Configuring ForeScout CounterACT Policies
ForeScout CounterACT policies test conditions to trigger management and remediation actions on the appliance.
The plug-in provides an extra action for policies to forward the event to the JSA by using syslog. To forward events to JSA, you must define a CounterACT policy that includes the JSA update action.
The policy condition must be met at least one time to initiate an event send to JSA. You must configure each policy to send updates to JSA for events you want to record.
- Select a policy for ForeScout CounterACT.
- From the Actions tree, select Audit >Send Updates to JSA Server.
- From the Contents tab, configure the following
Select the Send host property results check box.
- Choose one of the type of events to forward for the policy:
Send All— Select this option to include all properties that are discovered for the policy to JSA.
Send Specific— Select this option to select and send only specific properties for the policy to JSA.
- Select the Send policy status check box.
- From the Trigger tab, select the interval ForeScout
CounterACT uses for forwarding the event to JSA:
Send when the action starts— Select this check box to send a single event to JSA when the conditions of your policy are met.
Send when information is updated— Select this check box to send a report when there is a change in the host properties that are specified in the Contents tab.
Send periodically every— Select this check box to send a reoccurring event to JSA on an interval if the policy conditions are met.
- Click OK to save the policy changes.
- Repeat this process to configure any additional policies
with an action to send updates to JSA.
The configuration is complete. Events that are forwarded by ForeScout CounterACT are displayed on the Log Activity tab of JSA.