ForeScout CounterACT policies test conditions to trigger management and remediation
actions on the appliance.
About this task
The plug-in provides an extra action for policies to forward the event to IBM
QRadar by using syslog. To forward events to QRadar, you must define a
CounterACT policy that includes the QRadar update action.
The policy condition must be met at least one time before an event is sent to QRadar. You must configure each
policy to send updates to QRadar for the events that you want to record.
Procedure
- Select a policy for ForeScout CounterACT.
- From the Actions tree, select to QRadar Server.
- From the Contents tab, configure the following values:
  - Select the Send host property results check box.
  - Choose one of the types of events to forward for the policy:
    - Send All - Select this option to send all properties that are
      discovered for the policy to QRadar.
    - Send Specific - Select this option to select and send only specific
      properties for the policy to QRadar.
  - Select the Send policy status check box.
- From the Trigger tab, select the interval ForeScout CounterACT uses for
  forwarding the event to QRadar:
  - Send when the action starts - Select this check box to send a single
    event to QRadar when the conditions of your policy are met.
  - Send when information is updated - Select this check box to send a report
    when there is a change in the host properties that are specified in the
    Contents tab.
  - Send periodically every - Select this check box to send a recurring
    event to QRadar on an interval if the policy conditions are met.
- Click OK to save the policy changes.
- Repeat this process to configure any additional policies with an action to send updates to QRadar.
The configuration is complete. Events that are forwarded by ForeScout CounterACT are displayed on
the Log Activity tab of QRadar.