Solved: ForeScout CounterACT Integration Module: How to ch...

tungntran · ‎02-22-2016

Hi All,

I was able to get counteract module to forward data using "web_event" sourcetype. However, all the data resides in the "main" index. Does anyone have any tips on how to change the index for the data being forwarded by counteract integration module?

Thanks,
Tung

tungntran · ‎02-22-2016

Figured it out.

In the counteract policy for Splunk, edit the condition. Under the "HTTP Request" tab for the "DEX Send Web..." action add the index name.

Original:
https://[IP]:[port]/services/receivers/simple?source=CounterACT&sourcetype=web_event

Changed index:
https://[IP]:[port]/services/receivers/simple?index=counteract&source=CounterACT&sourcetype=web_event

View solution in original post

tungntran · ‎02-22-2016

Figured it out.

In the counteract policy for Splunk, edit the condition. Under the "HTTP Request" tab for the "DEX Send Web..." action add the index name.

Original:
https://[IP]:[port]/services/receivers/simple?source=CounterACT&sourcetype=web_event

Changed index:
https://[IP]:[port]/services/receivers/simple?index=counteract&source=CounterACT&sourcetype=web_event

ForeScout CounterACT Integration Module: How to change the index for the counteract web_event sourcetype?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)