ForeScout Policy Conditions/Properties Flashcards

1
Q

Working with Properties

A

Conditions include one or more properties. A property is an attribute detected on the endpoint. The following categories of properties are available by default with Forescout 8.1:

  1. Authentication Properties
  2. Classification Properties
  3. Advanced Classification Properties
  4. Device Information Properties
  5. Event Properties
  6. External Devices Properties
  7. Guest Registration Properties
  8. Linux Properties
  9. Macintosh Properties
  10. Remote Inspection Properties
  11. SNMP Properties
  12. Switch Properties
  13. Track Changes Properties
  14. User Directory Properties
  15. Windows Properties
  16. Windows Application Properties
  17. Windows Security Properties

2
Q

How Forescout 8.1 Queries Property Values

A

CounterACT Appliances must regularly query endpoints to keep property values up to date. This can generate significant network traffic. The following methods are provided to minimize traffic:

  1. In general, endpoints are polled for property values only when a policy that includes the property is evaluated. Defining the time interval at which policies are evaluated and rechecked therefore influences how often endpoints are queried.
  2. When SecureConnector is used on endpoints, event-driven monitoring can be enabled. SecureConnector proactively sends updates to the HPS Inspection Engine only when it detects a change in an endpoint property. This eliminates blind polling by Forescout 8.1 and significantly reduces redundant network traffic.

3
Q

Define Properties

A

You can define the properties to be detected on an endpoint as part of a condition definition. To define properties:

  1. Select Add from the Condition section of the Sub-Rules dialog box
  2. Select a property type in the Select Property section and define the property value. When defining properties, indicate if the endpoint meets the criteria defined or does not meet the criteria. The properties are detailed below.
  3. Select OK. The Conditions dialog box reopens.
4
Q

Authentication Properties

A
  • Authenticated by Certificate
  • Authentication Certificate Expiration
  • Authentication Certificate Issuer
  • Authentication Certificate Root CA Subject
  • Authentication Certificate Serial Number
  • Authentication Certificate Status
  • Authentication Certificate Subject
  • Authentication Certificate Subject Alternate Name
  • Authentication Login
  • Authentication Login (Advanced)
  • HTTP Confirmation Events
  • HTTP Login Failure
  • HTTP Login User
  • Signed In Status
5
Q

Classification Properties

A
  • Function
  • Network Function
  • Operating System
  • Vendor and Model
6
Q

Advanced Classification Properties

A
  • Service Banner
  • Network Function Resolution Method
  • HTTP User Agent
  • Function Classified By
  • Operating System Classified By
  • Function Classification Update
  • Operating System Classification Update
  • Vendor and Model Classification Update
  • Suggested Function
  • Suggested Operating System
  • OS Fingerprint
  • Compare OS Fingerprint to (Classification Version 2)
  • Compare OS Fingerprint to (Classification Version 3)
  • Compare Network Function To (Classification Version 2)
  • Compare Network Function To (Classification Version 3)
7
Q

Device Information Properties

A
  • Access IP
  • Assigned Label
  • Comment
  • Compliance Status
  • Corporate / Guest Status
  • Counter
  • Forescout Script Result
  • Device Interfaces
  • Device is DHCP Relay
  • Device is DHCP Server
  • Device is NAT
  • DHCP Server Address
  • DNS Name
  • Host is online
  • IPv4 Address
  • IPv6 Address
  • Last Known IPv4 Address
  • MAC Address
  • Member of Group
  • NetBIOS Domain
  • NetBIOS Hostname
  • Network Adapters
  • NIC Vendor
  • NIC Vendor Value
  • Number of IPv4 Addresses
  • Number of IPv6 Addresses
  • Open Ports
  • OS CPE Format
  • Segment Name
  • Segment Path
  • SMB Relay
  • snmpwalk Command Output
  • SSH Command Output
  • SSH Command Output (interactive)
  • Traffic seen
  • URL Content
  • User
8
Q

Event Properties

A
  • ARP Spoofing
  • Admission
  • Malicious Event
  • Miscellaneous Events
  • Sessions as Client / Sessions as Server
  • Traps Received
  • External Devices
9
Q

External Devices Properties

A
  • External Devices Properties
  • Bus Type
10
Q

Guest Registration Properties

A
  • Guest Account Approve Date
  • Guest Approved By
  • Guest Registration Status
  • Guest Tags
  • Guest Registration Information
11
Q

Linux Properties

A
  • Linux Expected Script Result
  • Linux File Date
  • Linux File Exists
  • Linux File Size
  • Linux Manageable (SSH Direct Access)
  • Linux Manageable (SecureConnector)
  • Linux Processes Running
  • Linux User
  • Linux Version
12
Q

Macintosh Properties

A
  • Macintosh Applications Installed
  • Macintosh Expected Script Result
  • Macintosh File Date
  • Macintosh File Exists
  • Macintosh File Size
  • Macintosh Hostname
  • Macintosh Manageable (SSH Direct Access)
  • Macintosh Manageable (SecureConnector)
  • Macintosh Processes Running
  • Macintosh SecureConnector Version
  • Macintosh Software Updates Missing
  • Macintosh User
  • Macintosh Version
13
Q

Remote Inspection Properties

A
  • MS-RRP Reachable
  • MS-SMB Reachable
  • MS-WMI Reachable

NOTE: These properties do not have an Irresolvable state. When the plugin or module cannot establish a connection with the service, the property value is False. Do not use the Evaluate Irresolvable Criteria option with these properties. The following corresponding Track Changes policies are listed under the Track Changes folder:

  • MS-RRP reachability changed
  • MS-SMB reachability changed
  • MS-WMI reachability changed

14
Q

SNMP Properties - Requirements

A

Use of SNMP properties requires the proper configuration and activation of the HPS Inspection Engine. When entering the following values, use these guidelines:

  • For SNMP v1, use: -v 1 -c <community>
  • For SNMP v2, use: -v 2 -c <community>
  • For SNMP v3, use: -v 3 -u <user> -A <password>

Use the SNMP Parameters field to enter optional SNMP connection parameters. The following parameters are supported:

  • -p <port>: Specify the port used for SNMP messaging on the server.
  • -r <retries>: Specify the number of times to retry the request.
  • -t <seconds>: Specify the timeout period before retrying the request.
  • -E <engine_id>: Specify the Context Engine ID for REQUEST messages (SNMP v3 only).
  • -n <cont_name>: Specify the Context Name (SNMP v3 only).
15
Q

SNMP Properties

A
  • SNMP-MIB-II ifNumber
  • SNMP-MIB-II sysDescription
  • SNMP-MIB-II sysLocation
  • SNMP-MIB-II sysName
  • SNMP-MIB-II sysUpTime
  • SNMP-OID
16
Q

Switch Properties - General

A
  • Number of Hosts on Port
  • SGT: The Security Group Tag (SGT number range of 1–65,535) assigned to an endpoint.
  • Switch Hostname
  • Switch IP/FQDN
  • Switch IP/FQDN and Port Name
  • Switch Location
  • Switch OS
  • Switch Port ACL
  • Switch Port Action
  • Switch Port Alias
  • Switch Port Configurations
  • Switch Port Connect
  • Switch Port PoE Connected Device
  • Switch Port PoE Power Consumption
  • Switch Port Name
  • Switch Port VLAN
  • Switch Port VLAN Name
  • Switch Port Voice Device
  • Switch Port Voice VLAN
  • Switch Vendor
  • Switch Virtual Interface
  • Switch VoIP Port
  • System Description
17
Q

Switch Properties - Network Compliance

A
  • Running Config
  • Running Config Time
  • Interface Table
18
Q

Track Changes Properties

A

Items in this category check whether a property value has changed, for example, if a user name changed. Detecting changes in endpoints is a powerful method of identifying possible attacks or noncompliance. All these properties exist under other categories, but here these properties check whether the value has changed. For example, the Windows File Size property in the Windows folder detects the size of a file at a specific location. In the Track Changes folder, Forescout 8.1 detects if the file size at that location changed. Some of the Track Changes properties require the proper configuration and activation of the HPS Inspection Engine.

19
Q

User Directory Properties

A

User Account:

  • Account is Disabled
  • Account is Expired

User Directory configuration:

  • Common Name
  • Company
  • Department
  • Display Name
  • Distinguished Name
  • Email
  • Employee Number
  • Initials
  • Last Name
  • LDAP User Name
  • Member Of
  • Mobile Phone
  • Password Last Set
  • Phone
  • Street Address
  • Title
  • User Given Name

20
Q

Windows Properties

A
  • NetBIOS Membership Type
  • SMB Signing
  • Windows Active Users
  • Windows Domain Member
  • Windows Expected Script Result
  • Windows File Date
  • Windows File Exists
  • Windows File MD5 Signature
  • Windows File Size
  • Windows File Version Comparison
  • Windows Last Login Event
  • Windows Logged On
  • Windows Manageable Domain (irresolvable endpoints are resolved based on their previous recheck status)
  • Windows Manageable Domain (Current) (if irresolvable, the status Not Manageable is applied until the next recheck)
  • Windows Manageable Local
  • Windows Manageable SecureConnector
  • Windows Processes Running
  • Windows Processes Running and User
  • Windows Registry Key Exists
  • Windows Registry Value
  • Windows Registry Value Exists
  • Windows SecureConnector Connection Encryption
  • Windows SecureConnector Deployment Type
  • Windows SecureConnector Systray Display
  • Windows Services Installed
  • Windows Services Running
  • Windows Shared Folders
  • Windows Version
  • Windows Version CPE Format
  • Windows Version Fine-tuned
21
Q

Windows Application Properties

(choose from the list of supported third-party applications)

A
  • Windows Applications Installed
  • Cloud Storage Installed
  • Cloud Storage Running
  • Hard Drive Encryption Installed
  • Hard Drive Encryption State
  • Instant Messaging Installed
  • Instant Messaging Running
  • Microsoft Applications installed
  • Peer-to-peer Installed
  • Peer-to-peer Running
22
Q

Windows Security Properties

(Windows Applications Plugin)

A
  • Anti-Spyware Installed
  • Antivirus Installed
  • Antivirus Running
  • Antivirus Update Date
  • Windows Hotfix Installed
  • Intranet WSUS Server
  • Microsoft Vulnerabilities
  • Microsoft Vulnerabilities Finetuned
  • Personal Firewall
  • Windows Updates Installed – Reboot Required
  • Windows Security Center Antivirus Status
  • Windows Update Agent Installed
23
Q

Default (in the box) Properties

A

  • Authentication Properties
  • Classification Properties
  • Advanced Classification Properties
  • Device Information Properties
  • Event Properties
  • External Devices Properties
  • Guest Registration Properties
  • Linux Properties
  • Macintosh Properties
  • Remote Inspection Properties
  • SNMP Properties
  • Switch Properties
  • Track Changes Properties
  • User Directory Properties
  • Windows Properties
  • Windows Application Properties
  • Windows Security Properties

24
Q

When can I use External Device Classification

A

Only for Windows