Description
Forescout provides continuous, agentless device visibility and network access control across connected devices including IT, IoT and OT environments. It discovers and classifies all network connected devices in real time and provides contextual information about device security posture, compliance status, user associations and network behavior patterns.
Forescout exposes device intelligence via its Web API and eyeExtend integration framework. The Elastic <> Forescout integration should consist of:
- Forescout eyeExtend Connect module (pushes data from Forescout to Elastic)
- Elastic integration package (receives data, normalizes to ECS, provides visualizations)
- Elastic response actions (triggers policies in Forescout such as isolating or quarantining potentially compromised endpoints)
Sample data is available on request.
Architecture
This integration package creates an HTTP-based data ingestion pipeline to receive device intelligence data from Forescout systems and normalize it into ECS format.
Scope of this issue
- Elastic integration package (HTTP endpoint input, data transformation and dashboards)
Related/dependent issues
- Forescout eyeExtend Connect module
- Elastic response actions (future)
User stories
As a SOC analyst I want to:
- Correlate Forescout device context with security events from other sources in Elastic Security
- Detect anomalies and threats using Forescout's device intelligence
- View device compliance status, security posture gaps and policy violations in Elastic dashboards
As a network security engineer, I want to:
- Monitor real-time inventory of all connected devices across IT, IoT and OT environments
- Track device classification, authentication, connection patterns and location over time
- Maintain accurate asset inventory including device type, OS, applications, users and peripherals
Acceptance criteria
Ingest & transformation
- Integration package uses the `http_endpoint` input type for receiving Forescout webhook data
- Support for comprehensive device properties:
  - Device classification
  - OS, applications and peripheral information
  - Network connection details and location context
  - Vulnerability scan results and IOCs
  - Policy compliance status
- Ingest pipeline transforms Forescout device properties to ECS format
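As an added example that is not part of this issue or of the Elastic or Forescout code, the following Python sketches the kind of ECS normalization the ingest pipeline would apply to one webhook record: canonicalizing IP and MAC values, routing IOCs into `related.*` for correlation, and keeping vendor-only fields under a `forescout.*` namespace. The sample record is constructed and the Forescout-side field names are assumptions.

```python
import ipaddress

# Constructed sample record, not real Forescout output; the Forescout-side
# field names (hostname, ip, mac, compliance_status, iocs) are assumptions.
SAMPLE_EVENT = {
    "hostname": "plc-floor2-07",
    "ip": "10.20.30.41",
    "mac": "00:11:22:33:44:55",
    "classification": "OT/PLC",
    "compliance_status": "non-compliant",
    "iocs": ["evil.example", "203.0.113.9"],
}

def normalize_ip(value):
    """Return a canonical IP string, or None so junk never lands in an ip field."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None

def normalize_mac(value):
    """ECS recommends uppercase hex with hyphen separators (00-11-22-33-44-55)."""
    digits = "".join(c for c in str(value) if c.isalnum()).upper()
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def to_ecs(raw):
    """Map one Forescout-style device record onto ECS. Vendor fields without an
    ECS equivalent stay under forescout.* instead of being silently dropped."""
    host = {"name": raw.get("hostname")}
    ip, mac = normalize_ip(raw.get("ip", "")), normalize_mac(raw.get("mac", ""))
    if ip:
        host["ip"] = [ip]
    if mac:
        host["mac"] = [mac]
    # IOCs go to related.ip / related.hosts so they correlate with other sources.
    related = {"ip": [], "hosts": []}
    for ioc in raw.get("iocs", []):
        if normalize_ip(ioc):
            related["ip"].append(normalize_ip(ioc))
        else:
            related["hosts"].append(str(ioc).lower())
    return {
        "event": {"kind": "asset", "category": ["host"], "dataset": "forescout.device"},
        "host": host,
        "related": {k: v for k, v in related.items() if v},
        "forescout": {"classification": raw.get("classification"),
                      "compliance_status": raw.get("compliance_status")},
    }
```

Malformed IP or MAC values are dropped rather than indexed, which is what keeps the ECS `ip` and `mac` fields queryable; the same checks belong in the real pipeline's `convert`/`grok` failure handling.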
Visualizations
- OOTB dashboards show:
  - Real-time device inventory across all device types
  - Device compliance status and security posture gaps
  - User types (corporate, guest) and access patterns
  - Network connection details and location mapping
  - Policy trends and violation tracking
Scale & performance
- Support customer requirement of ~2 million endpoints through proper architecture
References: