Hi,
I have the Forescout Technology Add-on and the Forescout Adaptive Response Add-on installed on my ES SH.
The integration is working fine with respect to retrieving events from Forescout; however, I am having a problem with the Adaptive Response Add-on. I installed the Add-on, but when I restart the ES SH it gives an error message (screenshot attached). When I go into /opt/splunk/var/log/splunk and check the log file TA-forescout_response_init.log, it shows ...
[splunk@dub2splk203 splunk]$ tail TA-forescout_response_init.log
2021-11-03 15:42:29 - fsct_rest_api_wrapper.py:30 - INFO - Posting new message to bulletin.
2021-11-03 15:42:29 - fsct_rest_api_wrapper.py:44 - DEBUG - REST API request succeeded
2021-11-03 17:15:17 - ta_forescout_response_init.py:35 - DEBUG - Initializing app: [TA-forescout_response]...
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:34 - INFO - Read usessl: [1], verify_cert: [1] from app: [TA-forescout]
2021-11-03 17:15:18 - fsct_ta_config_reader.py:59 - DEBUG - Getting credentials configured in app: [TA-forescout].
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:38 - INFO - Read fsct_emip: [dub2fst202.syncreon.local] from app: [TA-forescout]
2021-11-03 17:15:18 - fsct_ar_actions_reader.py:56 - DEBUG - Action url: https://dub2fst202.syncreon.local/splunk/actions_info?auth=CounterACT%20
2021-11-03 17:15:18 - ta_forescout_response_init.py:41 - CRITICAL - Error while getting alert actions from CounterACT: Unsuccessful Actions Info API call. Invalid status: [401] or request ID mismatch
2021-11-03 17:15:18 - fsct_rest_api_wrapper.py:30 - INFO - Posting new message to bulletin.
2021-11-03 17:15:18 - fsct_rest_api_wrapper.py:44 - DEBUG - REST API request succeeded
There is no problem with regard to access to my CounterACT server (on-prem), as I verified that the HTTPS connection can be made.
Has anybody had any experience with this add-on or this error, as I'm kind of lost and there is very little from Forescout on this?
Thanks!