diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 0443979fc69..f1f1fda8594 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -246,6 +246,7 @@ /packages/first_epss @elastic/security-service-integrations /packages/fleet_server @elastic/fleet /packages/forcepoint_web @elastic/integration-experience +/packages/forescout @elastic/integration-experience /packages/forgerock @elastic/security-service-integrations /packages/fortinet_forticlient @elastic/integration-experience /packages/fortinet_fortiedr @elastic/integration-experience diff --git a/.github/ISSUE_TEMPLATE/integration_bug.yml b/.github/ISSUE_TEMPLATE/integration_bug.yml index e3924cac34e..6aa761564f3 100644 --- a/.github/ISSUE_TEMPLATE/integration_bug.yml +++ b/.github/ISSUE_TEMPLATE/integration_bug.yml @@ -192,6 +192,7 @@ body: - Flashpoint [ti_flashpoint] - Fleet Server [fleet_server] - Forcepoint Web Security [forcepoint_web] + - Forescout [forescout] - ForgeRock [forgerock] - Fortinet FortiClient Logs (Deprecated) [fortinet_forticlient] - Fortinet FortiEDR Logs [fortinet_fortiedr] diff --git a/.github/ISSUE_TEMPLATE/integration_feature_request.yml b/.github/ISSUE_TEMPLATE/integration_feature_request.yml index dc6a9216bc3..e5e1f1699fd 100644 --- a/.github/ISSUE_TEMPLATE/integration_feature_request.yml +++ b/.github/ISSUE_TEMPLATE/integration_feature_request.yml @@ -192,6 +192,7 @@ body: - Flashpoint [ti_flashpoint] - Fleet Server [fleet_server] - Forcepoint Web Security [forcepoint_web] + - Forescout [forescout] - ForgeRock [forgerock] - Fortinet FortiClient Logs (Deprecated) [fortinet_forticlient] - Fortinet FortiEDR Logs [fortinet_fortiedr] diff --git a/packages/forescout/_dev/build/build.yml b/packages/forescout/_dev/build/build.yml new file mode 100644 index 00000000000..32921896292 --- /dev/null +++ b/packages/forescout/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v9.3.0 
diff --git a/packages/forescout/_dev/build/docs/README.md b/packages/forescout/_dev/build/docs/README.md new file mode 100644 index 00000000000..e6eebb7eb2a --- /dev/null +++ b/packages/forescout/_dev/build/docs/README.md 
@@ -0,0 +1,115 @@ +# Forescout Integration for Elastic + +## Overview +[Forescout](https://www.forescout.com) is a leading device visibility and control platform that enables organizations to continuously identify, classify, and enforce security policies across all connected devices. It provides real-time visibility into IT, IoT, OT, and unmanaged devices across enterprise networks. + +The Forescout integration for Elastic enables you to ingest host data from the Forescout eyeExtend Connect app and event data using TCP and UDP, then visualize it in Kibana. + +### Compatibility +The Forescout integration is compatible with Forescout product version **8.5.2** and the Elastic eyeExtend Connect app version **0.2.0**. + +### How it works +This integration receives host data sent directly by the Forescout eyeExtend Connect app to Elastic, as well as real-time syslog events sent by the Forescout platform over TCP and UDP. + +The Elastic Agent listens on the configured network port for syslog messages and receives host data from the eyeExtend Connect app. The integration processes the incoming data using ingest pipelines to parse, normalize, and map the information to Elastic Common Schema (ECS). + +## What data does this integration collect? +This integration collects log messages of the following type: + +- `host`: Collect host information sent by the Forescout eyeExtend Connect app from the Forescout platform. +- `event`: collect event messages forwarded by the [syslog plugin](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.How-to-Work-with-the-Syslog-Plugin.html) from Forescout platform. These events are categorized into following groups: + - **NAC Events**: These event messages contain information on all policy event logs. + - **Threat Protection**: These event messages contain information on intrusion-related activity, including bite events, scan events, lockdown events and manual events. 
+ - **System Logs and Events**: These event messages contain information about the Forescout platform system events. + - **User Operations**: These event messages are generated when a user operation takes place, and they are included in the Audit Trail. + - **Operating System Messages**: These event messages are generated by the operating system. + +**Note**: Logs other than those from the fsservice are ingested as-is. These logs can be excluded from being ingested into Elastic, you can configure this behavior using the Syslog plugin on the Forescout platform. Refer to the configuration steps [here](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Syslog-Triggers.html#pID0E0UC0HA). + +### Supported use cases + +Integrating Forescout with Elastic SIEM delivers centralized, real-time visibility into network access control, device posture, and security enforcement across IT, IoT, and OT environments by transforming Forescout's device intelligence and policy enforcement events into actionable SIEM data. + +For **Host Data**, the dashboard provides detailed breakdowns by compliance state and network segments, enabling rapid asset discovery and inventory management across managed and unmanaged devices. + +For **Events**, the dashboard presents key metrics with breakdowns by `Severity`, `Facility`, `Priority`, `Hosts`, and `Applications`, helping analysts quickly triage security events and assess risk levels. + +Time-based visualizations such as `Events over Time by Priority` reveal trends and abnormal spikes in access or security activity, supporting proactive threat detection and continuous monitoring. + +Interactive filtering controls allow analysts to drill down across hosts and events, supporting streamlined investigation, threat hunting, and accelerated incident response within a unified Elastic environment. + +## What do I need to use this integration? 
+### From Elastic +- Elastic Stack with ingest pipelines capability to process incoming host data. +- Elastic Agent installed on a host that is reachable by the Forescout syslog sender. +- Ensure the required TCP/UDP ports are open to receive data. + +### From Forescout +- [Forescout eyeExtend Connect app](https://docs.forescout.com/bundle/connect-1-4-1-h/page/connect-1-4-1-h.About-the-Connect-Plugin.html) configured to send host data to Elastic. +- [Configure the syslog plugin](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Configure-the-Syslog-Plugin.html) in Forescout to continuously send the event message over either TCP or UDP. + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +This integration does not include a data collector for host data. Host data is sent directly by the Forescout eyeExtend Connect app to Elastic. The integration provides the necessary ingest pipelines and Kibana dashboards for processing and visualizing both host and event data. + +## Setup +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Forescout**. +3. Select the **Forescout** integration from the search results. +4. Select **Add Forescout** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect Forescout events via syslog**, you'll need to: + + - Configure **Listen Address**, **Listen Port**. + - Additionally, **Timezone**, **Custom TCP/UDP options** and **tags** can be provided. + +6. 
Select **Save and continue** to save the integration. + +> **Note**: The configured timezone is added to the `event.timezone` field for each event and is used to accurately build the `@timestamp` for syslog messages that lack a year value. The default is UTC, and if no value is provided, the system timezone of the Elastic Agent host is used. + +> **Note**: This integration does not include a data collector for host data. It provides ingest pipelines and Kibana dashboards to process host data sent directly by the Forescout eyeExtend Connect app to Elastic. + +### Validation +#### Dashboards populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Forescout**. +3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +If host data is not appearing in Elastic, verify that the Forescout eyeExtend Connect app is properly configured to send data to your Elastic instance. + +A known data-corruption issue affects the TCP input in Elastic Stack versions 9.2.0 and 9.2.1, so these releases should be avoided for TCP-based data collection. + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. 
+ +## Reference + +### ECS field reference + +#### Event +{{fields "event"}} + +### Example event + +#### Event +{{event "event"}} + + +### Inputs used +These inputs are used in this integration: +- [TCP](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-tcp) +- [UDP](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-udp) +- [Forescout eyeExtend Connect Plugin](https://docs.forescout.com/bundle/connect-1-4-1-h/page/connect-1-4-1-h.About-the-Connect-Plugin.html) diff --git a/packages/forescout/_dev/deploy/docker/docker-compose.yml b/packages/forescout/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..daa410dc032 --- /dev/null +++ b/packages/forescout/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,12 @@ +version: '2.3' +services: + forescout-event-tcp: + image: docker.elastic.co/observability/stream:v0.20.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9532 -p=tcp /sample_logs/forescout-event.log + forescout-event-udp: + image: docker.elastic.co/observability/stream:v0.20.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9533 -p=udp /sample_logs/forescout-event.log diff --git a/packages/forescout/_dev/deploy/docker/sample_logs/forescout-event.log b/packages/forescout/_dev/deploy/docker/sample_logs/forescout-event.log new file mode 100644 index 00000000000..e7274d191f2 --- /dev/null +++ b/packages/forescout/_dev/deploy/docker/sample_logs/forescout-event.log 
@@ -0,0 +1,17 @@ +<85>Nov 22 18:31:08 azure-app01 sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status +<86>Nov 22 18:31:11 azure-app01 sshd[27818]: Accepted publickey for root from 1.128.0.1 port 46124 ssh2: RSA SHA256:WokXPUll0YJnJwbfeK1xYfYR+DaVN2RVFEyK6lMW78c +<38>Nov 22 18:31:11 azure-app01 systemd-logind: New session 14909 of user root. +<86>Nov 22 18:31:11 azure-app01 sshd[27818]: pam_unix(sshd:session): session opened for user root by (uid=0) +<85>Nov 22 18:31:12 azure-app01 sudo: _fsservice : TTY=pts/0 ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool model +<86>Nov 22 18:31:13 azure-app01 sshd[27818]: Received disconnect from 1.128.0.0 port 46124:11: disconnected by user +<85>Nov 22 18:31:13 azure-app01 sudo: _fsservice : TTY=pts/0 ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool serial +<166>Nov 22 18:32:50 azure-app01 Forescout[2819]: Uptime 2234274 seconds +<86>Nov 22 18:36:13 azure-app01 sshd[2965]: pam_unix(sshd:session): session closed for user root +<38>Nov 22 18:36:13 azure-app01 systemd-logind: Removed session 14910. +<30>Nov 22 18:36:13 azure-app01 systemd: Removed slice User Slice of root. +<85>Nov 22 18:37:00 azure-em sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif +<85>Nov 22 18:37:26 azure-em sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status +<85>Nov 22 18:37:26 azure-em sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow +<30>Nov 22 18:40:01 azure-em systemd: Created slice User Slice of root. +<38>Nov 22 18:41:13 azure-app01 systemd-logind: Removed session 14913. +<30>Nov 22 18:41:13 azure-app01 systemd: Removed slice User Slice of root. diff --git a/packages/forescout/changelog.yml b/packages/forescout/changelog.yml new file mode 100644 index 00000000000..b8a42a40f23 --- /dev/null 
+++ b/packages/forescout/changelog.yml @@ -0,0 +1,12 @@ +# newer versions go on top +- version: '0.1.0' + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/18493 + - description: Add support for Host Data Stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/18097 + - description: Add support for Event Data Stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/16426 diff --git a/packages/forescout/data_stream/event/_dev/test/pipeline/test-common-config.yml b/packages/forescout/data_stream/event/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/forescout/data_stream/event/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/forescout/data_stream/event/_dev/test/pipeline/test-pipeline-event.log b/packages/forescout/data_stream/event/_dev/test/pipeline/test-pipeline-event.log new file mode 100644 index 00000000000..36a4ed10b26 --- /dev/null +++ b/packages/forescout/data_stream/event/_dev/test/pipeline/test-pipeline-event.log 
@@ -0,0 +1,14 @@ +_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow +_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif +Accepted publickey for root from 172.20.10.101 port 46018 ssh2: RSA SHA256:WokXPUll0YJnJwbAFK1xYfYR+DaVN2RVFEyK6lMW78c +Created slice User Slice of root. +New session 14906 of user root. +pam_unix(sshd:session): session opened for user root by (uid=0) +Received disconnect from 172.20.10.101 port 46018:11: disconnected by user +_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow +_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status +_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring stats +Started Session 35384 of user root. +(root) CMD (/usr/lib64/sa/sa1 1 1) +_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring 5 172.20.10.101:0,172.20.10.102:6440432280227338598 \ +_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif diff --git a/packages/forescout/data_stream/event/_dev/test/pipeline/test-pipeline-event.log-expected.json b/packages/forescout/data_stream/event/_dev/test/pipeline/test-pipeline-event.log-expected.json new file mode 100644 index 00000000000..fa743d49cd1 --- /dev/null +++ b/packages/forescout/data_stream/event/_dev/test/pipeline/test-pipeline-event.log-expected.json 
@@ -0,0 +1,382 @@ +{ + "expected": [ + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "command": "/bin/fstool netflowtool netflow_init_softflow", + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow", + "pwd": "/usr/local/forescout", + "service": "_fsservice", + "tty": "unknown", + "user": "root" + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow", + "process": { + "command_line": "/bin/fstool netflowtool netflow_init_softflow", + "user": { + "name": "root" + }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "user": [ + "root" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "root" + } + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "command": "/bin/fstool lsif", + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif", + "pwd": "/usr/local/forescout", + "service": "_fsservice", + "tty": "unknown", + "user": "root" + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif", + "process": { + "command_line": "/bin/fstool lsif", + "user": { + "name": "root" + }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "user": [ + "root" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "root" + } + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "message": "Accepted publickey for root from 172.20.10.101 port 46018 ssh2: RSA SHA256:WokXPUll0YJnJwbAFK1xYfYR+DaVN2RVFEyK6lMW78c" + } + }, + "message": "Accepted publickey for root from 172.20.10.101 port 46018 ssh2: RSA 
SHA256:WokXPUll0YJnJwbAFK1xYfYR+DaVN2RVFEyK6lMW78c", + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "message": "Created slice User Slice of root." + } + }, + "message": "Created slice User Slice of root.", + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "message": "New session 14906 of user root." + } + }, + "message": "New session 14906 of user root.", + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "message": "pam_unix(sshd:session): session opened for user root by (uid=0)" + } + }, + "message": "pam_unix(sshd:session): session opened for user root by (uid=0)", + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "message": "Received disconnect from 172.20.10.101 port 46018:11: disconnected by user" + } + }, + "message": "Received disconnect from 172.20.10.101 port 46018:11: disconnected by user", + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "command": "/bin/fstool netflowtool netflow_init_softflow", + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow", + "pwd": "/usr/local/forescout", + "service": "_fsservice", + "tty": "unknown", + "user": "root" + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool netflowtool netflow_init_softflow", + "process": { + "command_line": "/bin/fstool netflowtool netflow_init_softflow", + "user": { + "name": "root" 
+ }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "user": [ + "root" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "root" + } + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "command": "/bin/fstool fw status", + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status", + "pwd": "/usr/local/forescout", + "service": "_fsservice", + "tty": "unknown", + "user": "root" + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status", + "process": { + "command_line": "/bin/fstool fw status", + "user": { + "name": "root" + }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "user": [ + "root" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "root" + } + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "command": "/bin/fstool cysiv-health-monitoring stats", + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring stats", + "pwd": "/usr/local/forescout", + "service": "_fsservice", + "tty": "unknown", + "user": "root" + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring stats", + "process": { + "command_line": "/bin/fstool cysiv-health-monitoring stats", + "user": { + "name": "root" + }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "user": [ + "root" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "root" + } + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "message": "Started Session 35384 of user root." 
+ } + }, + "message": "Started Session 35384 of user root.", + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "message": "(root) CMD (/usr/lib64/sa/sa1 1 1)" + } + }, + "message": "(root) CMD (/usr/lib64/sa/sa1 1 1)", + "tags": [ + "preserve_duplicate_custom_fields" + ] + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "command": "/bin/fstool cysiv-health-monitoring 5 172.20.10.101:0,172.20.10.102:6440432280227338598 \\", + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring 5 172.20.10.101:0,172.20.10.102:6440432280227338598 \\", + "pwd": "/usr/local/forescout", + "service": "_fsservice", + "tty": "unknown", + "user": "root" + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool cysiv-health-monitoring 5 172.20.10.101:0,172.20.10.102:6440432280227338598 \\", + "process": { + "command_line": "/bin/fstool cysiv-health-monitoring 5 172.20.10.101:0,172.20.10.102:6440432280227338598 \\", + "user": { + "name": "root" + }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "user": [ + "root" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "root" + } + }, + { + "ecs": { + "version": "9.3.0" + }, + "event": { + "kind": "event" + }, + "forescout": { + "event": { + "command": "/bin/fstool lsif", + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif", + "pwd": "/usr/local/forescout", + "service": "_fsservice", + "tty": "unknown", + "user": "root" + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool lsif", + "process": { + "command_line": "/bin/fstool lsif", + "user": { + "name": "root" + }, + "working_directory": 
"/usr/local/forescout" + }, + "related": { + "user": [ + "root" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "root" + } + } + ] +} diff --git a/packages/forescout/data_stream/event/_dev/test/system/test-tcp-config.yml b/packages/forescout/data_stream/event/_dev/test/system/test-tcp-config.yml new file mode 100644 index 00000000000..ffe876567cb --- /dev/null +++ b/packages/forescout/data_stream/event/_dev/test/system/test-tcp-config.yml @@ -0,0 +1,8 @@ +service: forescout-event-tcp +service_notify_signal: SIGHUP +input: tcp +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9532 + preserve_original_event: true diff --git a/packages/forescout/data_stream/event/_dev/test/system/test-udp-config.yml b/packages/forescout/data_stream/event/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..529c1388ace --- /dev/null +++ b/packages/forescout/data_stream/event/_dev/test/system/test-udp-config.yml @@ -0,0 +1,8 @@ +service: forescout-event-udp +service_notify_signal: SIGHUP +input: udp +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9533 + preserve_original_event: true diff --git a/packages/forescout/data_stream/event/agent/stream/tcp.yml.hbs b/packages/forescout/data_stream/event/agent/stream/tcp.yml.hbs new file mode 100644 index 00000000000..43200211eec --- /dev/null +++ b/packages/forescout/data_stream/event/agent/stream/tcp.yml.hbs 
@@ -0,0 +1,43 @@ +host: "{{listen_address}}:{{listen_port}}" + +{{#if tcp_options}} +{{tcp_options}} +{{/if}} + +{{#if ssl}} +ssl: {{ssl}} +{{/if}} + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} + +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +processors: +{{#unless tz_offset}} +- add_locale: ~ +{{/unless}} +{{#if preserve_original_event}} +- copy_fields: + fields: + - from: message + to: event.original +{{/if}} +- syslog: + field: message +{{#if tz_offset}} + timezone: {{tz_offset}} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/forescout/data_stream/event/agent/stream/udp.yml.hbs b/packages/forescout/data_stream/event/agent/stream/udp.yml.hbs new file mode 100644 index 00000000000..2ff7ec59024 --- /dev/null +++ b/packages/forescout/data_stream/event/agent/stream/udp.yml.hbs @@ -0,0 +1,39 @@ +host: "{{listen_address}}:{{listen_port}}" + +{{#if udp_options}} +{{udp_options}} +{{/if}} + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} + +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +processors: +{{#unless tz_offset}} +- add_locale: ~ +{{/unless}} +{{#if preserve_original_event}} +- copy_fields: + fields: + - from: message + to: event.original +{{/if}} +- syslog: + field: message +{{#if tz_offset}} + timezone: {{tz_offset}} +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/forescout/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/forescout/data_stream/event/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..732a54ccf6e --- /dev/null 
+++ b/packages/forescout/data_stream/event/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,127 @@ +--- +description: Pipeline for processing event logs. +processors: + - set: + tag: set_ecs_version_to_9_3_0_3273339c + field: ecs.version + value: 9.3.0 + + # Set event.* fields + - set: + tag: set_event_kind_to_event_de80643c + field: event.kind + value: event + + # extract fields from message + - dissect: + description: Extract fields from the `message` field using the Dissect processor. + tag: dissect_message_2db7ab01 + if: ctx.message != null + field: message + pattern: '%{forescout.event.service} : TTY=%{forescout.event.tty} ; PWD=%{forescout.event.pwd} ; USER=%{forescout.event.user} ; COMMAND=%{forescout.event.command}' + ignore_failure: true + + # Map custom fields to corresponding ECS and related fields. + - set: + tag: set_forescout_event_message_to_message_903253c7 + field: forescout.event.message + copy_from: message + ignore_empty_value: true + - set: + tag: set_process_working_directory_from_forescout_event_pwd_a9dce622 + field: process.working_directory + copy_from: forescout.event.pwd + ignore_empty_value: true + - set: + tag: set_user_name_from_forescout_event_user_40cd5918 + field: user.name + copy_from: forescout.event.user + ignore_empty_value: true + - set: + tag: set_process_user_name_from_forescout_event_user_162cc9a1 + field: process.user.name + copy_from: forescout.event.user + ignore_empty_value: true + - set: + tag: set_process_command_line_from_forescout_event_command_6d140bfb + field: process.command_line + copy_from: forescout.event.command + ignore_empty_value: true + + # Append related.* fields + - append: + tag: append_related_user_b1d91a7c + if: ctx.forescout?.event?.user != null + field: related.user + value: '{{{process.user.name}}}' + allow_duplicates: false + - append: + tag: append_related_hosts_bb491624 + if: ctx.log?.syslog?.hostname != null + field: related.hosts + value: '{{{log.syslog.hostname}}}' + allow_duplicates: false + + # Remove duplicate custom fields + - remove: + tag: 
remove_custom_duplicate_fields_6d3cc57d + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + field: + - forescout.event.message + - forescout.event.pwd + - forescout.event.user + - forescout.event.command + ignore_missing: true + + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values_b72900e6 + lang: painless + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + tag: set_event_kind_to_pipeline_error_92954dfa + if: ctx.error?.message != null + field: event.kind + value: pipeline_error + - append: + tag: append_tags_9fe66b2c + if: ctx.error?.message != null + field: tags + value: preserve_original_event + allow_duplicates: false +on_failure: + - append: + tag: append_error_message_e0c9bd63 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + tag: set_event_kind_to_pipeline_error_f51b77ad + field: event.kind + value: pipeline_error + - append: + tag: append_tags_d762b9c5 + field: tags + value: preserve_original_event + allow_duplicates: false 
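Review bot: The `set_user_name_from_forescout_event_user_40cd5918` and `append_related_user_b1d91a7c` processors attribute the sudo lines to the wrong account: in sudo's log format the leading token (`_fsservice` in the test data) is the account that invoked sudo and `USER=root` is the target account, yet the dissect stores the invoker under `forescout.event.service` and copies the target into `user.name` and `related.user`, so the expected output ends up with `user.name: root` and the actual actor is not searchable as a user at all. ECS models this as `user.name` (invoker) plus `user.effective.name` (target), with both names in `related.user`; the rewrite below does that and keeps `process.user.name` / `process.command_line` as they are (`user.effective.name` would also need a line in `fields/ecs.yml`). The `related.user` append also guards on `forescout.event.user` but renders `process.user.name` — after the change it should guard on the field it renders. Separately, the pipeline sets `event.kind: event` but never `event.category`/`event.type` for the parsed sudo lines, and the sshd `Accepted publickey for root from <ip>` and `pam_unix(...) session opened` lines pass through unparsed (no `source.ip`, no `user.name`), which is worth stating in the `description` so consumers do not expect root SSH logins to be detectable from ECS fields.
```yaml
  # … unchanged: ecs.version, event.kind, dissect, forescout.event.message, process.working_directory …
  - set:
      tag: set_user_name_from_forescout_event_service
      field: user.name
      copy_from: forescout.event.service
      ignore_empty_value: true
  - set:
      tag: set_user_effective_name_from_forescout_event_user
      field: user.effective.name
      copy_from: forescout.event.user
      ignore_empty_value: true
  # … unchanged: process.user.name, process.command_line …
  - append:
      tag: append_related_user_invoker
      if: ctx.user?.name != null
      field: related.user
      value: '{{{user.name}}}'
      allow_duplicates: false
  - append:
      tag: append_related_user_effective
      if: ctx.user?.effective?.name != null
      field: related.user
      value: '{{{user.effective.name}}}'
      allow_duplicates: false
  # … unchanged: related.hosts, remove, cleanup script, on_failure …
```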
diff --git a/packages/forescout/data_stream/event/fields/base-fields.yml b/packages/forescout/data_stream/event/fields/base-fields.yml new file mode 100644 index 00000000000..f2ae091984f --- /dev/null +++ b/packages/forescout/data_stream/event/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: data_stream.type + external: ecs +- name: event.dataset + type: constant_keyword + external: ecs + value: forescout.event +- name: event.module + type: constant_keyword + external: ecs + value: forescout +- name: '@timestamp' + external: ecs diff --git a/packages/forescout/data_stream/event/fields/beats.yml b/packages/forescout/data_stream/event/fields/beats.yml new file mode 100644 index 00000000000..6759e833785 --- /dev/null +++ b/packages/forescout/data_stream/event/fields/beats.yml @@ -0,0 +1,14 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log + type: group + fields: + - name: offset + type: long + description: Log offset. + - name: source + type: group + fields: + - name: address + type: keyword diff --git a/packages/forescout/data_stream/event/fields/ecs.yml b/packages/forescout/data_stream/event/fields/ecs.yml new file mode 100644 index 00000000000..0241ebef83b --- /dev/null +++ b/packages/forescout/data_stream/event/fields/ecs.yml 
@@ -0,0 +1,39 @@
+# Define ECS constant fields as constant_keyword
+- name: error.message
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: log.syslog.appname
+ external: ecs
+- name: log.syslog.facility.code
+ external: ecs
+- name: log.syslog.facility.name
+ external: ecs
+- name: log.syslog.hostname
+ external: ecs
+- name: log.syslog.priority
+ external: ecs
+- name: log.syslog.procid
+ external: ecs
+- name: log.syslog.severity.code
+ external: ecs
+- name: log.syslog.severity.name
+ external: ecs
+- name: message
+ external: ecs
+- name: observer.vendor
+ external: ecs
+ type: constant_keyword
+ value: Forescout
+- name: process.command_line
+ external: ecs
+- name: process.user.name
+ external: ecs
+- name: process.working_directory
+ external: ecs
+- name: related.hosts
+ external: ecs
+- name: related.user
+ external: ecs
+- name: user.name
+ external: ecs
diff --git a/packages/forescout/data_stream/event/fields/fields.yml b/packages/forescout/data_stream/event/fields/fields.yml
new file mode 100644
index 00000000000..4b2ad8451f4
--- /dev/null
+++ b/packages/forescout/data_stream/event/fields/fields.yml
@@ -0,0 +1,18 @@
+- name: forescout
+ type: group
+ fields:
+ - name: event
+ type: group
+ fields:
+ - name: command
+ type: keyword
+ - name: message
+ type: match_only_text
+ - name: pwd
+ type: keyword
+ - name: service
+ type: keyword
+ - name: tty
+ type: keyword
+ - name: user
+ type: keyword
diff --git a/packages/forescout/data_stream/event/manifest.yml b/packages/forescout/data_stream/event/manifest.yml
new file mode 100644
index 00000000000..17b09673d70
--- /dev/null
+++ b/packages/forescout/data_stream/event/manifest.yml
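Review bot: None of the `forescout.event.*` fields in fields.yml carries a `description`, so the exported field reference will list `command`, `pwd`, `service`, `tty` and `user` with no explanation of what they hold or where they come from. A one-line description per field would do, for example `description: Command executed through sudo, as reported in the fsservice syslog line.` for `command` and `description: Working directory (PWD) recorded in the sudo log entry.` for `pwd`. The same gap exists in the host data stream's fields.yml, where names such as `smb_relay`, `is_behind_nat` and `openports` are not self-explanatory.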
@@ -0,0 +1,182 @@ +title: Collect Syslog from Forescout. +type: logs +streams: + - input: tcp + title: Forescout Events + enabled: false + description: Collect Forescout events (via Syslog). + template_path: tcp.yml.hbs + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9530 + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #framing: delimiter + #max_message_size: 50KiB + #max_connections: 1 + #line_delimiter: '\n' + description: Specify custom configuration options for the TCP input. + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. + multi: true + required: true + show_user: false + default: + - forescout-event + - forwarded + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve forescout.event.* fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - input: udp + title: Forescout Events + enabled: false + description: Collect Forescout events (via Syslog). 
+ template_path: udp.yml.hbs + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9531 + - name: tz_offset + type: text + title: Timezone + multi: false + required: false + show_user: false + default: UTC + description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting syslog timestamps without a time zone. + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + #max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. + multi: true + required: true + show_user: false + default: + - forescout-event + - forwarded + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve forescout.event.* fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
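Review bot: The `ssl` variable of the tcp stream documents only the option syntax; nothing tells the operator that leaving it at the commented-out default means the listener accepts syslog over plaintext TCP, which matters once `listen_address` is moved from `localhost` to `0.0.0.0` as the description suggests. I would extend the description with `Leave empty to accept plaintext TCP. Set certificate/key to serve TLS, and certificate_authorities with client_authentication: required to accept only authenticated senders.` The udp stream has no equivalent option, so its `listen_address` description could carry the same caveat about exposure when binding to all interfaces. Whether `tz_offset` is consumed by the templates is not visible in this hunk.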
diff --git a/packages/forescout/data_stream/event/sample_event.json b/packages/forescout/data_stream/event/sample_event.json new file mode 100644 index 00000000000..2a16aedbca7 --- /dev/null +++ b/packages/forescout/data_stream/event/sample_event.json @@ -0,0 +1,81 @@ +{ + "@timestamp": "2026-11-22T18:31:08.000Z", + "agent": { + "ephemeral_id": "1d936cb6-f23d-4c04-b07f-ada119d549a5", + "id": "a013286f-d805-4c6e-b5a3-aa506e415086", + "name": "elastic-agent-95897", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "forescout.event", + "namespace": "61844", + "type": "logs" + }, + "ecs": { + "version": "9.3.0" + }, + "elastic_agent": { + "id": "a013286f-d805-4c6e-b5a3-aa506e415086", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "forescout.event", + "ingested": "2026-04-03T10:15:37Z", + "kind": "event", + "original": "<85>Nov 22 18:31:08 azure-app01 sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status" + }, + "forescout": { + "event": { + "service": "_fsservice", + "tty": "unknown" + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "192.168.241.3:37420" + }, + "syslog": { + "appname": "sudo", + "facility": { + "code": 10, + "name": "security/authorization" + }, + "hostname": "azure-app01", + "priority": 85, + "severity": { + "code": 5, + "name": "Notice" + } + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status", + "process": { + "command_line": "/bin/fstool fw status", + "user": { + "name": "root" + }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "hosts": [ + "azure-app01" + ], + "user": [ + "root" + ] + }, + "tags": [ + "preserve_original_event", + "forescout-event", + "forwarded" + ], + "user": { + "name": "root" + } +} 
diff --git a/packages/forescout/data_stream/host/_dev/test/pipeline/test-common-config.yml b/packages/forescout/data_stream/host/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..3bcb3a67c3c
--- /dev/null
+++ b/packages/forescout/data_stream/host/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_duplicate_custom_fields
+ - preserve_original_event
diff --git a/packages/forescout/data_stream/host/_dev/test/pipeline/test-host.log b/packages/forescout/data_stream/host/_dev/test/pipeline/test-host.log
new file mode 100644
index 00000000000..963074c733e
--- /dev/null
+++ b/packages/forescout/data_stream/host/_dev/test/pipeline/test-host.log
@@ -0,0 +1,3 @@ +{"timestamp":"2026-03-20T10:41:23.966575","access_ip":"Unknown","compliance_state":"N/A","guest_corporate_state":"N/A","device_interfaces":"Irresolvable","is_dhcp_relay":"No DHCP traffic seen","is_dhcp_server":"No DHCP traffic seen","is_behind_nat":"Irresolvable","dhcp_server":"Unknown","ip":"1.128.0.0","mac":"Unknown","nested_device_id":"Unknown","nested_device_parent_ip":"Unknown","hwi_network_adapters":"Irresolvable","openports":"Unknown","os_cpe":"Irresolvable","segment_name":"","segment_path":"Irresolvable","smb_relay":"Irresolvable","user":"User"} +{"timestamp":"2026-03-20T10:42:23.966575","access_ip":"Unknown","compliance_state":"N/A","guest_corporate_state":"N/A","device_interfaces":"Irresolvable","is_dhcp_relay":"No DHCP traffic seen","is_dhcp_server":"No DHCP traffic seen","is_behind_nat":"Irresolvable","dhcp_server":"Unknown","ip":"1.128.0.0","mac":"Unknown","nested_device_id":"Unknown","nested_device_parent_ip":"Unknown","hwi_network_adapters":"Irresolvable","openports":"Unknown","os_cpe":"Irresolvable","segment_name":"","segment_path":"Irresolvable","smb_relay":"Irresolvable","user":"User"} +{"timestamp":"2026-03-20T10:43:23.966575","access_ip":"Unknown","compliance_state":"N/A","guest_corporate_state":"N/A","device_interfaces":"Irresolvable","is_dhcp_relay":"No DHCP traffic seen","is_dhcp_server":"No DHCP traffic seen","is_behind_nat":"Irresolvable","dhcp_server":"Unknown","ip":"224.0.52.139","mac":"11228675748e","nested_device_id":"Unknown","nested_device_parent_ip":"Unknown","hwi_network_adapters":"Irresolvable","openports":"Irresolvable","os_cpe":"Irresolvable","segment_name":"","segment_path":"Irresolvable","smb_relay":"Irresolvable","user":"User"} diff --git a/packages/forescout/data_stream/host/_dev/test/pipeline/test-host.log-expected.json b/packages/forescout/data_stream/host/_dev/test/pipeline/test-host.log-expected.json new file mode 100644 index 00000000000..600139cce0d --- /dev/null 
+++ b/packages/forescout/data_stream/host/_dev/test/pipeline/test-host.log-expected.json 
@@ -0,0 +1,162 @@ +{ + "expected": [ + { + "@timestamp": "2026-03-20T10:41:23.966Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": "{\"timestamp\":\"2026-03-20T10:41:23.966575\",\"access_ip\":\"Unknown\",\"compliance_state\":\"N/A\",\"guest_corporate_state\":\"N/A\",\"device_interfaces\":\"Irresolvable\",\"is_dhcp_relay\":\"No DHCP traffic seen\",\"is_dhcp_server\":\"No DHCP traffic seen\",\"is_behind_nat\":\"Irresolvable\",\"dhcp_server\":\"Unknown\",\"ip\":\"1.128.0.0\",\"mac\":\"Unknown\",\"nested_device_id\":\"Unknown\",\"nested_device_parent_ip\":\"Unknown\",\"hwi_network_adapters\":\"Irresolvable\",\"openports\":\"Unknown\",\"os_cpe\":\"Irresolvable\",\"segment_name\":\"\",\"segment_path\":\"Irresolvable\",\"smb_relay\":\"Irresolvable\",\"user\":\"User\"}", + "type": [ + "info" + ] + }, + "forescout": { + "host": { + "device_interfaces": "Irresolvable", + "hwi_network_adapters": "Irresolvable", + "ip": "1.128.0.0", + "is_behind_nat": "Irresolvable", + "is_dhcp_relay": "No DHCP traffic seen", + "is_dhcp_server": "No DHCP traffic seen", + "os_cpe": "Irresolvable", + "segment_path": "Irresolvable", + "smb_relay": "Irresolvable", + "timestamp": "2026-03-20T10:41:23.966Z", + "user": "User" + } + }, + "host": { + "ip": [ + "1.128.0.0" + ] + }, + "related": { + "ip": [ + "1.128.0.0" + ], + "user": [ + "User" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields", + "preserve_original_event" + ], + "user": { + "name": "User" + } + }, + { + "@timestamp": "2026-03-20T10:42:23.966Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": "{\"timestamp\":\"2026-03-20T10:42:23.966575\",\"access_ip\":\"Unknown\",\"compliance_state\":\"N/A\",\"guest_corporate_state\":\"N/A\",\"device_interfaces\":\"Irresolvable\",\"is_dhcp_relay\":\"No DHCP traffic seen\",\"is_dhcp_server\":\"No DHCP traffic 
seen\",\"is_behind_nat\":\"Irresolvable\",\"dhcp_server\":\"Unknown\",\"ip\":\"1.128.0.0\",\"mac\":\"Unknown\",\"nested_device_id\":\"Unknown\",\"nested_device_parent_ip\":\"Unknown\",\"hwi_network_adapters\":\"Irresolvable\",\"openports\":\"Unknown\",\"os_cpe\":\"Irresolvable\",\"segment_name\":\"\",\"segment_path\":\"Irresolvable\",\"smb_relay\":\"Irresolvable\",\"user\":\"User\"}", + "type": [ + "info" + ] + }, + "forescout": { + "host": { + "device_interfaces": "Irresolvable", + "hwi_network_adapters": "Irresolvable", + "ip": "1.128.0.0", + "is_behind_nat": "Irresolvable", + "is_dhcp_relay": "No DHCP traffic seen", + "is_dhcp_server": "No DHCP traffic seen", + "os_cpe": "Irresolvable", + "segment_path": "Irresolvable", + "smb_relay": "Irresolvable", + "timestamp": "2026-03-20T10:42:23.966Z", + "user": "User" + } + }, + "host": { + "ip": [ + "1.128.0.0" + ] + }, + "related": { + "ip": [ + "1.128.0.0" + ], + "user": [ + "User" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields", + "preserve_original_event" + ], + "user": { + "name": "User" + } + }, + { + "@timestamp": "2026-03-20T10:43:23.966Z", + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "host" + ], + "kind": "event", + "original": "{\"timestamp\":\"2026-03-20T10:43:23.966575\",\"access_ip\":\"Unknown\",\"compliance_state\":\"N/A\",\"guest_corporate_state\":\"N/A\",\"device_interfaces\":\"Irresolvable\",\"is_dhcp_relay\":\"No DHCP traffic seen\",\"is_dhcp_server\":\"No DHCP traffic seen\",\"is_behind_nat\":\"Irresolvable\",\"dhcp_server\":\"Unknown\",\"ip\":\"224.0.52.139\",\"mac\":\"11228675748e\",\"nested_device_id\":\"Unknown\",\"nested_device_parent_ip\":\"Unknown\",\"hwi_network_adapters\":\"Irresolvable\",\"openports\":\"Irresolvable\",\"os_cpe\":\"Irresolvable\",\"segment_name\":\"\",\"segment_path\":\"Irresolvable\",\"smb_relay\":\"Irresolvable\",\"user\":\"User\"}", + "type": [ + "info" + ] + }, + "forescout": { + "host": { + "device_interfaces": "Irresolvable", + 
"hwi_network_adapters": "Irresolvable", + "ip": "224.0.52.139", + "is_behind_nat": "Irresolvable", + "is_dhcp_relay": "No DHCP traffic seen", + "is_dhcp_server": "No DHCP traffic seen", + "mac": "11-22-86-75-74-8E", + "openports": "Irresolvable", + "os_cpe": "Irresolvable", + "segment_path": "Irresolvable", + "smb_relay": "Irresolvable", + "timestamp": "2026-03-20T10:43:23.966Z", + "user": "User" + } + }, + "host": { + "ip": [ + "224.0.52.139" + ], + "mac": [ + "11-22-86-75-74-8E" + ] + }, + "related": { + "ip": [ + "224.0.52.139" + ], + "user": [ + "User" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields", + "preserve_original_event" + ], + "user": { + "name": "User" + } + } + ] +} diff --git a/packages/forescout/data_stream/host/elasticsearch/ingest_pipeline/default.yml b/packages/forescout/data_stream/host/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..af709ad977d --- /dev/null +++ b/packages/forescout/data_stream/host/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,268 @@ +--- +description: Pipeline for processing host logs. +processors: + - set: + tag: set_ecs_version_to_9_3_0_b777da29 + field: ecs.version + value: 9.3.0 + + # parse the event JSON + - rename: + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + tag: rename_message_to_event_original_c74b1d7e + if: ctx.event?.original == null + field: message + target_field: event.original + ignore_missing: true + - remove: + description: The `message` field is no longer required if the document has an `event.original` field. + tag: remove_message_84808ee4 + if: ctx.event?.original != null + field: + - message + ignore_missing: true + - json: + tag: json_event_original_into_forescout_host_482387c8 + field: event.original + target_field: forescout.host + + # Set event.* fields + - set: + tag: set_event_kind_to_event_de80643c + field: event.kind + value: event + - append: + tag: Append_event_type_to_info_8a66ccaa + field: event.type + value: info + - append: + tag: Append_event_category_to_host_3fa422a0 + field: event.category + value: host + + # Remove null/Unknown/Empty/`n/a` values from the document + - script: + description: This script processor iterates over the whole document to remove fields with null, empty, 'n/a', or 'unknown' values. 
+ tag: remove_null_unknown_empty_n_a_values + lang: painless + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == ''|| v.toString().toLowerCase() == "n/a" || v.toString().toLowerCase() == "unknown" || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || v.toString().toLowerCase() == "n/a" || v.toString().toLowerCase() == "unknown" || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + + # Date processors + - date: + tag: date_forescout_host_timestamp_into_forescout_host_timestamp_2227c7a3 + if: ctx.forescout?.host?.timestamp != null && ctx.forescout.host.timestamp != '' + field: forescout.host.timestamp + target_field: forescout.host.timestamp + formats: + - ISO8601 + on_failure: + - remove: + tag: remove_forescout_host_timestamp_9d6204e9 + field: + - forescout.host.timestamp + - append: + tag: append_error_message_35bf28d1 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # Convert to IP + - convert: + tag: convert_forescout_host_access_ip_to_ip_81caf7ca + if: ctx.forescout?.host?.access_ip != '' + field: forescout.host.access_ip + type: ip + ignore_missing: true + on_failure: + - remove: + tag: remove_forescout_host_access_ip_5ef51382 + field: + - forescout.host.access_ip + - append: + tag: append_error_message_1e30c6aa + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + tag: convert_forescout_host_ip_to_ip_6aa9d628 + if: ctx.forescout?.host?.ip != '' + field: forescout.host.ip + type: ip + ignore_missing: true + on_failure: + - remove: + tag: remove_forescout_host_ip_532469c5 + field: + - forescout.host.ip + - append: + tag: append_error_message_dd72bf88 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + tag: convert_forescout_host_nested_device_parent_ip_to_ip_0ed74c96 + if: ctx.forescout?.host?.nested_device_parent_ip != '' + field: forescout.host.nested_device_parent_ip + type: ip + ignore_missing: true + on_failure: + - remove: + tag: remove_forescout_host_nested_device_parent_ip_2f3f3251 + field: + - forescout.host.nested_device_parent_ip + - append: + tag: append_error_message_a20fd3d6 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # Convert mac addresses to proper format + - gsub: + tag: Gsub_Mac_1801ec84 + if: ctx.forescout?.host?.mac != null && ctx.forescout.host.mac != '' + field: forescout.host.mac + pattern: (..)(?!$) + replacement: $1- + ignore_missing: true + - uppercase: + tag: Uppercase_Mac_3a5dcee1 + if: ctx.forescout?.host?.mac != null && ctx.forescout.host.mac != '' + field: forescout.host.mac + ignore_missing: true + + # Map custom fields to corresponding ECS and related fields. 
+ - set: + tag: set_@timestamp_from_forescout_host_timestamp_c949e90d + field: '@timestamp' + copy_from: forescout.host.timestamp + ignore_empty_value: true + - set: + tag: set_user_name_from_forescout_host_user_ef4bebdc + field: user.name + copy_from: forescout.host.user + ignore_empty_value: true + - append: + tag: append_host_mac_from_forescout_host_mac_66c303ed + if: ctx.forescout?.host?.mac != null + field: host.mac + value: '{{{forescout.host.mac}}}' + allow_duplicates: false + - append: + tag: append_host_ip_from_forescout_host_ip_b317703f + if: ctx.forescout?.host?.ip != null + field: host.ip + value: '{{{forescout.host.ip}}}' + allow_duplicates: false + - append: + tag: append_related_ip_from_forescout_host_access_ip_4beb64bc + if: ctx.forescout?.host?.access_ip != null + field: related.ip + value: '{{{forescout.host.access_ip}}}' + allow_duplicates: false + - append: + tag: append_related_ip_from_forescout_host_ip_c902b2a0 + if: ctx.forescout?.host?.ip != null + field: related.ip + value: '{{{forescout.host.ip}}}' + allow_duplicates: false + - append: + tag: append_related_ip_from_forescout_host_nested_device_parent_ip_e341d2e0 + if: ctx.forescout?.host?.nested_device_parent_ip != null + field: related.ip + value: '{{{forescout.host.nested_device_parent_ip}}}' + allow_duplicates: false + - append: + tag: append_related_user_from_forescout_host_user_d2a81d92 + if: ctx.forescout?.host?.user != null + field: related.user + value: '{{{forescout.host.user}}}' + allow_duplicates: false + + # Remove duplicate custom fields if preserve_duplicate_custom_fields are not enabled + - remove: + tag: remove_custom_duplicate_fields_e5e0519a + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + field: + - forescout.host.ip + - forescout.host.mac + - forescout.host.user + - forescout.host.timestamp + ignore_missing: true + + # Remove `event.original` if `preserve_original_event` is not enabled + - remove: + tag: remove_original_event_3c7f05eb + 
if: ctx.error?.message != null || ctx.tags == null || !ctx.tags.contains('preserve_original_event') + field: + - event.original + ignore_missing: true + + # Cleanup + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values_8360f3de + lang: painless + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + tag: set_event_kind_to_pipeline_error_92954dfa + if: ctx.error?.message != null + field: event.kind + value: pipeline_error + - append: + tag: append_tags_9fe66b2c + if: ctx.error?.message != null + field: tags + value: preserve_original_event + allow_duplicates: false +on_failure: + - append: + tag: append_error_message_e0c9bd63 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + tag: set_event_kind_to_pipeline_error_f51b77ad + field: event.kind + value: pipeline_error + - append: + tag: append_tags_d762b9c5 + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/forescout/data_stream/host/fields/base-fields.yml b/packages/forescout/data_stream/host/fields/base-fields.yml new file mode 100644 index 00000000000..2c3e151495c --- /dev/null +++ b/packages/forescout/data_stream/host/fields/base-fields.yml 
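Review bot: The `Gsub_Mac_1801ec84` processor assumes `forescout.host.mac` is twelve bare hex digits; its pattern `(..)(?!$)` inserts a `-` after every two characters, so a value that already carries `:` or `-` separators, or is shorter, is rewritten into a malformed address that the later append then copies into `host.mac`. Guarding both MAC processors with `if: ctx.forescout?.host?.mac != null && ctx.forescout.host.mac =~ /^[0-9A-Fa-f]{12}$/` limits the rewrite to the shape the test fixture shows and leaves other formats for explicit handling. The tags `Append_event_type_to_info_8a66ccaa`, `Append_event_category_to_host_3fa422a0`, `Gsub_Mac_1801ec84` and `Uppercase_Mac_3a5dcee1` also break the snake_case tag convention every other processor in the pipeline follows. The `remove_null_unknown_empty_n_a_values` script drops any string equal to `unknown` or `n/a` regardless of case anywhere in the document, so a user or segment genuinely named that way disappears; a comment stating this is intentional would help. The `date` processor parses a zone-less ISO8601 value with no `timezone` option, which the expected output shows is treated as UTC; worth recording that assumption in the processor's description.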
@@ -0,0 +1,19 @@
+- name: data_stream.dataset
+ external: ecs
+ value: forescout.host
+- name: data_stream.namespace
+ external: ecs
+ value: default
+- name: data_stream.type
+ external: ecs
+ value: logs
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: forescout.host
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: forescout
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/forescout/data_stream/host/fields/beats.yml b/packages/forescout/data_stream/host/fields/beats.yml
new file mode 100644
index 00000000000..2c743163876
--- /dev/null
+++ b/packages/forescout/data_stream/host/fields/beats.yml
@@ -0,0 +1,3 @@
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/forescout/data_stream/host/fields/ecs.yml b/packages/forescout/data_stream/host/fields/ecs.yml
new file mode 100644
index 00000000000..72e3e34e77c
--- /dev/null
+++ b/packages/forescout/data_stream/host/fields/ecs.yml
@@ -0,0 +1,9 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.product
+ external: ecs
+ type: constant_keyword
+ value: eyeExtend-Connect
+- name: observer.vendor
+ external: ecs
+ type: constant_keyword
+ value: Forescout
diff --git a/packages/forescout/data_stream/host/fields/fields.yml b/packages/forescout/data_stream/host/fields/fields.yml
new file mode 100644
index 00000000000..b5ca0f691f3
--- /dev/null
+++ b/packages/forescout/data_stream/host/fields/fields.yml
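Review bot: The host base-fields.yml pins `data_stream.namespace` to `value: default` and `data_stream.type` to `value: logs`, whereas the event data stream's base-fields.yml in this same commit declares the same fields with `external: ecs` and no value. If Fleet honours these values when it builds the index template, a user who installs the integration into any namespace other than `default` would get a constant_keyword conflict on `data_stream.namespace`; if Fleet overrides them, the values are dead configuration. Either way the two files should agree, and the reason for the difference (presumably that the host stream has no agent input and data is pushed directly, given the manifest has no `streams`) deserves a comment such as `# values fixed here because this data stream is written by eyeExtend Connect, not by an agent input`.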
@@ -0,0 +1,46 @@
+- name: forescout
+ type: group
+ fields:
+ - name: host
+ type: group
+ fields:
+ - name: access_ip
+ type: ip
+ - name: compliance_state
+ type: keyword
+ - name: device_interfaces
+ type: keyword
+ - name: dhcp_server
+ type: keyword
+ - name: guest_corporate_state
+ type: keyword
+ - name: hwi_network_adapters
+ type: keyword
+ - name: ip
+ type: ip
+ - name: is_behind_nat
+ type: keyword
+ - name: is_dhcp_relay
+ type: keyword
+ - name: is_dhcp_server
+ type: keyword
+ - name: mac
+ type: keyword
+ - name: nested_device_id
+ type: keyword
+ - name: nested_device_parent_ip
+ type: ip
+ - name: openports
+ type: keyword
+ - name: os_cpe
+ type: keyword
+ - name: segment_name
+ type: keyword
+ - name: segment_path
+ type: keyword
+ - name: smb_relay
+ type: keyword
+ - name: timestamp
+ type: date
+ - name: user
+ type: keyword
diff --git a/packages/forescout/data_stream/host/manifest.yml b/packages/forescout/data_stream/host/manifest.yml
new file mode 100644
index 00000000000..56e6ff97009
--- /dev/null
+++ b/packages/forescout/data_stream/host/manifest.yml
@@ -0,0 +1,2 @@
+title: Collect Logs Sent by Forescout EyeExtend Connect.
+type: logs
diff --git a/packages/forescout/docs/README.md b/packages/forescout/docs/README.md
new file mode 100644
index 00000000000..fcaff3656ce
--- /dev/null
+++ b/packages/forescout/docs/README.md
@@ -0,0 +1,240 @@ +# Forescout Integration for Elastic + +## Overview +[Forescout](https://www.forescout.com) is a leading device visibility and control platform that enables organizations to continuously identify, classify, and enforce security policies across all connected devices. It provides real-time visibility into IT, IoT, OT, and unmanaged devices across enterprise networks. + +The Forescout integration for Elastic enables you to ingest host data from the Forescout eyeExtend Connect app and event data using TCP and UDP, then visualize it in Kibana. + +### Compatibility +The Forescout integration is compatible with Forescout product version **8.5.2** and the Elastic eyeExtend Connect app version **0.2.0**. + +### How it works +This integration receives host data sent directly by the Forescout eyeExtend Connect app to Elastic, as well as real-time syslog events sent by the Forescout platform over TCP and UDP. + +The Elastic Agent listens on the configured network port for syslog messages and receives host data from the eyeExtend Connect app. The integration processes the incoming data using ingest pipelines to parse, normalize, and map the information to Elastic Common Schema (ECS). + +## What data does this integration collect? +This integration collects log messages of the following type: + +- `host`: Collect host information sent by the Forescout eyeExtend Connect app from the Forescout platform. +- `event`: collect event messages forwarded by the [syslog plugin](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.How-to-Work-with-the-Syslog-Plugin.html) from Forescout platform. These events are categorized into following groups: + - **NAC Events**: These event messages contain information on all policy event logs. + - **Threat Protection**: These event messages contain information on intrusion-related activity, including bite events, scan events, lockdown events and manual events. 
+ - **System Logs and Events**: These event messages contain information about the Forescout platform system events. + - **User Operations**: These event messages are generated when a user operation takes place, and they are included in the Audit Trail. + - **Operating System Messages**: These event messages are generated by the operating system. + +**Note**: Logs other than those from the fsservice are ingested as-is. These logs can be excluded from being ingested into Elastic, you can configure this behavior using the Syslog plugin on the Forescout platform. Refer to the configuration steps [here](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Syslog-Triggers.html#pID0E0UC0HA). + +### Supported use cases + +Integrating Forescout with Elastic SIEM delivers centralized, real-time visibility into network access control, device posture, and security enforcement across IT, IoT, and OT environments by transforming Forescout's device intelligence and policy enforcement events into actionable SIEM data. + +For **Host Data**, the dashboard provides detailed breakdowns by compliance state and network segments, enabling rapid asset discovery and inventory management across managed and unmanaged devices. + +For **Events**, the dashboard presents key metrics with breakdowns by `Severity`, `Facility`, `Priority`, `Hosts`, and `Applications`, helping analysts quickly triage security events and assess risk levels. + +Time-based visualizations such as `Events over Time by Priority` reveal trends and abnormal spikes in access or security activity, supporting proactive threat detection and continuous monitoring. + +Interactive filtering controls allow analysts to drill down across hosts and events, supporting streamlined investigation, threat hunting, and accelerated incident response within a unified Elastic environment. + +## What do I need to use this integration? 
+### From Elastic +- Elastic Stack with ingest pipelines capability to process incoming host data. +- Elastic Agent installed on a host that is reachable by the Forescout syslog sender. +- Ensure the required TCP/UDP ports are open to receive data. + +### From Forescout +- [Forescout eyeExtend Connect app](https://docs.forescout.com/bundle/connect-1-4-1-h/page/connect-1-4-1-h.About-the-Connect-Plugin.html) configured to send host data to Elastic. +- [Configure the syslog plugin](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Configure-the-Syslog-Plugin.html) in Forescout to continuously send the event message over either TCP or UDP. + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +This integration does not include a data collector for host data. Host data is sent directly by the Forescout eyeExtend Connect app to Elastic. The integration provides the necessary ingest pipelines and Kibana dashboards for processing and visualizing both host and event data. + +## Setup +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Forescout**. +3. Select the **Forescout** integration from the search results. +4. Select **Add Forescout** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect Forescout events via syslog**, you'll need to: + + - Configure **Listen Address**, **Listen Port**. + - Additionally, **Timezone**, **Custom TCP/UDP options** and **tags** can be provided. + +6. 
Select **Save and continue** to save the integration. + +> **Note**: The configured timezone is added to the `event.timezone` field for each event and is used to accurately build the `@timestamp` for syslog messages that lack a year value. The default is UTC, and if no value is provided, the system timezone of the Elastic Agent host is used. + +> **Note**: This integration does not include a data collector for host data. It provides ingest pipelines and Kibana dashboards to process host data sent directly by the Forescout eyeExtend Connect app to Elastic. + +### Validation +#### Dashboards populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Forescout**. +3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +If host data is not appearing in Elastic, verify that the Forescout eyeExtend Connect app is properly configured to send data to your Elastic instance. + +A known data-corruption issue affects the TCP input in Elastic Stack versions 9.2.0 and 9.2.1, so these releases should be avoided for TCP-based data collection. + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### ECS field reference + +#### Event +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. 
| date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| error.message | Error message. | match_only_text | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| forescout.event.command | | keyword | +| forescout.event.message | | match_only_text | +| forescout.event.pwd | | keyword | +| forescout.event.service | | keyword | +| forescout.event.tty | | keyword | +| forescout.event.user | | keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| log.source.address | | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. 
| long | +| log.syslog.procid | The process name or ID that originated the Syslog message, if available. | keyword | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.user.name | Short name or login of the user. | keyword | +| process.user.name.text | Multi-field of `process.user.name`. | match_only_text | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. 
| match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### Example event + +#### Event +An example event for `event` looks as following: + +```json +{ + "@timestamp": "2026-11-22T18:31:08.000Z", + "agent": { + "ephemeral_id": "1d936cb6-f23d-4c04-b07f-ada119d549a5", + "id": "a013286f-d805-4c6e-b5a3-aa506e415086", + "name": "elastic-agent-95897", + "type": "filebeat", + "version": "8.18.0" + }, + "data_stream": { + "dataset": "forescout.event", + "namespace": "61844", + "type": "logs" + }, + "ecs": { + "version": "9.3.0" + }, + "elastic_agent": { + "id": "a013286f-d805-4c6e-b5a3-aa506e415086", + "snapshot": false, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "forescout.event", + "ingested": "2026-04-03T10:15:37Z", + "kind": "event", + "original": "<85>Nov 22 18:31:08 azure-app01 sudo: _fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status" + }, + "forescout": { + "event": { + "service": "_fsservice", + "tty": "unknown" + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "192.168.241.3:37420" + }, + "syslog": { + "appname": "sudo", + "facility": { + "code": 10, + "name": "security/authorization" + }, + "hostname": "azure-app01", + "priority": 85, + "severity": { + "code": 5, + "name": "Notice" + } + } + }, + "message": "_fsservice : TTY=unknown ; PWD=/usr/local/forescout ; USER=root ; COMMAND=/bin/fstool fw status", + "process": { + "command_line": "/bin/fstool fw status", + "user": { + "name": "root" + }, + "working_directory": "/usr/local/forescout" + }, + "related": { + "hosts": [ + "azure-app01" + 
], + "user": [ + "root" + ] + }, + "tags": [ + "preserve_original_event", + "forescout-event", + "forwarded" + ], + "user": { + "name": "root" + } +} +``` + + +### Inputs used +These inputs are used in this integration: +- [TCP](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-tcp) +- [UDP](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-udp) +- [Forescout eyeExtend Connect Plugin](https://docs.forescout.com/bundle/connect-1-4-1-h/page/connect-1-4-1-h.About-the-Connect-Plugin.html) diff --git a/packages/forescout/img/forescout-event.png b/packages/forescout/img/forescout-event.png new file mode 100644 index 00000000000..143fef6fa53 Binary files /dev/null and b/packages/forescout/img/forescout-event.png differ diff --git a/packages/forescout/img/forescout-host.png b/packages/forescout/img/forescout-host.png new file mode 100644 index 00000000000..4d007d07bd8 Binary files /dev/null and b/packages/forescout/img/forescout-host.png differ diff --git a/packages/forescout/img/forescout-logo.svg b/packages/forescout/img/forescout-logo.svg new file mode 100644 index 00000000000..5cc16c419a3 --- /dev/null +++ b/packages/forescout/img/forescout-logo.svg @@ -0,0 +1,14 @@ + + + + +Forescout-logo + + + + + + + diff --git a/packages/forescout/kibana/dashboard/forescout-4b5d6ae2-9ce2-4e57-b922-3fe79be2e0a0.json b/packages/forescout/kibana/dashboard/forescout-4b5d6ae2-9ce2-4e57-b922-3fe79be2e0a0.json new file mode 100644 index 00000000000..10a93970903 --- /dev/null +++ b/packages/forescout/kibana/dashboard/forescout-4b5d6ae2-9ce2-4e57-b922-3fe79be2e0a0.json 
@@ -0,0 +1,1281 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "199f4bdf-80f5-4230-897d-988477da127b": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "forescout.host.compliance_state", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Compliance State" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "Overview of Host Data Sent using Forescout EyeExtend Connect", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e51f00af-d911-4fbf-918c-0df6c665a700", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26d42377-9618-40aa-9c9a-3d90abae6e6f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e51f00af-d911-4fbf-918c-0df6c665a700": { + "columnOrder": [ + 
"3730d397-5ee6-4761-9fe1-73c851516312", + "5c48db57-c4ef-4d7c-a8d0-9ab9d99222bf" + ], + "columns": { + "3730d397-5ee6-4761-9fe1-73c851516312": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": " Network Adapter", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "5c48db57-c4ef-4d7c-a8d0-9ab9d99222bf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "forescout.host.hwi_network_adapters" + }, + "5c48db57-c4ef-4d7c-a8d0-9ab9d99222bf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "26d42377-9618-40aa-9c9a-3d90abae6e6f", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "3730d397-5ee6-4761-9fe1-73c851516312" + }, + { + "columnId": "5c48db57-c4ef-4d7c-a8d0-9ab9d99222bf" + } + ], + "layerId": "e51f00af-d911-4fbf-918c-0df6c665a700", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + 
"dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "f629bef0-2f6b-4bca-b52c-11ca1ec4e1a5", + "w": 24, + "x": 0, + "y": 38 + }, + "panelIndex": "f629bef0-2f6b-4bca-b52c-11ca1ec4e1a5", + "title": "Top Network Adapter", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5ccace2e-b3d0-432d-9dac-0e6febdfadb1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "5ccace2e-b3d0-432d-9dac-0e6febdfadb1": { + "columnOrder": [ + "e26ab280-7c6e-45b0-9133-db4b1e5699f9", + "26230ae6-7303-4f6c-b54f-51d18865daa8" + ], + "columns": { + "26230ae6-7303-4f6c-b54f-51d18865daa8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e26ab280-7c6e-45b0-9133-db4b1e5699f9": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Access IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "26230ae6-7303-4f6c-b54f-51d18865daa8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, 
+ "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "forescout.host.access_ip" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "e26ab280-7c6e-45b0-9133-db4b1e5699f9" + }, + { + "columnId": "26230ae6-7303-4f6c-b54f-51d18865daa8" + } + ], + "layerId": "5ccace2e-b3d0-432d-9dac-0e6febdfadb1", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "565a9c19-0c4c-4120-ba46-595ffb562202", + "w": 24, + "x": 24, + "y": 23 + }, + "panelIndex": "565a9c19-0c4c-4120-ba46-595ffb562202", + "title": "Top Access IP", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bdfab623-200d-4cf5-aded-220b862f7f46", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "21378476-86bd-4613-ba74-fbae6512e567", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "bdfab623-200d-4cf5-aded-220b862f7f46": { + "columnOrder": [ + "5f161eda-8106-4f9c-8d67-c25c59b98d41", + "f73e4e13-bd27-4179-adb5-f0a64a848bad" + ], + "columns": { + "5f161eda-8106-4f9c-8d67-c25c59b98d41": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Segment", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + 
"columnId": "f73e4e13-bd27-4179-adb5-f0a64a848bad", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "forescout.host.segment_name" + }, + "f73e4e13-bd27-4179-adb5-f0a64a848bad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "21378476-86bd-4613-ba74-fbae6512e567", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "f73e4e13-bd27-4179-adb5-f0a64a848bad" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "bdfab623-200d-4cf5-aded-220b862f7f46", + "layerType": "data", + "position": "top", + "seriesType": 
"bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "5f161eda-8106-4f9c-8d67-c25c59b98d41" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "dfec48ff-aa0f-4143-a9cd-6e9f6944fe28", + "w": 24, + "x": 0, + "y": 23 + }, + "panelIndex": "dfec48ff-aa0f-4143-a9cd-6e9f6944fe28", + "title": "Hosts by Segment", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-040457b3-f3c9-4ca4-9535-3620bf4c630a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "040457b3-f3c9-4ca4-9535-3620bf4c630a": { + "columnOrder": [ + "4c04e197-fe9a-4a91-8583-6d9a1bf4dd5d", + "cd15860b-9c23-4b9a-b46c-f248fee2ab98" + ], + "columns": { + "4c04e197-fe9a-4a91-8583-6d9a1bf4dd5d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + 
"columnId": "cd15860b-9c23-4b9a-b46c-f248fee2ab98", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "cd15860b-9c23-4b9a-b46c-f248fee2ab98": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "4c04e197-fe9a-4a91-8583-6d9a1bf4dd5d" + }, + { + "columnId": "cd15860b-9c23-4b9a-b46c-f248fee2ab98" + } + ], + "layerId": "040457b3-f3c9-4ca4-9535-3620bf4c630a", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "3f73e8d2-932b-4fd8-b92e-d1fede456d83", + "w": 24, + "x": 24, + "y": 38 + }, + "panelIndex": "3f73e8d2-932b-4fd8-b92e-d1fede456d83", + "title": "Top User", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "This dashboard provides visibility into host data ingested using the Forescout EyeExtend Connect app.\n\nIt includes a 
control panel with filters such as Compliance State for quick data refinement. A table highlights Top Network Adapters, while a pie chart shows Hosts by Device Interface. Additional tables provide insights into Top Host IPs, Top Access IPs, and Top Users. A bar chart visualizes Hosts by Segment to understand network distribution.\n\nTogether, these visualizations help monitor host posture, network attributes, and user associations for effective analysis and investigation.\n\n**[Integration Page](/app/integrations/detail/forescout/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 19, + "i": "24b64911-b2ca-406c-be24-efee129b9f31", + "w": 12, + "x": 0, + "y": 4 + }, + "panelIndex": "24b64911-b2ca-406c-be24-efee129b9f31", + "title": "Overview", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8f764544-02dd-45f9-b2ea-1513ba11900c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ccc0883-0a83-45ce-9d94-3fee94da339a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8f764544-02dd-45f9-b2ea-1513ba11900c": { + "columnOrder": [ + "232bc105-f2e3-47f3-af95-e72fd456c416", + "8a963827-3f5e-4e97-a119-46513e55dcfb" + ], + "columns": { + "232bc105-f2e3-47f3-af95-e72fd456c416": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Interface", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8a963827-3f5e-4e97-a119-46513e55dcfb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"forescout.host.device_interfaces" + }, + "8a963827-3f5e-4e97-a119-46513e55dcfb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "4ccc0883-0a83-45ce-9d94-3fee94da339a", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8f764544-02dd-45f9-b2ea-1513ba11900c", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "8a963827-3f5e-4e97-a119-46513e55dcfb" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "232bc105-f2e3-47f3-af95-e72fd456c416" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": 
"data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 19, + "i": "0d325d2d-3693-4db0-ab66-0844efdd62d6", + "w": 18, + "x": 12, + "y": 4 + }, + "panelIndex": "0d325d2d-3693-4db0-ab66-0844efdd62d6", + "title": "Hosts by Device Interface", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-10e61e36-c486-4c78-8f8d-4484ea01d47d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "10e61e36-c486-4c78-8f8d-4484ea01d47d": { + "columnOrder": [ + "b9b21360-1517-49f8-8278-3eb243214e1f", + "6812b547-88dd-44bb-ac43-51ca6d3d8ed2" + ], + "columns": { + "6812b547-88dd-44bb-ac43-51ca6d3d8ed2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b9b21360-1517-49f8-8278-3eb243214e1f": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Host IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6812b547-88dd-44bb-ac43-51ca6d3d8ed2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.ip" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + 
"sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "initialContext": null, + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b9b21360-1517-49f8-8278-3eb243214e1f" + }, + { + "columnId": "6812b547-88dd-44bb-ac43-51ca6d3d8ed2" + } + ], + "layerId": "10e61e36-c486-4c78-8f8d-4484ea01d47d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.host" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.host" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 19, + "i": "9806d55a-07ac-41c0-8f73-90c87400f2ce", + "w": 18, + "x": 30, + "y": 4 + }, + "panelIndex": "9806d55a-07ac-41c0-8f73-90c87400f2ce", + "title": "Top Host IP", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "horizontal", + "links": [ + { + "destinationRefName": 
"link_dbc447f0-344b-4944-88f3-c0b024f3ba33_dashboard", + "id": "dbc447f0-344b-4944-88f3-c0b024f3ba33", + "label": "Event", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_ffbc8c99-266d-4969-82e0-9afd35ebbe91_dashboard", + "id": "ffbc8c99-266d-4969-82e0-9afd35ebbe91", + "label": "Host", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 1, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "208df9a7-3589-4946-9199-7fc993f695cd", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "208df9a7-3589-4946-9199-7fc993f695cd", + "type": "links" + } + ], + "timeRestore": false, + "title": "[Logs Forescout] Host", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-04-02T14:09:38.742Z", + "id": "forescout-4b5d6ae2-9ce2-4e57-b922-3fe79be2e0a0", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f629bef0-2f6b-4bca-b52c-11ca1ec4e1a5:indexpattern-datasource-layer-e51f00af-d911-4fbf-918c-0df6c665a700", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f629bef0-2f6b-4bca-b52c-11ca1ec4e1a5:26d42377-9618-40aa-9c9a-3d90abae6e6f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "565a9c19-0c4c-4120-ba46-595ffb562202:indexpattern-datasource-layer-5ccace2e-b3d0-432d-9dac-0e6febdfadb1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dfec48ff-aa0f-4143-a9cd-6e9f6944fe28:indexpattern-datasource-layer-bdfab623-200d-4cf5-aded-220b862f7f46", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dfec48ff-aa0f-4143-a9cd-6e9f6944fe28:21378476-86bd-4613-ba74-fbae6512e567", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"3f73e8d2-932b-4fd8-b92e-d1fede456d83:indexpattern-datasource-layer-040457b3-f3c9-4ca4-9535-3620bf4c630a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d325d2d-3693-4db0-ab66-0844efdd62d6:indexpattern-datasource-layer-8f764544-02dd-45f9-b2ea-1513ba11900c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d325d2d-3693-4db0-ab66-0844efdd62d6:4ccc0883-0a83-45ce-9d94-3fee94da339a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9806d55a-07ac-41c0-8f73-90c87400f2ce:indexpattern-datasource-layer-10e61e36-c486-4c78-8f8d-4484ea01d47d", + "type": "index-pattern" + }, + { + "id": "forescout-52ac29ab-2ce2-4d68-937d-cac1cb92ab47", + "name": "208df9a7-3589-4946-9199-7fc993f695cd:link_dbc447f0-344b-4944-88f3-c0b024f3ba33_dashboard", + "type": "dashboard" + }, + { + "id": "forescout-4b5d6ae2-9ce2-4e57-b922-3fe79be2e0a0", + "name": "208df9a7-3589-4946-9199-7fc993f695cd:link_ffbc8c99-266d-4969-82e0-9afd35ebbe91_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "controlGroup_199f4bdf-80f5-4230-897d-988477da127b:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/forescout/kibana/dashboard/forescout-52ac29ab-2ce2-4d68-937d-cac1cb92ab47.json b/packages/forescout/kibana/dashboard/forescout-52ac29ab-2ce2-4d68-937d-cac1cb92ab47.json new file mode 100644 index 00000000000..b93ef2cb7a1 --- /dev/null +++ b/packages/forescout/kibana/dashboard/forescout-52ac29ab-2ce2-4d68-937d-cac1cb92ab47.json 
@@ -0,0 +1,1082 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "1bb06693-0d6d-4ce8-be3f-cd0a1cbd4237": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "log.syslog.facility.name", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Facility" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "e8bdde14-7fb2-43a3-843e-2f2a37fb8163": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "log.syslog.priority", + "searchTechnique": "exact", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Priority" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "ff3ef866-7c64-48fc-86f4-b0aca1ba2549": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "log.syslog.severity.name", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "Overview of Events collected via Forescout", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "forescout.event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "forescout.event" + } + } + } + ], + "query": { + "language": 
"kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c63acc1b-0611-4965-a07c-dc6a0aea900f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c63acc1b-0611-4965-a07c-dc6a0aea900f": { + "columnOrder": [ + "14240850-98d7-4cea-8153-4b548201e52a", + "def70c50-8053-4df3-ab0e-0f55a4d62535" + ], + "columns": { + "14240850-98d7-4cea-8153-4b548201e52a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "def70c50-8053-4df3-ab0e-0f55a4d62535", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "log.syslog.severity.name" + }, + "def70c50-8053-4df3-ab0e-0f55a4d62535": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + 
"language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c63acc1b-0611-4965-a07c-dc6a0aea900f", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "def70c50-8053-4df3-ab0e-0f55a4d62535" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "14240850-98d7-4cea-8153-4b548201e52a" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "4926fc8a-e408-4fd8-ac42-cda804ce8abb", + "w": 24, + "x": 24, + "y": 21 + }, + "panelIndex": "4926fc8a-e408-4fd8-ac42-cda804ce8abb", + "title": "Events by Severity", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c63acc1b-0611-4965-a07c-dc6a0aea900f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c63acc1b-0611-4965-a07c-dc6a0aea900f": { + "columnOrder": [ + "14240850-98d7-4cea-8153-4b548201e52a", + "def70c50-8053-4df3-ab0e-0f55a4d62535" + ], + "columns": { + "14240850-98d7-4cea-8153-4b548201e52a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Facility Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "def70c50-8053-4df3-ab0e-0f55a4d62535", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "log.syslog.facility.name" + }, + "def70c50-8053-4df3-ab0e-0f55a4d62535": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "c63acc1b-0611-4965-a07c-dc6a0aea900f", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "def70c50-8053-4df3-ab0e-0f55a4d62535" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "14240850-98d7-4cea-8153-4b548201e52a" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "1e522be8-5780-4e76-97e2-4c7d26de3db4", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "1e522be8-5780-4e76-97e2-4c7d26de3db4", + "title": "Events by Facility", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-364e0793-a9b3-4681-b8b6-91e6f78cc8ba", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "364e0793-a9b3-4681-b8b6-91e6f78cc8ba": { + "columnOrder": [ + "0bc48c0b-c48c-491d-a5cd-788c91fe1dce", + "c52bbb91-b813-40c8-a1d6-245ac898d272" + ], + "columns": { + "0bc48c0b-c48c-491d-a5cd-788c91fe1dce": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Appname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c52bbb91-b813-40c8-a1d6-245ac898d272", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "log.syslog.appname" + }, + "c52bbb91-b813-40c8-a1d6-245ac898d272": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + 
], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "0bc48c0b-c48c-491d-a5cd-788c91fe1dce", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "c52bbb91-b813-40c8-a1d6-245ac898d272", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "364e0793-a9b3-4681-b8b6-91e6f78cc8ba", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "8ce05b3e-edf6-4caa-ad8d-308d1cde71c2", + "w": 24, + "x": 24, + "y": 36 + }, + "panelIndex": "8ce05b3e-edf6-4caa-ad8d-308d1cde71c2", + "title": "Top Application", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-364e0793-a9b3-4681-b8b6-91e6f78cc8ba", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "364e0793-a9b3-4681-b8b6-91e6f78cc8ba": { + "columnOrder": [ + "0bc48c0b-c48c-491d-a5cd-788c91fe1dce", + "c52bbb91-b813-40c8-a1d6-245ac898d272" + ], + "columns": { + "0bc48c0b-c48c-491d-a5cd-788c91fe1dce": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c52bbb91-b813-40c8-a1d6-245ac898d272", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": 
"ordinal", + "sourceField": "log.syslog.hostname" + }, + "c52bbb91-b813-40c8-a1d6-245ac898d272": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "0bc48c0b-c48c-491d-a5cd-788c91fe1dce", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "c52bbb91-b813-40c8-a1d6-245ac898d272", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "364e0793-a9b3-4681-b8b6-91e6f78cc8ba", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "bd868103-d9ed-4145-bf78-79d36ba6d558", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "bd868103-d9ed-4145-bf78-79d36ba6d558", + "title": "Top Hosts", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3ad776cf-edd7-4f6c-b25e-b08305f2b082", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": 
{ + "3ad776cf-edd7-4f6c-b25e-b08305f2b082": { + "columnOrder": [ + "f4c990c3-3a96-45fa-af5c-504d7c5c5205", + "fcf1e330-5298-4985-9f6d-b84f15ff97f1", + "41efa82f-5025-43f4-8d90-21fb5c015c31" + ], + "columns": { + "41efa82f-5025-43f4-8d90-21fb5c015c31": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Events", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f4c990c3-3a96-45fa-af5c-504d7c5c5205": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Priority", + "operationType": "range", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + }, + "includeEmptyRows": false, + "maxBars": 499.5, + "ranges": [ + { + "from": 0, + "label": "", + "to": 1000 + } + ], + "type": "histogram" + }, + "scale": "interval", + "sourceField": "log.syslog.priority" + }, + "fcf1e330-5298-4985-9f6d-b84f15ff97f1": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "41efa82f-5025-43f4-8d90-21fb5c015c31" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + 
"specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "3ad776cf-edd7-4f6c-b25e-b08305f2b082", + "layerType": "data", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "splitAccessor": "f4c990c3-3a96-45fa-af5c-504d7c5c5205", + "xAccessor": "fcf1e330-5298-4985-9f6d-b84f15ff97f1" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 17, + "i": "c98cbfe4-20f0-409b-8d71-7e3f4c2cb67b", + "w": 39, + "x": 9, + "y": 4 + }, + "panelIndex": "c98cbfe4-20f0-409b-8d71-7e3f4c2cb67b", + "title": "Events over Time by Priority", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "This dashboard provides a centralized view of Forescout syslog events, helping security teams monitor and analyze event activity effectively. 
It highlights event trends over time by priority, distributions by severity and facility, and showcases top applications and hosts generating events, while event message details table show event messages in realtime.\n\n**[Integration Page](/app/integrations/detail/forescout/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 17, + "i": "c15fa098-02cf-4129-8f84-dc51ee099c4c", + "w": 9, + "x": 0, + "y": 4 + }, + "panelIndex": "c15fa098-02cf-4129-8f84-dc51ee099c4c", + "title": "Overview", + "type": "visualization" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 19, + "i": "5a87aa4c-cd32-45c7-abe3-e79915dad4ec", + "w": 48, + "x": 0, + "y": 51 + }, + "panelIndex": "5a87aa4c-cd32-45c7-abe3-e79915dad4ec", + "panelRefName": "panel_5a87aa4c-cd32-45c7-abe3-e79915dad4ec", + "title": "[Logs Forescout] Event Message Essential Details", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "horizontal", + "links": [ + { + "destinationRefName": "link_1ae70623-bd27-4fad-a401-f35bf6c9936f_dashboard", + "id": "1ae70623-bd27-4fad-a401-f35bf6c9936f", + "label": "Event", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_75cfcef9-39f6-4ac9-9cf4-f73e0106cec1_dashboard", + "id": "75cfcef9-39f6-4ac9-9cf4-f73e0106cec1", + "label": "Host", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 1, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "3e2fe402-efbf-4f58-b4a8-68a157843ae8", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "3e2fe402-efbf-4f58-b4a8-68a157843ae8", + "type": "links" + } + ], + "timeRestore": false, + "title": "[Logs 
Forescout] Event", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-04-02T14:24:55.462Z", + "id": "forescout-52ac29ab-2ce2-4d68-937d-cac1cb92ab47", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "forescout-09d5d60b-1995-4851-b518-9337a4761cae", + "name": "5a87aa4c-cd32-45c7-abe3-e79915dad4ec:panel_5a87aa4c-cd32-45c7-abe3-e79915dad4ec", + "type": "search" + }, + { + "id": "logs-*", + "name": "4926fc8a-e408-4fd8-ac42-cda804ce8abb:indexpattern-datasource-layer-c63acc1b-0611-4965-a07c-dc6a0aea900f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1e522be8-5780-4e76-97e2-4c7d26de3db4:indexpattern-datasource-layer-c63acc1b-0611-4965-a07c-dc6a0aea900f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8ce05b3e-edf6-4caa-ad8d-308d1cde71c2:indexpattern-datasource-layer-364e0793-a9b3-4681-b8b6-91e6f78cc8ba", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bd868103-d9ed-4145-bf78-79d36ba6d558:indexpattern-datasource-layer-364e0793-a9b3-4681-b8b6-91e6f78cc8ba", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c98cbfe4-20f0-409b-8d71-7e3f4c2cb67b:indexpattern-datasource-layer-3ad776cf-edd7-4f6c-b25e-b08305f2b082", + "type": "index-pattern" + }, + { + "id": "forescout-52ac29ab-2ce2-4d68-937d-cac1cb92ab47", + "name": "3e2fe402-efbf-4f58-b4a8-68a157843ae8:link_1ae70623-bd27-4fad-a401-f35bf6c9936f_dashboard", + "type": "dashboard" + }, + { + "id": "forescout-4b5d6ae2-9ce2-4e57-b922-3fe79be2e0a0", + "name": "3e2fe402-efbf-4f58-b4a8-68a157843ae8:link_75cfcef9-39f6-4ac9-9cf4-f73e0106cec1_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "controlGroup_ff3ef866-7c64-48fc-86f4-b0aca1ba2549:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_1bb06693-0d6d-4ce8-be3f-cd0a1cbd4237:optionsListDataView", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "controlGroup_e8bdde14-7fb2-43a3-843e-2f2a37fb8163:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/forescout/kibana/search/forescout-09d5d60b-1995-4851-b518-9337a4761cae.json b/packages/forescout/kibana/search/forescout-09d5d60b-1995-4851-b518-9337a4761cae.json new file mode 100644 index 00000000000..a1b63972292 --- /dev/null +++ b/packages/forescout/kibana/search/forescout-09d5d60b-1995-4851-b518-9337a4761cae.json @@ -0,0 +1,41 @@ +{ + "attributes": { + "columns": [ + "message" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "[Logs Forescout] Events Essential Details " + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-04-02T14:09:38.742Z", + "id": "forescout-09d5d60b-1995-4851-b518-9337a4761cae", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file diff --git a/packages/forescout/manifest.yml b/packages/forescout/manifest.yml new file mode 100644 index 00000000000..d405898b3bc --- /dev/null +++ b/packages/forescout/manifest.yml 
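Review bot: The `"updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"` key near the end of this dashboard is an export artifact that ties the saved object to a user profile in the cluster it was exported from, and the Host dashboard in the same commit carries no such key, so it should be dropped for consistency and to avoid shipping an environment-specific identifier. In the same object, the XY visualization state still carries the editor default `"title": "Empty XY chart"` (in the "Events over Time by Priority" panel); it is harmless but reads as unfinished, and an empty string would match the other panels. The overview markdown also has a grammar slip, `while event message details table show event messages in realtime`, which could read `while the event message details table shows event messages in real time`.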
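Review bot: The saved search title `"[Logs Forescout] Events Essential Details "` ends with a trailing space and does not match the title the Event dashboard gives the panel that embeds it (`"[Logs Forescout] Event Message Essential Details"`), so the object will show up under two slightly different names in Kibana. Use one name without trailing whitespace, e.g. `"title": "[Logs Forescout] Event Message Essential Details"`, in both places.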
@@ -0,0 +1,41 @@
+format_version: 3.3.2
+name: forescout
+title: Forescout
+version: 0.1.0
+description: Collect logs from Forescout with Elastic Agent and EyeExtend Connect.
+type: integration
+categories:
+  - security
+conditions:
+  kibana:
+    version: '^8.18.0 || ^9.0.0'
+  elastic:
+    subscription: 'basic'
+screenshots:
+  - src: /img/forescout-event.png
+    title: Event Dashboard
+    size: 600x600
+    type: image/png
+  - src: /img/forescout-host.png
+    title: Host Dashboard
+    size: 600x600
+    type: image/png
+icons:
+  - src: /img/forescout-logo.svg
+    title: Forescout logo
+    size: 32x32
+    type: image/svg+xml
+policy_templates:
+  - name: forescout
+    title: Forescout Logs
+    description: Collect Forescout logs.
+    inputs:
+      - type: tcp
+        title: Collect logs from Forescout via TCP
+        description: Collecting logs from Forescout via TCP.
+      - type: udp
+        title: Collect logs from Forescout via UDP
+        description: Collecting logs from Forescout via UDP.
+owner:
+  github: elastic/integration-experience
+  type: elastic
diff --git a/packages/forescout/validation.yml b/packages/forescout/validation.yml
new file mode 100644
index 00000000000..9b4a66cc525
--- /dev/null
+++ b/packages/forescout/validation.yml
@@ -0,0 +1,4 @@
+errors:
+  exclude_checks:
+    - SVR00004 # References in dashboards.
+    - SVR00002 # Mandatory filters in dashboards.
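Review bot: The two input descriptions under `policy_templates` merely restate their titles (`Collecting logs from Forescout via TCP.` / `... via UDP.`) and tell the operator nothing about what the listener accepts; since both inputs open a network port that takes unauthenticated syslog from whatever reaches it, the description is the place to say so. Something like `description: Listens for syslog messages sent by Forescout EyeExtend Connect over TCP; restrict the listening address and, where the data stream exposes the input's TLS settings, enable them.` for TCP, and the UDP one noting that UDP offers no transport integrity, would give the operator the context the manifest currently lacks. The README built from `_dev/build/docs` is outside this chunk, so I cannot tell whether it covers this instead.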
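Review bot: Excluding `SVR00002` (mandatory filters in dashboards) hides a real asymmetry between the two dashboards in this commit: every Lens panel of the Event dashboard carries `"filters": []` and relies solely on the dashboard-level `data_stream.dataset: forescout.event` filter, whereas the Host dashboard panels each carry their own `data_stream.dataset: forescout.host` filter. A panel copied or opened on its own from the Event dashboard would then query all of `logs-*`, which is exactly what the check exists to catch, so the better fix is to add the per-panel filters on the Event dashboard and drop `- SVR00002 # Mandatory filters in dashboards.` from the exclusion list. If the exclusion must stay, the comment should say why the check cannot be satisfied rather than just naming it.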