### Run Splunk DataForwarder Setup Script Source: https://docs.forescout.com/fs-cloud/cloud-admin-guide/cloud-admin-guide/creating-splunk-indexes-and-installing-the-application-pack.htm Executes the setup script for the Splunk DataForwarder application. Requires start time, API token, and certificate path. Use -h for help. ```bash python setup.py --startTime "2022-09-03 13:00:00" --token "" --certificatePathForSetup "" ``` -------------------------------- ### Display Setup Script Help Source: https://docs.forescout.com/fs-cloud/cloud-admin-guide/cloud-admin-guide/creating-splunk-indexes-and-installing-the-application-pack.htm Displays the help message for the Splunk DataForwarder setup script, showing available options and usage. ```bash python setup.py -h ``` -------------------------------- ### Example Configuration for Export Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-configuration-guide/manage_passive_sensors_via_nidstool.htm An example of a configuration file generated by the 'config export' command, showing global and sensor-specific settings. ```yaml configuration: nids.conf: sniff-threads: 1 interfaces: replay1 sensors: - name: nids-first ``` -------------------------------- ### Import Hosts - POST Request Example Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-api-guide/import-hosts.htm Example of a POST request to import hosts, including session cookies and the obtained CSRF token. ```http POST /api/v1/sensors/15/modules HTTP/1.1 Cookie: JSESSIONID=... X-CSRF-Token: ... Authorization: Basic ... Host: localhost:443 ... ``` -------------------------------- ### Start All Sensor Services Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-configuration-guide/manage_passive_sensors_via_nidstool.htm This command starts all known sensor services. It's a convenient way to bring all passive sensors online simultaneously. ```bash sudo nidstool up all ``` -------------------------------- ### Get Nidstool Command Overview Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-configuration-guide/manage_passive_sensors_via_nidstool.htm Run this command to get an overview of all supported nidstool commands. This is useful for understanding the available functionalities. ```bash sudo nidstool --help ``` -------------------------------- ### Get Specific Command Help Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-configuration-guide/manage_passive_sensors_via_nidstool.htm Use the --help option with a specific command to get detailed information about its usage and parameters. This helps in understanding how to use individual commands effectively. ```bash sudo nidstool --help ``` -------------------------------- ### Summarize Expression for Aggregation Source: https://docs.forescout.com/fs-cloud/eyealert-gov/forescout-eyealert-gov/advanced_search_syntax_quick_reference_guide.htm Example of using the 'summarize' expression to get aggregated counts by status. ```kql logs | summarize Count = count() by status | top 5 by Count ``` -------------------------------- ### Install Python Requirements Source: https://docs.forescout.com/fs-cloud/cloud-admin-guide/cloud-admin-guide/creating-splunk-indexes-and-installing-the-application-pack.htm Installs necessary Python packages for the Splunk DataForwarder application. Ensure you are in the application's directory. ```bash pip install -r requirements.txt ``` -------------------------------- ### Import Sensor Module Request Example Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-api-guide/import-sensor-module.htm Shows how to send a POST request to import a sensor module. This includes setting the necessary cookies, CSRF token, authorization, and the module file in the request body. ```http Client Request: POST /api/v1/sensors/15/modules HTTP/1.1 Cookie: JSESSIONID=... X-CSRF-Token: ... Authorization: Basic ... Host: localhost:443 ... Server Response: HTTP/1.1 200 OK ``` -------------------------------- ### Run a Sensor with Startup Arguments Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-configuration-guide/manage_passive_sensors_via_nidstool.htm This command runs a specific sensor service and allows passing startup arguments to the sensor. Arguments must be separated from nidstool arguments by a double-dash (--). ```bash sudo nidstool run nids-first -- --no-sniff ``` -------------------------------- ### Run sdconfig for IP Configuration Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-configuration-guide/ip_configuration_and_ip_stack_selection.htm Execute the sdconfig command from the main menu to access IP configuration options. This is the initial step for setting up network parameters. ```bash sudo sdconfig ``` -------------------------------- ### Basic KQL Query Example Source: https://docs.forescout.com/fs-cloud/eyealert-gov/forescout-eyealert-gov/advanced_search_syntax_quick_reference_guide.htm A fundamental KQL query demonstrating SELECT, COUNT, GROUP BY, and HAVING clauses. ```kql SELECT Status, COUNT(_) AS Count_ FROM Logs GROUP BY Status HAVING COUNT(_) > 10; ``` -------------------------------- ### Start a Specific Sensor Service Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-configuration-guide/manage_passive_sensors_via_nidstool.htm Use this command to create and start a specific sensor service container. The Passive Sensor will then run as a background task. ```bash sudo nidstool up nids-first ``` -------------------------------- ### Prefix Queries in KQL and SQL Source: https://docs.forescout.com/fs-cloud/eyealert-gov/forescout-eyealert-gov/advanced_search_syntax_quick_reference_guide.htm Search for strings that start with a specific prefix. KQL uses 'startswith', SQL uses 'LIKE'. ```KQL `logs | where message startswith 'Error'` ``` ```SQL SELECT * FROM Logs WHERE Message LIKE 'Error%'; ``` -------------------------------- ### Fetch CSRF Token - Step 1: Get Session ID Source: https://docs.forescout.com/eyeinspect/eyeinspect-rn-api-user-guide/eyeinspect-api-guide/modify-sensor-module.htm Obtain the session ID by making a GET request to fetch sensors with basic authentication. ```http GET /api/v1/sensors HTTP/1.1 Authorization: Basic ... Host: localhost:443 ... ``` -------------------------------- ### Set Mitigation Script as Executable Source: https://docs.forescout.com/eyesight/vulnerabilities/vulnerabilities.htm Make the downloaded mitigation script executable before running it on the Forescout appliance. ```bash chmod +x cve-2026-43284-mitigation.sh ```