Overview

"ForescoutHostPropertyMonitor" is a project that helps to check and report IP addresses of the hosts that are involved in various categories of malicious attacks. It does the checks by analyzing host properties uploaded by Forescout platform. This project analyzes number of times certain events are generated by a host to determine the classificaction and severity of activity done by the host. It forwards that severity and host information back to Forescout platform through description field or Tags of Sentinel Incident so that Coninuum platform can act upon the host.

Playbook Templates

This package includes:

• DNS Sniff Event Playbook This topic describes a sample Logic App/Playbook, "DNS Sniff Event Playbook". Analytic Rule (DNS Sniff Event Monitor) checks host properties and generates incidents containing number of times the events happened for any endpoint within the time interval. Based on this information, the Logic App/Playbook will set the Description field or Tags of the incident with the following information:

The field info is optional.

Note that the eyeExtend for Microsoft Sentinel module polls the incidents information periodically and examines the Description field and Tags of each incident. Based on the information set in the Description field and the Tags, the Forescout Platform applies the requested action set by Microsoft Sentinel playbook to the endpoints. The following is a sample description field of an incident set by the playbook: action_group="restrict";endpoint_ip=["10.16.141.130"];em_ip=["10.16.147.96"];info=block network access If Tags are used, please use corresponding tag names: action_group, endpoint_ip, em_ip, info

Following table lists valid info values for each action group:

Use the Microsoft Apps Designer to view or edit the playbook as needed to fulfil security requirements. The code is prepared by using the visual editor, which can be easily viewed and modified.

You can choose to deploy the playbook: