Forescout eyeInspect
Forescout eyeInspect is an OT (operational technology) security tool. You can bring asset and security data from Forescout eyeInspect into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Forescout eyeInspect and how to obtain that information from Forescout eyeInspect. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Forescout eyeInspect from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Forescout eyeInspect with Brinqa:
-
Server URL: The Forescout eyeInspect server URL. The default URL format is
https://<server>. -
Username and Password: The username and password associated with the Forescout eyeInspect account, which must have permissions to log in to the API server and return data.
noteThe Forescout eyeInspect user account must have at least the Viewer role assigned to retrieve data from Forescout eyeInspect. This role provides read-only access to assets, alerts, and vulnerabilities. For additional information on configuring user roles and permissions, see the Forescout eyeInspect User Management documentation.
(Optional) Create a Forescout API-only user
In addition to using credentials tied to an existing user account with the Viewer role, you can also create a dedicated API-only user in Forescout eyeInspect. This account is specifically intended for API access and retrieving data. For additional information, see the Forescout eyeInspect documentation.
Additional settings
The Forescout eyeInspect connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 4.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Forescout eyeInspect API before giving up and reporting a failure. The default setting is 5.
-
Skip certificate verification: Select this option to allow for untrusted certificates.
Types of data to retrieve
The Forescout eyeInspect connector can retrieve the following types of data from the Forescout eyeInspect API:
Table 1: Data retrieved from Forescout eyeInspect
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Alert | Yes | Alert |
| Alert Definition | Yes | Alert Definition |
| Asset | Yes | Host |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
The Forescout eyeInspect connector does not support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Forescout eyeInspect in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Alert
Table 2: Alert attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| alert.alert_id | uid |
| alert.alert_id | type |
| alert.case_name | caseName |
| alert.direction_certain | directionCertain |
| alert.dst_ip | dstIp |
| alert.dst_mac | dstMac |
| alert.dst_port | dstPort |
| alert.engine | engine |
| alert.event_type_names | eventTypes |
| alert.fea_alert_count | feaAlertCount |
| alert.fea_duration_sec | feaDurationSec |
| alert.fea_start | feaStart |
| alert.fea_state | feaState |
| alert.hotstart | hotStart |
| alert.l2_proto | l2Protocol |
| alert.l3_proto | l3Protocol |
| alert.l4_proto | l4Protocol |
| alert.l7_proto | l7Protocol |
| alert.labels | labels |
| alert.normalized | normalized |
| alert.notes | notes |
| alert.profile_module_name | profileModule |
| alert.sensor_name | sensor |
| alert.src_ip | srcIp |
| alert.src_mac | srcMac |
| alert.src_port | srcPort |
| alert.status | providerStatus |
| Generated (normalized from providerStatus) | sourceStatus |
| Generated (normalized from providerStatus) | status |
| Generated (category from status) | statusCategory |
| alert.timestamp | timestamp |
| alert.vlan | vlan |
| Generated (sync capture timestamp) | lastCaptured |
Alert Definition
Table 3: Alert Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| alert.alert_id | uid |
| alert.alert_id | name |
| alert.description | description |
| alert.severity | sourceSeverity |
| Generated (computed from severity) | severityScore |
| Generated (normalized from alert.severity) | severity |
| Generated (sync capture timestamp) | lastCaptured |
Asset
Table 4: Asset attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| Generated (default: "active") | status |
| asset.broadcast_ip | isBroadcastIp |
| asset.client_protos | clientProtocols |
| asset.criticality | criticality |
| asset.description | description |
| asset.firmware_version | firmwareVersion |
