescout] Initial release of Forescout with Event and Host data streams#18493

Draft
janvi-elastic wants to merge 2 commits intomainfrom
feature/forescout-0.1.0
Draft

[forescout] Initial release of Forescout with Event and Host data streams#18493
janvi-elastic wants to merge 2 commits intomainfrom
feature/forescout-0.1.0

Conversation

@janvi-elastic
Copy link
Copy Markdown
Contributor

@janvi-elastic janvi-elastic commented Apr 17, 2026

Proposed commit message

The initial release includes event and host data stream, associated dashboard
and visualizations.

forescout fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from live data samples, which were subsequently
sanitized.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

To test the forescout package:

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/forescout directory.
  • Run the following command to run tests.

elastic-package test

Run asset tests for the package
2026/04/17 14:21:54  INFO elastic-package v0.122.0 version-hash 0d1afec6 (build time: 2026-03-31T23:02:11+05:30)
2026/04/17 14:21:54  INFO elastic-stack: 8.18.0
--- Test results for package: forescout - START ---
╭───────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE   │ DATA STREAM │ TEST TYPE │ TEST NAME                                                          │ RESULT │ TIME ELAPSED │
├───────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ forescout │             │ asset     │ dashboard forescout-4b5d6ae2-9ce2-4e57-b922-3fe79be2e0a0 is loaded │ PASS   │      1.095µs │
│ forescout │             │ asset     │ dashboard forescout-52ac29ab-2ce2-4d68-937d-cac1cb92ab47 is loaded │ PASS   │        239ns │
│ forescout │             │ asset     │ search forescout-09d5d60b-1995-4851-b518-9337a4761cae is loaded    │ PASS   │        169ns │
│ forescout │ event       │ asset     │ index_template logs-forescout.event is loaded                      │ PASS   │        222ns │
│ forescout │ event       │ asset     │ ingest_pipeline logs-forescout.event-0.1.0 is loaded               │ PASS   │        115ns │
│ forescout │ host        │ asset     │ index_template logs-forescout.host is loaded                       │ PASS   │        140ns │
│ forescout │ host        │ asset     │ ingest_pipeline logs-forescout.host-0.1.0 is loaded                │ PASS   │        121ns │
╰───────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: forescout - END   ---
Done
Run pipeline tests for the package
2026/04/17 14:22:00  INFO elastic-package v0.122.0 version-hash 0d1afec6 (build time: 2026-03-31T23:02:11+05:30)
2026/04/17 14:22:00  INFO elastic-stack: 8.18.0
--- Test results for package: forescout - START ---
╭───────────┬─────────────┬───────────┬────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE   │ DATA STREAM │ TEST TYPE │ TEST NAME                                          │ RESULT │ TIME ELAPSED │
├───────────┼─────────────┼───────────┼────────────────────────────────────────────────────┼────────┼──────────────┤
│ forescout │ event       │ pipeline  │ (ingest pipeline warnings test-pipeline-event.log) │ PASS   │ 701.006657ms │
│ forescout │ event       │ pipeline  │ test-pipeline-event.log                            │ PASS   │ 289.610064ms │
│ forescout │ host        │ pipeline  │ (ingest pipeline warnings test-host.log)           │ PASS   │ 345.604382ms │
│ forescout │ host        │ pipeline  │ test-host.log                                      │ PASS   │ 151.467954ms │
╰───────────┴─────────────┴───────────┴────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: forescout - END   ---
Done
Run policy tests for the package
2026/04/17 14:22:01  INFO elastic-package v0.122.0 version-hash 0d1afec6 (build time: 2026-03-31T23:02:11+05:30)
2026/04/17 14:22:01  INFO elastic-stack: 8.18.0
--- Test results for package: forescout - START ---
No test results
--- Test results for package: forescout - END   ---
Done
Run script tests for the package
PKG forescout
[no test files]
--- Test results for package: forescout - START ---
No test results
--- Test results for package: forescout - END   ---
Done
Run static tests for the package
2026/04/17 14:22:02  INFO elastic-package v0.122.0 version-hash 0d1afec6 (build time: 2026-03-31T23:02:11+05:30)
--- Test results for package: forescout - START ---
╭───────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE   │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├───────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ forescout │ event       │ static    │ Verify sample_event.json │ PASS   │ 158.443786ms │
╰───────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: forescout - END   ---
Done
Run system tests for the package
2026/04/17 14:22:02  INFO elastic-package v0.122.0 version-hash 0d1afec6 (build time: 2026-03-31T23:02:11+05:30)
2026/04/17 14:22:02  INFO elastic-stack: 8.18.0
2026/04/17 14:22:02  INFO Installing package...
2026/04/17 14:22:15  INFO Running test for data_stream "event" with configuration 'udp'
2026/04/17 14:22:25  INFO Setting up independent Elastic Agent...
2026/04/17 14:22:32  INFO Setting up service...
2026/04/17 14:23:06  INFO Validating test case...
2026/04/17 14:23:07  INFO Tearing down service...
2026/04/17 14:23:08  INFO Write container logs to file: /root/integrations/build/container-logs/forescout-event-udp-1776415988367988862.log
2026/04/17 14:23:10  INFO Tearing down agent...
2026/04/17 14:23:10  INFO Write container logs to file: /root/integrations/build/container-logs/elastic-agent-1776415990560876506.log
2026/04/17 14:23:20  INFO Running test for data_stream "event" with configuration 'tcp'
2026/04/17 14:23:29  INFO Setting up independent Elastic Agent...
2026/04/17 14:23:42  INFO Setting up service...
2026/04/17 14:24:04  INFO Validating test case...
2026/04/17 14:24:05  INFO Tearing down service...
2026/04/17 14:24:06  INFO Write container logs to file: /root/integrations/build/container-logs/forescout-event-tcp-1776416046181677612.log
2026/04/17 14:24:08  INFO Tearing down agent...
2026/04/17 14:24:08  INFO Write container logs to file: /root/integrations/build/container-logs/elastic-agent-1776416048547828035.log
2026/04/17 14:24:17  INFO Uninstalling package...
--- Test results for package: forescout - START ---
╭───────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE   │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├───────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ forescout │ event       │ system    │ tcp       │ PASS   │ 44.920083407s │
│ forescout │ event       │ system    │ udp       │ PASS   │ 52.745603505s │
╰───────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: forescout - END   ---
Done

