Forescout Adaptive Response Add-on unable to retrieve alert actions from CounterAct

ezmo1982
Path Finder

Hi, 

I have the Forescout Technology Add-on and the Forescout Adaptive Response Add-on installed on my ES SH.

The integration is working fine with respect to retrieving events from Forescout; however, I am having a problem with the Adaptive Response Add-on. I installed the Add-on, but when I restart the ES SH it gives an error message (screenshot attached). When I go into /opt/splunk/var/log/splunk and check the log file TA-forescout_response_init.log, it shows ...

[splunk@dub2splk203 splunk]$ tail TA-forescout_response_init.log
2021-11-03 15:42:29 - fsct_rest_api_wrapper.py:30 - INFO - Posting new message to bulletin.
2021-11-03 15:42:29 - fsct_rest_api_wrapper.py:44 - DEBUG - REST API request succeeded
2021-11-03 17:15:17 - ta_forescout_response_init.py:35 - DEBUG - Initializing app: [TA-forescout_response]...
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:34 - INFO - Read usessl: [1], verify_cert: [1] from app: [TA-forescout]
2021-11-03 17:15:18 - fsct_ta_config_reader.py:59 - DEBUG - Getting credentials configured in app: [TA-forescout].
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:38 - INFO - Read fsct_emip: [dub2fst202.syncreon.local] from app: [TA-forescout]
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:56 - DEBUG - Action url: https://dub2fst202.syncreon.local/splunk/actions_info?auth=CounterACT%20
2021-11-03 17:15:18 - ta_forescout_response_init.py:41 - CRITICAL - Error while getting alert actions from CounterACT: Unsuccessful Actions Info API call. Invalid status: [401] or request ID mismatch
2021-11-03 17:15:18 - fsct_rest_api_wrapper.py:30 - INFO - Posting new message to bulletin.
2021-11-03 17:15:18 - fsct_rest_api_wrapper.py:44 - DEBUG - REST API request succeeded

There is no problem with regard to access to my CounterAct server (on-prem), as I verified that the HTTPS connection can be made.

Does anybody have any experience with this add-on or this error? I'm kind of lost, and there is very little from Forescout on this.

Thanks!

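Added triage example (not part of the original post and not Forescout's or Splunk's code). The DEBUG line in the log shows the exact URL the add-on requested, `.../splunk/actions_info?auth=CounterACT%20`, and the next line is the 401. The script below parses that line to show what credential value was actually sent, then optionally repeats the same GET with certificate verification enforced (matching `usessl: [1], verify_cert: [1]`) so that a TLS failure, a connection failure and an HTTP 401 can be told apart. The URL layout and the `CounterACT <token>` shape of the `auth` value are assumptions read off the posted log line, not taken from Forescout documentation; the hostname is the one in the post.

```python
"""Triage helper for the TA-forescout_response 'Invalid status: [401]' error.

Added example; hypothetical and independent of the Forescout add-on's code.
Assumptions (from the posted DEBUG line, not from vendor docs):
  * the action-info endpoint is GET https://<emip>/splunk/actions_info
  * the credential travels in the 'auth' query parameter as 'CounterACT <token>'
"""
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the DEBUG line from the post (hostname left as posted).
SAMPLE_LOG_LINE = (
    "2021-11-03 17:15:18 - fsct_ar_actions_reader.py:56 - DEBUG - "
    "Action url: https://dub2fst202.syncreon.local/splunk/actions_info?auth=CounterACT%20"
)

ACTION_URL_RE = re.compile(r"Action url: (\S+)")


def extract_action_url(line: str) -> Optional[str]:
    """Pull the request URL out of an 'Action url: ...' log line."""
    m = ACTION_URL_RE.search(line)
    return m.group(1) if m else None


def inspect_auth_param(url: str) -> Dict[str, object]:
    """Decode the 'auth' query parameter and report whether anything follows the prefix.

    parse_qs percent-decodes for us, so 'CounterACT%20' becomes 'CounterACT ' and the
    partition on the first space yields an empty token.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    raw = qs.get("auth", [""])[0]
    prefix, _, token = raw.partition(" ")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "prefix": prefix,
        "token": token,
        "token_present": bool(token.strip()),
    }


def probe(url: str, timeout: float = 10.0) -> Tuple[str, Optional[int]]:
    """Repeat the GET with the CA chain and hostname verified (like verify_cert=1).

    Returns (outcome, http_status). A 401 here means TLS and routing were fine and
    the CounterACT side rejected the credential itself; a tls_error or connect_error
    points at a different layer than the add-on's message suggests.
    """
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return "ok", resp.status
    except urllib.error.HTTPError as e:
        return "http_error", e.code
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLError):
            return "tls_error", None
        return "connect_error", None


if __name__ == "__main__":
    url = extract_action_url(SAMPLE_LOG_LINE)
    print("URL from log:", url)
    print("auth parameter:", inspect_auth_param(url))
    # Live probe only when a URL is passed explicitly, so the script runs offline by default.
    if len(sys.argv) > 1:
        print("probe result:", probe(sys.argv[1]))
```

On the posted line the parser reports `token_present: False`: the `auth` value is the literal `CounterACT ` with nothing after the space. Whatever the root cause turns out to be, that is worth checking before anything else on the CounterACT side, since a request that carries only the prefix will be rejected with 401 regardless of network reachability. Note also that the credential, when one is configured, is placed in the query string and written to this DEBUG log line, so `TA-forescout_response_init.log` deserves the same access restrictions as the stored secret.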