cef0.forescoutTechnologies.counteract

Introduction

The table cef0.forescoutTechnologies.counteract identifies events in CEF format generated by Forescout CounterACT v8.1.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

cef0.forescoutTechnologies.counteract

How is the data sent to Devo?

Logs generated by Forescout CounterACT v8.1 are sent to the Devo platform via Relay to secure communication and no rule needs to be specified to effectively perform this data transfer.

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following are sample logs sent to cef0.forescoutTechnologies.counteract. Find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.forescoutTechnologies.counteract

CEF:0|ForeScout Technologies|CounterAct|8.1.1|COMPLIANCE|host is compliant|1|cs1Label=Compliancy Policy Name cs2Label=Compliancy Policy Subrule Name cs3Label=Host Compliancy Status cs4Label=Compliancy Event Trigger cs1=2. AntiVirus Check cs2=No Antivirus cs3=yes cs4=New host dst=192.168.1.52 dmac=ca:fe:ca:fe:ca:fe duser= dhost= dntdom= dvc=192.168.2.52 dvchost=fas1f-cvddf-01 rt=1613605321000

And this is how these logs would be parsed:

Field	Value	Type	Extra fields
eventdate	`2021-03-01 00:01:01.000`	`timestamp`
priorityCode	`13`	`str`
cefTag	`CEF`	`str`
cefVersion	`0`	`str`
embDeviceVendor	`ForeScout Technologies`	`str`
embDeviceProduct	`CounterAct`	`str`
deviceVersion	`8.1.1`	`str`
signatureID	`COMPLIANCE`	`str`
name	`host is compliant`	`str`
severity	`1`	`str`
extension	`cs1Label=Compliancy Policy Name cs2Label=Compliancy Policy Subrule Name cs3Label=Host Compliancy Status cs4Label=Compliancy Event Trigger cs1=2. AntiVirus Check cs2=No Antivirus cs3=yes cs4=New host dst=192.168.1.52 dmac=ca:fe:ca:fe:ca:fe duser= dhost= dntdom= dvc=192.168.2.52 dvchost=fas1f-cvddf-01 rt=1613605321000`	`str`
cs1Label	`Compliancy Policy Name`	`str`
cs1	`2. AntiVirus Check`	`str`
cs2Label	`Compliancy Policy Subrule Name`	`str`
cs2	`No Antivirus`	`str`
cs3Label	`Host Compliancy Status`	`str`
cs3	`yes`	`str`
cs4Label	`Compliancy Event Trigger`	`str`
cs4	`New host`	`str`
dhost	`null`	`str`
dmac	`ca:fe:ca:fe:ca:fe`	`src`
dntdom	`null`	`src`
dst	`192.168.1.52`	`ip4`
duser	`null`	`src`
dvchost	`fas1f-cvddf-01`	`src`
dvc	`192.168.2.52`	`ip4`
rt	`2021-02-18 00:42:01.0`	`timestamp`
rawSource	`CEF:0\|ForeScout Technologies\|CounterAct\|8.1.1\|COMPLIANCE\|host is compliant\|1\|cs1Label=Compliancy Policy Name cs2Label=Compliancy Policy Subrule Name cs3Label=Host Compliancy Status cs4Label=Compliancy Event Trigger cs1=2. AntiVirus Check cs2=No Antivirus cs3=yes cs4=New host dst=192.168.1.52 dmac=ca:fe:ca:fe:ca:fe duser= dhost= dntdom= dvc=192.168.2.52 dvchost=fas1f-cvddf-01 rt=1613605321000`	`src`	✓
hostchain	`192.168.2.52=192.168.2.52/host01.domain.com=66.123.141.24`	`src`	✓
tag	CEF	`str`	✓
raw	`2021-03-01 00:01:01.000 192.168.2.52=192.168.2.52/host01.domain.com=66.123.141.24 13 : CEF:0\|ForeScout Technologies\|CounterAct\|8.1.1\|COMPLIANCE\|host is compliant\|1\|cs1Label=Compliancy Policy Name cs2Label=Compliancy Policy Subrule Name cs3Label=Host Compliancy Status cs4Label=Compliancy Event Trigger cs1=2. AntiVirus Check cs2=No Antivirus cs3=yes cs4=New host dst=192.168.1.52 dmac=ca:fe:ca:fe:ca:fe duser= dhost= dntdom= dvc=192.168.2.52 dvchost=fas1f-cvddf-01 rt=1613605321000`	`src`	✓