
Forescout eyeInspect
OT Security
Data retrieved from Forescout eyeInspect
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Asset | Yes | Host |
| Alert | Yes | Alert |
| Alert Definition | Yes | Alert Definition |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
Model relationships
For detailed steps on how to view the data retrieved from Forescout eyeInspect in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Forescout eyeInspect from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Server URL | Yes | https://<server> | Forescout server URL |
| Username | Yes | — | Forescout account username |
| Password | Yes | — | Forescout account password |
| Page size | No | 100 | Maximum number of records to get per API request |
| Parallel requests | No | min(4, CPU cores) | Maximum number of parallel API requests |
| Maximum retries | No | 5 | Maximum number of API request retries |
| SSL / TLS | No | false | Whether to skip TLS certificate verification when connecting to the Forescout server |
How to obtain Forescout eyeInspect credentials
This connector uses the shared HTTP authentication provided by BasicHttpConnectorConfiguration (from the http-connectors-parent library).
Obtain the required credentials (url, username, password) from your Forescout eyeInspect administrator or the Forescout eyeInspect admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Asset
| Source Field Name | SDM Attribute |
|---|---|
| asset.broadcast_ip | IS_BROADCAST_IP |
| asset.client_protos | CLIENT_PROTOCOLS |
| asset.criticality | CRITICALITY |
| asset.description | DESCRIPTION |
| asset.firmware_version | FIRMWARE_VERSION |
| asset.first_seen | FIRST_SEEN |
| asset.id | UID |
| asset.ip | IP_ADDRESSES |
| asset.labels | LABELS |
| asset.last_seen | LAST_SEEN |
| asset.learnt_host | IS_LEARNT_HOST |
| asset.mac_addresses | MAC_ADDRESSES |
| asset.mac_vendors | MAC_VENDORS |
| asset.main_name | NAME |
| asset.main_name | HOSTNAMES |
| asset.main_role | ROLE |
| asset.main_vendor_model | MODEL |
| asset.multicast_ip | IS_MULTICAST_IP |
| asset.open_ports[].port | OPEN_PORTS |
| asset.operational_risk | OPERATIONAL_RISK |
| asset.os_version | OPERATING_SYSTEM |
| asset.project | PROJECT |
| asset.public_ip | IS_PUBLIC_IP |
| asset.purdue_level | PURDUE_LEVEL |
| asset.security_risk | SECURITY_RISK |
| asset.serial_number | SERIAL_NUMBER |
| asset.server_protos | SERVER_PROTOCOLS |
| asset.vlan | VLAN |
| now() | LAST_CAPTURED |
| — | STATUS |
Alert
| Source Field Name | SDM Attribute |
|---|---|
| alert.alert_id | UID |
| alert.alert_id | TYPE |
| alert.case_name | CASE_NAME |
| alert.direction_certain | DIRECTION_CERTAIN |
| alert.dst_ip | DST_IP |
| alert.dst_mac | DST_MAC |
| alert.dst_port | DST_PORT |
| alert.engine | ENGINE |
| alert.event_type_names | EVENT_TYPES |
| alert.fea_alert_count | FEA_ALERT_COUNT |
| alert.fea_duration_sec | FEA_DURATION_SEC |
| alert.fea_start | FEA_START |
| alert.fea_state | FEA_STATE |
| alert.hotstart | HOT_START |
| alert.l2_proto | L2_PROTOCOL |
| alert.l3_proto | L3_PROTOCOL |
| alert.l4_proto | L4_PROTOCOL |
| alert.l7_proto | L7_PROTOCOL |
| alert.labels | LABELS |
| alert.normalized | NORMALIZED |
| alert.notes | NOTES |
| alert.profile_module_name | PROFILE_MODULE |
| alert.sensor_name | SENSOR |
| alert.src_ip | SRC_IP |
| alert.src_mac | SRC_MAC |
| alert.src_port | SRC_PORT |
| alert.status | PROVIDER_STATUS |
| alert.status | SOURCE_STATUS |
| alert.status | STATUS |
| alert.status | STATUS_CATEGORY |
| alert.timestamp | TIMESTAMP |
| alert.vlan | VLAN |
| now() | LAST_CAPTURED |
Alert Definition
| Source Field Name | SDM Attribute |
|---|---|
| alert.alert_id | UID |
| alert.alert_id | NAME |
| alert.description | DESCRIPTION |
| alert.severity | SOURCE_SEVERITY |
| getFindingSeverityScore(severity) | SEVERITY_SCORE |
| normalizeFindingSeverity(alert.severity) | SEVERITY |
| now() | LAST_CAPTURED |
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
| asset.id | TARGETS |
| asset.id + "_" + cve.id | UID |
| cve.id | TYPE |
| cve.matching_confidence | MATCHING_CONFIDENCE |
| cve.suppressed | SUPPRESSED |
| now() | LAST_CAPTURED |
| — | PROVIDER_STATUS |
| — | SOURCE_STATUS |
| — | STATUS |
| — | STATUS_CATEGORY |
Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
| cve.cve_id | CVE_IDS |
| cve.cve_id | CVE_RECORDS |
| cve.cvss_access_complexity | CVSS_V2_AC |
| cve.cvss_access_vector | CVSS_V2_AV |
| cve.cvss_attack_complexity | CVSS_V3_AC |
| cve.cvss_attack_vector | CVSS_V3_AV |
| cve.cvss_authentication | CVSS_V2_AU |
| cve.cvss_availability_impact | CVSS_V2_AI |
| cve.cvss_availability_impact | CVSS_V3_AI |
| cve.cvss_confidentiality_impact | CVSS_V2_CI |
| cve.cvss_confidentiality_impact | CVSS_V3_CI |
| cve.cvss_exploit_code_maturity | CVSS_V3_E |
| cve.cvss_exploitability | CVSS_V2_E |
| cve.cvss_integrity_impact | CVSS_V2_II |
| cve.cvss_integrity_impact | CVSS_V3_II |
| cve.cvss_privileges_required | CVSS_V3_PR |
| cve.cvss_remediation_level | CVSS_V2_RL |
| cve.cvss_remediation_level | CVSS_V3_RL |
| cve.cvss_reporting_confidence | CVSS_V2_RC |
| cve.cvss_reporting_confidence | CVSS_V3_RC |
| cve.cvss_scope | CVSS_V3_SCOPE |
| cve.cvss_score | CVSS_V2_BASE_SCORE |
| cve.cvss_score | CVSS_V3_BASE_SCORE |
| cve.cvss_temporal_score | CVSS_V2_TEMPORAL_SCORE |
| cve.cvss_temporal_score | CVSS_V3_TEMPORAL_SCORE |
| cve.cvss_user_interaction | CVSS_V3_UI |
| cve.cvss_version | CVSS_VERSION |
| cve.icsa_id | ICSA_ID |
| cve.id | UID |
| cve.last_modified_date | SOURCE_LAST_MODIFIED |
| cve.published_date | PUBLISHED_DATE |
| cve.references[].label | REFERENCES |
| cve.solution | RECOMMENDATION |
| cve.summary | DESCRIPTION |
| cve.title | NAME |
| cve.vendor | VENDOR |
| cve.vendor_specific_id | VENDOR_SPECIFIC_ID |
| now() | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Asset
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
The connector README does not document a data source for this object.
Alert
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
The connector README does not document a data source for this object.
Alert Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
The connector README does not document a data source for this object.
Vulnerability
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
The connector README does not document a data source for this object.
Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
The connector README does not document a data source for this object.
Changelog
The Forescout eyeInspect connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.3 | Improvements: Connector-sourced attribute values now take precedence over non-connector data channels (manual edits, bulk imports, UI input) when the platform consolidates records, so Forescout data is no longer overridden by lower-priority sources. Bug Fixes: Corrected the data type of Alert attributes: "Normalized" is now text (was Boolean), and "Source port" / "Destination port" are now numbers (were text), matching the values returned by the API. | Alert: the "Normalized", "Source port", and "Destination port" attributes changed data type. Re-sync the Forescout connector to repopulate alerts with the corrected types. |
| 3.0.2 | Improvements: (1) Changed the Criticality attribute datatype from String to Integer in the Asset model to correctly reflect the numeric criticality value returned by the eyeInspect API. (2) Added support for exposing the Last captured field (Last capture date) across data retrieval for all models. (3) Updated connector to align with model SDK changes (model-version 1.6.15), migrating to OptionalInstantDeserializer, StorageManager/StorageOperations APIs, and getCustomAttributeInfos() for schema registration across all models. | The Criticality attribute on the Asset (Host) model has changed from String to Integer. |
| 3.0.1 | New Features: Added support for CVSS v3 vulnerability scoring — the connector now automatically detects the CVSS version reported by eyeInspect and maps vulnerability data to the appropriate CVSS v2 or CVSS v3 attributes, including base score, temporal score, attack vector, attack complexity, privileges required, user interaction, scope, confidentiality/integrity/availability impact, exploit code maturity, remediation level, and reporting confidence. Improvements: Removed unsupported CVSS_V2_SEVERITY and CVSS_V2_VECTOR attributes that were not populated by the eyeInspect API. | N/A |
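
The 3.0.1 entry explains why several source fields in the Vulnerability Definition table (for example cve.cvss_score) appear against both a CVSS_V2_* and a CVSS_V3_* attribute: the version reported in cve.cvss_version decides which one is populated. The sketch below is an added illustration of that routing, not the connector's own code. It assumes that cvss_version is a string such as "2.0" or "3.1" and that fields belonging to the other version are ignored; `map_cvss` and the sample records are hypothetical.

```python
# Added illustration: route eyeInspect CVE fields to CVSS v2 or v3 attributes.
# Names come from the mapping table; cvss_version format and samples are assumed.

# Source fields that exist only for one CVSS version.
V2_ONLY = {
    "cvss_access_complexity": "CVSS_V2_AC",
    "cvss_access_vector": "CVSS_V2_AV",
    "cvss_authentication": "CVSS_V2_AU",
    "cvss_exploitability": "CVSS_V2_E",
}
V3_ONLY = {
    "cvss_attack_complexity": "CVSS_V3_AC",
    "cvss_attack_vector": "CVSS_V3_AV",
    "cvss_exploit_code_maturity": "CVSS_V3_E",
    "cvss_privileges_required": "CVSS_V3_PR",
    "cvss_scope": "CVSS_V3_SCOPE",
    "cvss_user_interaction": "CVSS_V3_UI",
}
# Source fields shared by both versions: suffix appended after CVSS_V{n}_.
SHARED = {
    "cvss_availability_impact": "AI",
    "cvss_confidentiality_impact": "CI",
    "cvss_integrity_impact": "II",
    "cvss_remediation_level": "RL",
    "cvss_reporting_confidence": "RC",
    "cvss_score": "BASE_SCORE",
    "cvss_temporal_score": "TEMPORAL_SCORE",
}

def map_cvss(cve):
    """Return SDM CVSS attributes for one CVE record (hypothetical helper)."""
    major = str(cve.get("cvss_version", "")).split(".")[0]
    if major not in ("2", "3"):
        raise ValueError(f"unsupported cvss_version: {cve.get('cvss_version')!r}")
    own = V2_ONLY if major == "2" else V3_ONLY
    out = {"CVSS_VERSION": cve["cvss_version"]}
    for field, value in cve.items():
        if field in own:
            out[own[field]] = value          # version-specific metric
        elif field in SHARED:
            out[f"CVSS_V{major}_{SHARED[field]}"] = value
    return out                               # other-version fields are dropped

# Constructed sample records, not real eyeInspect output.
SAMPLE_V3 = {"id": 4711, "cvss_version": "3.1", "cvss_score": 9.8,
             "cvss_attack_vector": "NETWORK", "cvss_authentication": "NONE"}
SAMPLE_V2 = {"id": 4712, "cvss_version": "2.0", "cvss_score": 7.5,
             "cvss_access_vector": "NETWORK"}
```

When checking synced data, a record whose CVSS_VERSION starts with 3 should have its score under CVSS_V3_BASE_SCORE only; a populated CVSS_V2_BASE_SCORE on the same record would indicate stale data from before the 3.0.1 mapping.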