Related issues

Screenshots

image image (1)

Implementation details

Host Data is sent by the Forescout EyeExtend Connect app, and this integration package includes an ingest pipeline along with the associated dashboards.

Event data is sent over TCP and UDP.

Note: This integration follows a phased development process where individual data streams were reviewed and merged into a feature branch through separate PRs:

All PR's have been reviewed and merged in this feature branch, which is now ready for integration into the main branch.

@janvi-elastic janvi-elastic requested review from a team as code owners April 17, 2026 09:00
macroscopeapp[bot]
macroscopeapp bot reviewed Apr 17, 2026
View reviewed changes
Comment thread packages/forescout/data_stream/host/fields/base-fields.yml
Comment on lines +1 to +9
- name: data_stream.dataset
external: ecs
value: forescout.host
- name: data_stream.namespace
external: ecs
value: default
- name: data_stream.type
external: ecs
value: logs
Copy link
Copy Markdown

@macroscopeapp macroscopeapp bot Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 High fields/base-fields.yml:1

Lines 3, 6, and 9 hardcode value entries for data_stream.dataset, data_stream.namespace, and data_stream.type. Since these are constant_keyword fields defined in ECS, hardcoding values forces the index mapping to expect those specific values. If a user configures a custom namespace in their agent policy, documents will fail to index due to mapping conflicts. Remove the value entries to allow runtime configuration, matching the standard pattern used across other integrations.

- name: data_stream.dataset
-  external: ecs
-  value: forescout.host
+- name: data_stream.dataset
+  external: ecs
- name: data_stream.namespace
-  external: ecs
-  value: default
+- name: data_stream.namespace
+  external: ecs
- name: data_stream.type
-  external: ecs
-  value: logs
+- name: data_stream.type
+  external: ecs
🚀 Reply "fix it for me" or copy this AI Prompt for your agent: 
In file packages/forescout/data_stream/host/fields/base-fields.yml around lines 1-9:

Lines 3, 6, and 9 hardcode `value` entries for `data_stream.dataset`, `data_stream.namespace`, and `data_stream.type`. Since these are `constant_keyword` fields defined in ECS, hardcoding values forces the index mapping to expect those specific values. If a user configures a custom namespace in their agent policy, documents will fail to index due to mapping conflicts. Remove the `value` entries to allow runtime configuration, matching the standard pattern used across other integrations.

Comment thread packages/forescout/data_stream/host/elasticsearch/ingest_pipeline/default.yml
- forescout.host.timestamp
ignore_missing: true

# Remove `event.original` if `preserve_original_event` is not enabled
Copy link
Copy Markdown

@macroscopeapp macroscopeapp bot Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Medium ingest_pipeline/default.yml:209

When an inline on_failure handler appends to error.message, the pipeline later sets event.kind to pipeline_error and appends preserve_original_event to tags at lines 244-254 — but event.original has already been removed at lines 210-215 because the tag wasn't present yet. The original event is lost when errors occur, defeating the purpose of preservation. Move the error-detection block (lines 244-254) before the event.original removal (lines 209-215).

🚀 Reply "fix it for me" or copy this AI Prompt for your agent: 
In file packages/forescout/data_stream/host/elasticsearch/ingest_pipeline/default.yml around line 209:

When an inline `on_failure` handler appends to `error.message`, the pipeline later sets `event.kind` to `pipeline_error` and appends `preserve_original_event` to `tags` at lines 244-254 — but `event.original` has already been removed at lines 210-215 because the tag wasn't present yet. The original event is lost when errors occur, defeating the purpose of preservation. Move the error-detection block (lines 244-254) before the `event.original` removal (lines 209-215).

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Apr 17, 2026

💔 Build Failed

Failed CI Steps

@andrewkroh andrewkroh added New Integration Issue or pull request for creating a new integration package. dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:forescout [Integration not found in source] Crest Contributions from Crest developement team. labels Apr 17, 2026
@janvi-elastic janvi-elastic marked this pull request as draft April 19, 2026 08:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@macroscopeapp macroscopeapp[bot] macroscopeapp[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Crest Contributions from Crest developement team. dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:forescout [Integration not found in source] New Integration Issue or pull request for creating a new integration package.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@janvi-elastic @elasticmachine @andrewkroh @sharadcrest @akshraj-crest