Forescout eyeExtend

This document lists the configuration steps needed for a Forescout eyeExtend integration with Clear NDR®.

From the Stamus Networks drop-down menu (under Administration), go to Integrations:

In the left menu, click Configure provider:

Fill the Forescout eyeExtend Connect form:

  • Auth URL should be (example): https://10.136.0.150/connect/v1/authentication/token

  • Credentials: snuser/snpasswd if you use the previous URL for testing

  • Verify HTTPS certificate should be unchecked

Click Submit to save the changes.

After submission, use the Test button to verify that the entered details are correct.

Return to the Integrations page. Navigate to the Webhook tab and click Add Item. Select the provider Forescout.

The JSON template will be auto-filled. Set the URL to (example): https://10.136.0.150/connect/v1/hosts

Uncheck the Verify HTTPS certificate box:

Click Submit to save the changes. The Test Syntax button can be used for an additional validation check.

Update and push the ruleset:

To confirm or test functionality, SSH into the probe and replay a PCAP file, preferably a malicious or test PCAP.

Trigger the webhook to view the results in the Java app:

Use the following details to log in:

Login Method: Keep it as Password
Username: admin
Password: snpasswd!
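
With Verify HTTPS certificate unchecked in both forms above, the connection to the Forescout appliance is encrypted but the appliance is not authenticated. The following Python script is an added example (not part of the Stamus Networks or Forescout documentation) that compares the SHA-256 fingerprint of the certificate served at the example URLs with a fingerprint recorded out of band; the function names and the pinning approach are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Example URLs taken from the steps above.
URLS = [
    "https://10.136.0.150/connect/v1/authentication/token",
    "https://10.136.0.150/connect/v1/hosts",
]

def endpoint(url):
    """Return (host, port) for an https:// URL; the port defaults to 443."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return parts.hostname, parts.port or 443

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def matches_pin(der, pinned):
    """Compare against a pin given as 'AA:BB:...' or 'aabb...'."""
    wanted = pinned.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(der), wanted)

def fetch_cert(url, timeout=5.0):
    """Fetch the served certificate without validating it, as the
    unchecked 'Verify HTTPS certificate' box does."""
    host, port = endpoint(url)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check(urls, pinned):
    """Map each URL to True when its certificate matches the pin."""
    return {u: matches_pin(fetch_cert(u), pinned) for u in urls}

if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python check_pin.py <sha256-fingerprint-recorded-out-of-band>
    results = check(URLS, sys.argv[1])
    for url, ok in results.items():
        print("MATCH   " if ok else "MISMATCH", url)
    sys.exit(0 if all(results.values()) else 1)
```

Record the fingerprint from the appliance itself (console or management UI) rather than from the first network connection, and rerun the check whenever the appliance certificate is replaced.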