Introduction
Tags beginning with nac.forescout identify events generated by Forescout.
Valid tags and data tables
The tag is structured in levels. The first two are fixed as nac.forescout, the third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology | Brand | Type | Subtype
---|---|---|---
nac | forescout | counteract | log
nac | forescout | counteract | policy

These are the valid tags and the corresponding data tables that will receive the parsers' data:
Product/Service | Tags | Data table
---|---|---
Forescout counterACT | nac.forescout.counteract.log | nac.forescout.counteract.log
Forescout counterACT | nac.forescout.counteract.policy | nac.forescout.counteract.policy
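The tag rules above (four levels, the first two fixed as nac.forescout) are easy to get wrong in a forwarder configuration, and an event sent under a malformed tag never reaches the table a detection rule reads from. The following is an added example, not code from Devo or Forescout: a small validator that splits a tag into its levels, checks the fixed prefix, and routes each event to its data table. It assumes that the destination data table carries the same name as the tag (as the listing above shows) and that the forwarder hands over each event as a (tag, rawMessage) pair; the sample events are constructed.

```python
"""Validate and route Forescout tags of the form nac.forescout.<type>.<subtype>.

Added example, not code from Devo or Forescout. Assumptions: each forwarded
event carries its tag as a plain string, and the destination data table has
the same name as the tag.
"""
from dataclasses import dataclass

FIXED_PREFIX = ("nac", "forescout")

# Tags listed on the page. Assumption: data table name == tag.
KNOWN_TAGS = frozenset({
    "nac.forescout.counteract.log",
    "nac.forescout.counteract.policy",
})


@dataclass(frozen=True)
class ForescoutTag:
    technology: str   # level 1, fixed: nac
    brand: str        # level 2, fixed: forescout
    event_type: str   # level 3: type of events sent (e.g. counteract)
    subtype: str      # level 4: event subtype (e.g. log, policy)

    @property
    def data_table(self) -> str:
        return ".".join((self.technology, self.brand, self.event_type, self.subtype))


def parse_tag(tag: str) -> ForescoutTag:
    """Split a tag into its four levels, rejecting anything that does not fit."""
    levels = tag.strip().split(".")
    if len(levels) != 4:
        raise ValueError(f"tag must have four levels, got {len(levels)}: {tag!r}")
    if any(level == "" for level in levels):
        raise ValueError(f"empty level in tag: {tag!r}")
    if tuple(levels[:2]) != FIXED_PREFIX:
        raise ValueError(f"tag must begin with nac.forescout: {tag!r}")
    return ForescoutTag(*levels)


def is_valid_tag(tag: str) -> bool:
    """True when the tag has the required structure and prefix."""
    try:
        parse_tag(tag)
    except ValueError:
        return False
    return True


def route_event(tag: str, raw_message: str) -> dict:
    """Decide which data table an event belongs to.

    Malformed or unrecognised tags are not dropped silently: the event is kept
    with table=None and a status an operator can alert on.
    """
    try:
        parsed = parse_tag(tag)
    except ValueError as err:
        return {"table": None, "tag": tag, "rawMessage": raw_message,
                "status": "invalid_tag", "detail": str(err)}
    table = parsed.data_table
    if table not in KNOWN_TAGS:
        return {"table": None, "tag": tag, "rawMessage": raw_message,
                "status": "unknown_tag", "detail": "subtype not in valid tags list"}
    return {"table": table, "tag": tag, "rawMessage": raw_message,
            "status": "ok", "detail": ""}


def route_batch(events):
    """Route a list of (tag, rawMessage) pairs and summarise the outcome."""
    routed = [route_event(tag, msg) for tag, msg in events]
    summary = {"ok": 0, "unknown_tag": 0, "invalid_tag": 0}
    for row in routed:
        summary[row["status"]] += 1
    return routed, summary


# Constructed sample events (not real Forescout output), one per outcome.
SAMPLE_EVENTS = [
    ("nac.forescout.counteract.policy", "<constructed policy match line>"),
    ("nac.forescout.counteract.log", "<constructed log line>"),
    ("nac.forescout.counteract.audit", "<constructed line with an unlisted subtype>"),
    ("nac.forescout.counteract", "<constructed line with only three levels>"),
    ("nac.cisco.ise.log", "<constructed line from another vendor tag>"),
]

if __name__ == "__main__":
    rows, counts = route_batch(SAMPLE_EVENTS)
    for row in rows:
        print(f"{row['status']:12} {row['tag']:35} -> {row['table']}")
    print(counts)
```

Counting the `invalid_tag` and `unknown_tag` outcomes per source gives a simple health check for the ingestion path: a sudden rise in either means events are being produced but are not landing in nac.forescout.counteract.log or nac.forescout.counteract.policy, where the detection content expects them.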
Table structure
This is the set of fields displayed by these tables:

Field | Type | Extra Label
---|---|---
eventdate | |
machine | |
server_date | timestamp | -
hostname | str | -
category | str | -
log_level | str | -
event_id | str | -
server_instance | str | -
client_ip | ip4 | -
server_ip | ip4 | -
action | str | -
action_id | str | -
result | str | -
reason | str | -
session_id | str | -
user_id | str | -
user_identity_source_id | str | -
user_security_domain_id | str | -
user_login_name | str | -
user_first_name | str | -
user_last_name | str | -
arg_1 | str | -
arg_2 | str | -
arg_3 | str | -
arg_4 | str | -
arg_5 | str | -
arg_6 | str | -
cause | str | -
rawMessage | str |

Field | Type | Source field name | Extra Label
---|---|---|---
eventdate | | |
machine | | vmachine |
eventType | | |
ipAddr | | |
macAddr | | |
hostName | | |
dnsName | | |
user | | |
rawMessage | | |
unknown | | |
hostchain | | | ✓
tag | | | ✓

Field | Type | Source field name | Extra Label
---|---|---|---
eventdate | | |
machine | | vmachine |
eventtype | | |
sourceIp | | |
destinationIp | | |
destinationPort | | |
rawMessage | | |
unknown | | |
hostchain | | | ✓
tag | | | ✓

nac.forescout.counteract.log

Field | Type | Source field name | Extra Label
---|---|---|---
eventdate | | |
machine | | vmachine |
log | | |
details | | |
severity | | |
rawMessage | | |
unknown | | |
hostchain | | | ✓
tag | | | ✓

Field | Type | Extra Label
---|---|---
eventdate | |
machine | |
server_date | timestamp | -
hostname | str | -
category | str | -
event_id | str | -
server_instance | str | -
server_ip | | -
action_id | str | -
session_id | str | -
user_id | str | -
user_identity_source_id | str | -
user_security_domain_id | str | -
user_login_name | str | -
user_first_name | str | -
user_last_name | str | -
agent_id | str | -
agent_security_domain_id | str | -
agent_address | ip4 | -
agent_name | str | -
agent_type | str | -
policy_method_id | str | -
policy_method_name | str | -
policy_id | str | -
policy_expression | str | -
arg1 | str | -
arg2 | str | -
arg3 | str | -
arg4 | str | -
arg5 | str | -
arg6 | str | -
arg7 | str | -
arg8 | str | -
arg9 | str | -
arg10 | str | -
more_args | str |
rawMessage | str |

nac.forescout.counteract.policy

Field | Type | Extra Label
---|---|---
eventdate | |
machine | |
serverdate | |
hostname | |
procName | |
procId | |
sourceIp | |
rule | |
details | |
match | |
category | |
rawMessage | |
hostchain | | ✓
tag | | ✓

Field | Type | Extra Label
---|---|---
eventdate | |
message | |
hostchain | | ✓
tag | | ✓