| asset.first_seen | firstSeen |
| asset.id | uid |
| asset.ip | ipAddresses |
| asset.labels | labels |
| asset.last_seen | lastSeen |
| asset.learnt_host | isLearntHost |
| asset.mac_addresses | macAddresses |
| asset.mac_vendors | macVendors |
| asset.main_name | name |
| asset.main_name | hostnames |
| asset.main_role | role |
| asset.main_vendor_model | model |
| asset.multicast_ip | isMulticastIp |
| asset.open_ports[].port | openPorts |
| asset.operational_risk | operationalRisk |
| asset.os_version | os |
| asset.project | project |
| asset.public_ip | isPublicIp |
| asset.purdue_level | purdueLevel |
| asset.security_risk | securityRisk |
| asset.serial_number | serialNumber |
| asset.server_protos | serverProtocols |
| asset.vlan | vlan |
| Generated (sync capture timestamp) | lastCaptured |
Vulnerability
Table 5: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| Generated (default: "active") | providerStatus |
| Generated (normalized from providerStatus) | sourceStatus |
| Generated (normalized from providerStatus) | status |
| Generated (category from status) | statusCategory |
| asset.id | targets |
| asset.id + "_" + cve.id | uid |
| cve.id | type |
| cve.matching_confidence | matchingConfidence |
| cve.suppressed | suppressed |
| Generated (sync capture timestamp) | lastCaptured |
Vulnerability Definition
Table 6: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| cve.cvss_access_complexity | cvssV2Ac |
| cve.cvss_access_vector | cvssV2Av |
| cve.cvss_attack_complexity | cvssV3Ac |
| cve.cvss_attack_vector | cvssV3Av |
| cve.cvss_authentication | cvssV2Au |
| cve.cvss_availability_impact | cvssV2Ai |
| cve.cvss_availability_impact | cvssV3Ai |
| cve.cvss_confidentiality_impact | cvssV2Ci |
| cve.cvss_confidentiality_impact | cvssV3Ci |
| cve.cvss_exploit_code_maturity | cvssV3E |
| cve.cvss_exploitability | cvssV2E |
| cve.cvss_integrity_impact | cvssV2Ii |
| cve.cvss_integrity_impact | cvssV3Ii |
| cve.cvss_privileges_required | cvssV3Pr |
| cve.cvss_remediation_level | cvssV2Rl |
| cve.cvss_remediation_level | cvssV3Rl |
| cve.cvss_reporting_confidence | cvssV2Rc |
| cve.cvss_reporting_confidence | cvssV3Rc |
| cve.cvss_scope | cvssV3Scope |
| cve.cvss_score | cvssV2BaseScore |
| cve.cvss_score | cvssV3BaseScore |
| cve.cvss_temporal_score | cvssV2TemporalScore |
| cve.cvss_temporal_score | cvssV3TemporalScore |
| cve.cvss_user_interaction | cvssV3Ui |
| cve.cvss_version | cvssVersion |
| cve.cve_id | cveIds |
| cve.cve_id | cveRecords |
| cve.icsa_id | icsaId |
| cve.id | uid |
| cve.last_modified_date | sourceLastModified |
| cve.published_date | publishedDate |
| cve.references[].label | references |
| cve.solution | recommendation |
| cve.summary | description |
| cve.title | name |
| cve.vendor | vendor |
| cve.vendor_specific_id | vendorSpecificId |
| Generated (sync capture timestamp) | lastCaptured |
APIs
The Forescout eyeInspect connector uses the eyeInspect API v1. Specifically, it uses the following endpoints:
Table 7: Forescout eyeInspect API Endpoints
| Connector Object | API Endpoints |
|---|---|
| Alert | GET /api/v1/alerts |
| Alert Definition | GET /api/v1/alerts |
| Asset | GET /api/v1/hosts |
| Vulnerability | GET /api/v1/hosts |
| Vulnerability Definition | GET /api/v1/hosts, GET /api/v1/cve_info/<id> |
Vulnerability Definitions are derived from each host's CVE records, with individual CVE details fetched from the /api/v1/cve_info/<id> endpoint.
Changelog
The Forescout eyeInspect connector has undergone the following changes:
Table 8: Forescout eyeInspect connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.0.2 | Changed the Criticality attribute data type from String to Integer on the Asset model. Added support for the Last Captured field across all models. Updated connector to align with model SDK changes. Migration required: purge and re-sync the Asset (Host) model. | May 12th, 2026 |
| 3.0.1 | Added support for CVSS v3 vulnerability scoring with automatic detection of the CVSS version reported by eyeInspect. Removed unsupported CVSS v2 attributes that were not populated by the API. No migration required. | May 12th, 2026 |
| 3.0.0 | Initial Integration+ release. | May 7th, 2025 |