Configuring ForeScout CounterACT Policies

ForeScout CounterACT policies test conditions to trigger management and remediation actions on the appliance.

About this task

The plug-in provides an extra policy action that forwards events to IBM QRadar by using syslog. To forward events to QRadar, you must define a CounterACT policy that includes the QRadar update action.

The policy condition must be met at least one time before an event is sent to QRadar. You must configure each policy to send updates to QRadar for the events that you want to record.

Procedure

  1. Select a policy for ForeScout CounterACT.
  2. From the Actions tree, select Audit > Send Updates to QRadar Server.
  3. From the Contents tab, configure the following value:

    Select the Send host property results check box.

  4. Choose one of the following types of events to forward for the policy:
    • Send All - Select this option to send all properties that are discovered for the policy to QRadar.
    • Send Specific - Select this option to select and send only specific properties for the policy to QRadar.

  5. Select the Send policy status check box.
  6. From the Trigger tab, select the interval ForeScout CounterACT uses for forwarding the event to QRadar:
    • Send when the action starts - Select this check box to send a single event to QRadar when the conditions of your policy are met.
    • Send when information is updated - Select this check box to send a report when there is a change in the host properties that are specified in the Contents tab.
    • Send periodically every - Select this check box to send a recurring event to QRadar on an interval if the policy conditions are met.
  7. Click OK to save the policy changes.
  8. Repeat this process to configure any additional policies with an action to send updates to QRadar.

    The configuration is complete. Events that are forwarded by ForeScout CounterACT are displayed on the Log Activity tab of QRadar.