[PuPr] Forescout Host Property Monitor: Add the necessary files for the new version #14550

Open
RodrigoLopezCam wants to merge 7 commits into Azure:master from RodrigoLopezCam:users/v-rodrigolop/forescout

RodrigoLopezCam commented Jun 23, 2026

Contributor

Change(s):

Replaced the legacy REST/Log-Ingestion Data Connector (ForescoutHostPropertyMonitor.json) with a new Codeless Connector Framework (CCF) Push connector under Data Connectors/ForescoutHostPropertyMonitor_ccf/:

  • ForescoutHostPropertyMonitor_connectorDefinition.json (kind Customizable)
  • ForescoutHostPropertyMonitor_DCR.json — Data Collection Rule with three custom streams
  • ForescoutHostPropertyMonitor_PollerConfig.json — Push poller configuration

Three custom tables: ForescoutHostProperties_CL, ForescoutPolicyStatus_CL, ForescoutComplianceStatus_CL
Removed the three legacy alias-function Parsers; the Analytic Rule and Workbook now query the _CL tables directly.
Updated the Analytic Rule ForeScout-DNSSniffEventMonitor.yaml to reference ForescoutHostProperties_CL (table) instead of the parser alias.

Updated support contact to Microsoft in SolutionMetadata.json and the playbook metadata (tier: Microsoft), keeping Forescout as the provider/author.

Reason for Change(s):

Migrates Forescout Host Property Monitor from the deprecated manual push (HTTP Data Collector / Log Ingestion API) model to the modern CCF Push connector, which automatically deploys the DCR, DCE, and poller — improving onboarding and supportability.

Version Updated:

3.1.0

Testing Completed:

Yes — Built and validated locally using the V3 packaging tool and the local validation runner. Package 4.0.0.zip generated successfully.
(Please confirm/adjust: whether the generated mainTemplate.json was also deployed to a clean Microsoft Sentinel workspace and the connector appeared/ingested as expected — set to Yes once verified, or Need Help.)
Checked that the validations are passing and have addressed any issues that are present:

Yes — Local validation run completed: 12 passed, 0 failed, 6 skipped. ARM-TTK reports 48 passing checks. KQL, JSON/YAML syntax, Solution, Workbook Template, Playbook, MS-Branding, Documents Link, Field Types, Classic App Insights, and Hyperlink validations all pass. The 6 skips are local-environment only (Detection Schema & Non-ASCII require the .NET Core 3.1 runtime; TruffleHog requires the CLI) and run in CI.


Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Migrates the Forescout Host Property Monitor solution from the legacy REST/Log Ingestion connector to a Codeless Connector Framework (CCF) Push connector, introducing DCR/DCE-based ingestion and updating content to query custom *_CL tables directly.

Changes:

  • Added CCF connector assets (connector definition, DCR, poller config) and custom table schemas for host/policy/compliance streams.
  • Removed the legacy data connector JSON and updated solution/package metadata to version 4.0.0.
  • Updated support tier/contact metadata and adjusted analytic/workbook behavior to query *_CL tables directly.

Reviewed changes

Copilot reviewed 14 out of 16 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| Solutions/ForescoutHostPropertyMonitor/SolutionMetadata.json | Updates support contact/tier metadata to Microsoft. |
| Solutions/ForescoutHostPropertyMonitor/ReleaseNotes.md | Adds 4.0.0 release notes entries describing CCF migration. |
| Solutions/ForescoutHostPropertyMonitor/Playbooks/Forescout-DNSSniffEventPlaybook.json | Updates playbook support tier to Microsoft. |
| Solutions/ForescoutHostPropertyMonitor/Package/testParameters.json | Adds resource group and subscription parameters for deployment templates. |
| Solutions/ForescoutHostPropertyMonitor/Package/createUiDefinition.json | Updates UI text to reflect CCF Push connector. |
| Solutions/ForescoutHostPropertyMonitor/Data/Solution_ForescoutHostProp.json | Points solution to the new connector definition and bumps version. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_table_ForescoutPolicyStatus.json | Adds custom table schema for policy status stream. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_table_ForescoutHostProperties.json | Adds custom table schema for host properties stream. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_table_ForescoutComplianceStatus.json | Adds custom table schema for compliance status stream. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_connectorDefinition.json | Introduces CCF connector definition and onboarding instructions/queries. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_PollerConfig.json | Adds push connector instance (poller) configuration. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor_ccf/ForescoutHostPropertyMonitor_DCR.json | Adds DCR with stream declarations and transformations for 3 streams. |
| Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor.json | Removes the legacy data connector definition. |
| Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml | Bumps analytic rule version after switching to *_CL table usage. |

Comment thread Solutions/ForescoutHostPropertyMonitor/ReleaseNotes.md Outdated
Comment thread Solutions/ForescoutHostPropertyMonitor/Package/testParameters.json Outdated
Comment thread Solutions/ForescoutHostPropertyMonitor/Data/Solution_ForescoutHostProp.json Outdated
@v-shukore

Contributor

Hi @RodrigoLopezCam, could you please confirm whether the file ForescoutHostPropertyMonitor.json that you have deleted from the data connector folder is the old data connector?

@v-shukore

Contributor

Hi @RodrigoLopezCam,
Thanks for the update on Teams chat.
One concern with deleting the old data connector is that any clients still using it could run into issues after it is removed. For now, I recommend not deleting it from the solution. Once the CCF connector is ready and all customers have been migrated to the CCF connector, you can delete that connector by following this process:
First, inform the App Assure team and obtain approval to proceed with deleting the connector from the solution. After they approve it, you can go ahead and delete it.
Email ID (App Assure team): AzureSentinelPartner@microsoft.com
