eyeExtend for Splunk®

Forescout discovers, classifies and assesses all connected devices; compiles this information in the Splunk CIM format and shares it with Splunk. The additional device information from Forescout includes user information, device type, device configuration, network access patterns over time, network location and security posture. Splunk correlates rich contextual data from Forescout with other data sources and uses this information for long-term storage, swift anomaly detection and accurate trend analysis.

Splunk correlates rich device context from the Forescout platform with other data sources to better identify and prioritize incidents. When Splunk receives alerts from other data sources about a suspicious activity on a device, it shares the information with Forescout. Forescout provides high-value user, network and device context to Splunk. Splunk leverages this additional insight to determine if a suspicious event is actually malicious or violates policy and escalates or reduces the severity of the event based on the device and user context, such as highly privileged or less trusted users.

Forescout scans all connected devices for indicators of compromise (IOCs) and policy violations in real time when alerted by Splunk. Through Splunk’s Adaptive Operations Framework, Splunk operators can initiate Forescout actions—such as isolating or quarantining potentially compromised or noncompliant endpoints depending on the severity of the violation. Forescout can also dynamically trigger policy-based mitigation and response actions until the deviant device is remediated. Forescout then delivers the results back to Splunk to close the loop. Administrators can view the entire lifecycle and final outcome of the event in the Splunk dashboard.