ForeScout Policy Conditions/Properties Flashcards
Working with Properties
Conditions include one or more properties. A property is an attribute detected on the endpoint. The following categories of properties are available by default with Forescout 8.1:
1. Authentication Properties
2. Classification Properties
3. Advanced Classification Properties
4. Device Information Properties
5. Event Properties
6. External Devices Properties
7. Guest Registration Properties
8. Linux Properties
9. Macintosh Properties
10. Remote Inspection Properties
11. SNMP Properties
12. Switch Properties
13. Track Changes Properties
14. User Directory Properties
15. Windows Properties
16. Windows Application Properties
17. Windows Security Properties
How Forescout 8.1 Queries Property Values
CounterACT Appliances must regularly query endpoints to keep property values up to date. This can generate significant network traffic. The following methods are provided to minimize traffic:
1. In general, endpoints are polled for property values only when a policy that includes the property is evaluated. Defining the time interval at which policies are evaluated and rechecked influences the frequency at which endpoints are queried.
2. When SecureConnector is used on endpoints, event-driven monitoring can be enabled. SecureConnector proactively sends updates to the HPS Inspection Engine only when it detects a change in an endpoint property. This eliminates blind polling by Forescout 8.1 and significantly reduces redundant network traffic.
Define Properties
You can define the properties to be detected on an endpoint as part of a condition definition. To define properties:
- Select Add from the Condition section of the Sub-Rules dialog box
- Select a property type in the Select Property section and define the property value. When defining properties, indicate if the endpoint meets the criteria defined or does not meet the criteria. The properties are detailed below.
- Select OK. The Conditions dialog box reopens.
Authentication Properties
- Authenticated by Certificate
- Authentication Certificate Expiration
- Authentication Certificate Issuer
- Authentication Certificate Root CA Subject
- Authentication Certificate Serial Number
- Authentication Certificate Status
- Authentication Certificate Subject
- Authentication Certificate Subject Alternate Name
- Authentication Login
- Authentication Login (Advanced)
- HTTP Confirmation Events
- HTTP Login Failure
- HTTP Login User
- Signed In Status
Classification Properties
- Function
- Network Function
- Operating System
- Vendor and Model
Advanced Classification Properties
- Service Banner
- Network Function Resolution Method
- HTTP User Agent
- Function Classified By
- Operating System Classified By
- Function Classification Update
- Operating System Classification Update
- Vendor and Model Classification Update
- Suggested Function
- Suggested Operating System
- OS Fingerprint
- Compare OS Fingerprint to (Classification Version 2)
- Compare OS Fingerprint to (Classification Version 3)
- Compare Network Function To (Classification Version 2)
- Compare Network Function To (Classification Version 3)
Device Information Properties
- Access IP
- Assigned Label
- Comment
- Compliance Status
- Corporate / Guest Status
- Counter
- Forescout Script Result
- Device Interfaces
- Device is DHCP Relay
- Device is DHCP Server
- Device is NAT
- DHCP Server Address
- DNS Name
- Host is online
- IPv4 Address
- IPv6 Address
- Last Known IPv4 Address
- MAC Address
- Member of Group
- NetBIOS Domain
- NetBIOS Hostname
- Network Adapters
- NIC Vendor
- NIC Vendor Value
- Number of IPv4 Addresses
- Number of IPv6 Addresses
- Open Ports
- OS CPE Format
- Segment Name
- Segment Path
- SMB Relay
- snmpwalk Command Output
- SSH Command Output
- SSH Command Output (interactive)
- Traffic seen
- URL Content
- User
Event Properties
- ARP Spoofing
- Admission
- Malicious Event
- Miscellaneous Events
- Sessions as Client / Sessions as Server
- Traps Received
External Devices Properties
- External Devices
- Bus Type
Guest Registration Properties
- Guest Account Approve Date
- Guest Approved By
- Guest Registration Status
- Guest Tags
- Guest Registration Information
Linux Properties
- Linux Expected Script Result
- Linux File Date
- Linux File Exists
- Linux File Size
- Linux Manageable (SSH Direct Access)
- Linux Manageable (SecureConnector)
- Linux Processes Running
- Linux User
- Linux Version
Macintosh Properties
- Macintosh Applications Installed
- Macintosh Expected Script Result
- Macintosh File Date
- Macintosh File Exists
- Macintosh File Size
- Macintosh Hostname
- Macintosh Manageable (SSH Direct Access)
- Macintosh Manageable (SecureConnector)
- Macintosh Processes Running
- Macintosh SecureConnector Version
- Macintosh Software Updates Missing
- Macintosh User
- Macintosh Version
Remote Inspection Properties
- MS-RRP Reachable
- MS-SMB Reachable
- MS-WMI Reachable
NOTE: These properties do not have an Irresolvable state. When the plugin or module cannot establish a connection with the service, the property value is False. Do not use the "Evaluate Irresolvable Criteria as" option with these properties. The following corresponding Track Changes policies are listed under the Track Changes folder:
- MS-RRP reachability changed
- MS-SMB reachability changed
- MS-WMI reachability changed
SNMP Properties - Requirements
Use of SNMP properties requires the proper configuration and activation of the HPS Inspection Engine. When entering the following values, use these guidelines:
For SNMP V1, use: -v 1 -c <community>
For SNMP V2, use: -v 2 -c <community>
For SNMP V3, use: -v 3 -u <user> -A <password>
Use the SNMP Parameters field to enter optional SNMP connection parameters. The following parameters are supported:
- -p <port>: Specify the port used for SNMP messaging on the server.
