Configuring the ForeScout CounterACT Plug-in

Before you configure IBM® QRadar®, you must install a plug-in for your ForeScout CounterACT appliance and configure ForeScout CounterACT to forward syslog events to QRadar.

About this task

To integrate QRadar with ForeScout CounterACT, you must download, install, and configure a plug-in for CounterACT. The plug-in extends ForeScout CounterACT and provides the framework for forwarding LEEF events to QRadar.


  1. From the ForeScout website, download the plug-in for ForeScout CounterACT.
  2. Log in to your ForeScout CounterACT appliance.
  3. From the CounterACT Console toolbar, select Options > Plugins > Install. Select the location of the plug-in file.

    The plug-in is installed and displayed in the Plug-ins pane.

  4. From the Plug-ins pane, select the QRadar plug-in and click Configure.

    The Add QRadar wizard is displayed.

  5. In the Server Address field, type the IP address of QRadar.
  6. From the Port list, select 514.
  7. Click Next.
  8. From the Assigned CounterACT devices pane, choose one of the following options:
    • Default Server - Select this option to make all devices on this ForeScout CounterACT forward events to QRadar.
    • Assign CounterACT devices - Select this option to choose which individual devices that are running on ForeScout CounterACT forward events to QRadar. The Assign CounterACT devices option is only available if you have one or more ForeScout CounterACT servers.
  9. Click Finish.

    The plug-in configuration is complete. You are now ready to define the events that are forwarded to QRadar by ForeScout CounterACT policies.
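
After the plug-in is configured, a quick check of lines captured from the syslog feed confirms that the events arrive as well-formed LEEF from the expected source. The following is an added example, not code from IBM or ForeScout. The vendor and product strings, the event names, and the sample lines are constructed assumptions; take the real header values from an event captured in your environment.

```python
import re

LEEF_RE = re.compile(r"LEEF:([12]\.0)\|(.*)", re.DOTALL)

def parse_leef(line):
    """Parse one syslog line; return a dict, or None if no complete LEEF header is present."""
    m = LEEF_RE.search(line.rstrip("\r\n"))
    if not m:
        return None
    version, rest = m.groups()
    # LEEF 1.0 header: Vendor|Product|Version|EventID|  (2.0 adds a Delimiter| field)
    n = 4 if version == "1.0" else 5
    parts = rest.split("|", n)
    if len(parts) != n + 1 or not all(parts[:4]):
        return None
    delim = "\t"  # default LEEF attribute separator
    if version == "2.0" and parts[4]:
        d = parts[4]
        if len(d) > 1:  # hex form such as x5E or 0x5E
            try:
                d = chr(int(d.lower().lstrip("0").lstrip("x"), 16))
            except ValueError:
                return None
        delim = d
    attrs = {}
    for pair in parts[n].split(delim):
        key, sep, value = pair.partition("=")
        if sep and key:
            attrs[key] = value
    return {"leef": version, "vendor": parts[0], "product": parts[1],
            "event_id": parts[3], "attrs": attrs}

def check_feed(lines, vendor="ForeScout", product="CounterACT"):
    """Count lines that are LEEF from the expected source, LEEF from another source, or invalid."""
    counts = {"expected": 0, "other_source": 0, "invalid": 0}
    for line in lines:
        ev = parse_leef(line)
        if ev is None:
            counts["invalid"] += 1
        elif (ev["vendor"], ev["product"]) == (vendor, product):  # assumed header values
            counts["expected"] += 1
        else:
            counts["other_source"] += 1
    return counts

SAMPLE = [  # constructed lines, not real CounterACT output
    "<13>Jan 10 12:00:01 ca01 LEEF:1.0|ForeScout|CounterACT|7.0|PolicyMatch|src=192.0.2.5\tusrName=alice",
    "<13>Jan 10 12:00:02 ca01 LEEF:2.0|ForeScout|CounterACT|7.0|Block|x5E|src=192.0.2.9^sev=5",
    "<13>Jan 10 12:00:03 fw01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|Login|src=192.0.2.7",
    "<13>Jan 10 12:00:04 ca01 LEEF:1.0|ForeScout|CounterACT",   # truncated header
    "<13>Jan 10 12:00:05 host01 sshd[1]: plain syslog, no LEEF payload",
]
```

A non-zero `invalid` count for lines that originate from the CounterACT appliance means the payload is being truncated or is not being sent as LEEF, which is worth resolving before you define the forwarding policies.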