[PuPr] Forescout Host Property Monitor: Add the necessary files for the new version #14550
RodrigoLopezCam wants to merge 7 commits into
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Migrates the Forescout Host Property Monitor solution from the legacy REST/Log Ingestion connector to a Codeless Connector Framework (CCF) Push connector, introducing DCR/DCE-based ingestion and updating content to query custom *_CL tables directly.
Changes:
- Added CCF connector assets (connector definition, DCR, poller config) and custom table schemas for host/policy/compliance streams.
- Removed the legacy data connector JSON and updated solution/package metadata to version 4.0.0.
- Updated support tier/contact metadata and adjusted analytic/workbook behavior to query *_CL tables directly.
Reviewed changes
Copilot reviewed 14 out of 16 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Solutions/ForescoutHostPropertyMonitor/SolutionMetadata.json | Updates support contact/tier metadata to Microsoft. |
| Solutions/ForescoutHostPropertyMonitor/ReleaseNotes.md | Adds 4.0.0 release notes entries describing CCF migration. |
| Solutions/ForescoutHostPropertyMonitor/Playbooks/Forescout-DNSSniffEventPlaybook.json | Updates playbook support tier to Microsoft. |
| Solutions/ForescoutHostPropertyMonitor/Package/testParameters.json | Adds resource group and subscription parameters for deployment templates. |
| Solutions/ForescoutHostPropertyMonitor/Package/createUiDefinition.json | Updates UI text to reflect CCF Push connector. |
| Solutions/ForescoutHostPropertyMonitor/Data/Solution_ForescoutHostProp.json | Points solution to the new connector definition and bumps version. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_table_ForescoutPolicyStatus.json | Adds custom table schema for policy status stream. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_table_ForescoutHostProperties.json | Adds custom table schema for host properties stream. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_table_ForescoutComplianceStatus.json | Adds custom table schema for compliance status stream. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_connectorDefinition.json | Introduces CCF connector definition and onboarding instructions/queries. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_PollerConfig.json | Adds push connector instance (poller) configuration. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_DCR.json | Adds DCR with stream declarations and transformations for 3 streams. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor.json | Removes the legacy data connector definition. |
| Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml | Bumps analytic rule version after switching to *_CL table usage. |
Hi @RodrigoLopezCam, could you please confirm which file
Hi @RodrigoLopezCam,
Change(s):
- Replaced the legacy REST/Log-Ingestion Data Connector (ForescoutHostPropertyMonitor.json) with a new Codeless Connector Framework (CCF) Push connector under Data Connectors/ForescoutHostPropertyMonitor_ccf/:
  - ForescoutHostPropertyMonitor_connectorDefinition.json (kind Customizable)
  - ForescoutHostPropertyMonitor_DCR.json — Data Collection Rule with three custom streams
  - ForescoutHostPropertyMonitor_PollerConfig.json — Push poller configuration
  - Three custom tables: ForescoutHostProperties_CL, ForescoutPolicyStatus_CL, ForescoutComplianceStatus_CL
- Removed the three legacy alias-function Parsers; the Analytic Rule and Workbook now query the _CL tables directly.
- Updated the Analytic Rule ForeScout-DNSSniffEventMonitor.yaml to reference ForescoutHostProperties_CL (table) instead of the parser alias.
- Updated support contact to Microsoft in SolutionMetadata.json and the playbook metadata (tier: Microsoft), keeping Forescout as the provider/author.
Reason for Change(s):
Migrates Forescout Host Property Monitor from the deprecated manual push (HTTP Data Collector / Log Ingestion API) model to the modern CCF Push connector, which automatically deploys the DCR, DCE, and poller — improving onboarding and supportability.
Version Updated:
3.1.0
Testing Completed:
Yes — Built and validated locally using the V3 packaging tool and the local validation runner. Package 4.0.0.zip generated successfully.
(Please confirm/adjust: whether the generated mainTemplate.json was also deployed to a clean Microsoft Sentinel workspace and the connector appeared/ingested as expected — set to Yes once verified, or Need Help.)
Checked that the validations are passing and have addressed any issues that are present:
Yes — Local validation run completed: 12 passed, 0 failed, 6 skipped. ARM-TTK reports 48 passing checks. KQL, JSON/YAML syntax, Solution, Workbook Template, Playbook, MS-Branding, Documents Link, Field Types, Classic App Insights, and Hyperlink validations all pass. The 6 skips are local-environment only (Detection Schema & Non-ASCII require the .NET Core 3.1 runtime; TruffleHog requires the CLI) and run in CI.