- -r <retries>: Specify the number of times to retry the request.
- -t <seconds>: Specify the timeout period before retrying the request.
- -E <engine_id>: Specify the Context Engine ID for REQUEST messages (SNMP v3 only).
- -n <cont_name>: Specify the Context Name (SNMP v3 only).
SNMP Properties
- SNMP-MIB-II ifNumber
- SNMP-MIB-II sysDescription
- SNMP-MIB-II sysLocation
- SNMP-MIB-II sysName
- SNMP-MIB-II sysUpTime
- SNMP-OID
Switch Properties - General
- Number of Hosts on Port
- SGT: The Security Group Tag (SGT number range of 1–65,535) assigned to an endpoint.
- Switch Hostname
- Switch IP/FQDN
- Switch IP/FQDN and Port Name
- Switch Location
- Switch OS
- Switch Port ACL
- Switch Port Action
- Switch Port Alias
- Switch Port Configurations
- Switch Port Connect
- Switch Port PoE Connected Device
- Switch Port PoE Power Consumption
- Switch Port Name
- Switch Port VLAN
- Switch Port VLAN Name
- Switch Port Voice Device
- Switch Port Voice VLAN
- Switch Vendor
- Switch Virtual Interface
- Switch VoIP Port
- System Description
Switch Properties - Network Compliance
- Running Config
- Running Config Time
- Interface Table
Track Changes Properties
Items in this category check whether a property value has changed, for example, if a user name changed. Detecting changes in endpoints is a powerful method of identifying possible attacks or noncompliance. All these properties exist under other categories, but here these properties check whether the value has changed. For example, the Windows File Size property in the Windows folder detects the size of a file at a specific location. In the Track Changes folder, Forescout 8.1 detects if the file size at that location changed. Some of the Track Changes properties require the proper configuration and activation of the HPS Inspection Engine.
User Directory Properties
User Account:
- Account is Disabled
- Account is Expired
User Directory configuration:
- Common Name
- Company
- Department
- Display Name
- Distinguished Name
- Employee Number
- Initials
- Last Name
- LDAP User Name
- Member Of
- Mobile Phone
- Password Last Set
- Phone
- Street Address
- Title
- User Given Name
Windows Properties
- NetBIOS Membership Type
- SMB Signing
- Windows Active Users
- Windows Domain Member
- Windows Expected Script Result
- Windows File Date
- Windows File Exists
- Windows File MD5 Signature
- Windows File Size
- Windows File Version Comparison
- Windows Last Login Event
- Windows Logged On
- Windows Manageable Domain: irresolvable endpoints are resolved based on their previous recheck status.
- Windows Manageable Domain (Current): if irresolvable, the status Not Manageable is applied until the next recheck.
- Windows Manageable Local
- Windows Manageable SecureConnector
- Windows Processes Running
- Windows Processes Running and User
- Windows Registry Key Exists
- Windows Registry Value
- Windows Registry Value Exists
- Windows SecureConnector Connection Encryption
- Windows SecureConnector Deployment Type
- Windows SecureConnector Systray Display
- Windows Services Installed
- Windows Services Running
- Windows Shared Folders
- Windows Version
- Windows Version CPE Format
- Windows Version Fine-tuned
Windows Application Properties
(choose from the list of supported third-party applications)
- Windows Applications Installed
- Cloud Storage Installed
- Cloud Storage Running
- Hard Drive Encryption Installed
- Hard Drive Encryption State
- Instant Messaging Installed
- Instant Messaging Running
- Microsoft Applications Installed
- Peer-to-peer Installed
- Peer-to-peer Running
Windows Security Properties
(Windows Applications Plugin)
- Anti-Spyware Installed
- Antivirus Installed
- Antivirus Running
- Antivirus Update Date
- Windows Hotfix Installed
- Intranet WSUS Server
- Microsoft Vulnerabilities
- Microsoft Vulnerabilities Finetuned
- Personal Firewall
- Windows Updates Installed – Reboot Required
- Windows Security Center Antivirus Status
- Windows Update Agent Installed
Default (in the box) Properties
- Authentication Properties
- Classification Properties
- Advanced Classification Properties
- Device Information Properties
- Event Properties
- External Devices Properties
- Guest Registration Properties
- Linux Properties
- Macintosh Properties
- Remote Inspection Properties
- SNMP Properties
- Switch Properties
- Track Changes Properties
- User Directory Properties
- Windows Properties
- Windows Application Properties
- Windows Security Properties
When can I use External Device Classification?
- Only for Windows
