XDR – Extended Detection and Response
Improve Your SOC Efficiency by 450x with Better Detection and Response of True Threats
Security operations center (SOC) teams face a daily barrage of incomplete and inaccurate alerts that lack vital contextual information, many of them false positives. As a result, analysts miss critical threats and take longer to investigate and respond to them, increasing the risk of a breach. In fact, the typical SOC receives an estimated 11,000 alerts per day, or 450 alerts per hour¹ – most of them low-fidelity, low-confidence alerts and false positives.
With Forescout XDR, that number is reduced to one SOC-actionable detection an hour – or one probable threat that warrants human investigation².

Business Value
Forescout XDR is an eXtended detection and response solution that converts telemetry and logs into high fidelity, SOC-actionable probable threats.
It automates the detection, investigation, hunt for and response to advanced threats across all connected assets – IT, OT/ICS, IoT and IoMT – from campus to cloud to data center to edge. Forescout XDR combines essential SOC technologies and functions into a unified, cloud-native platform, viewable and actionable from a single console.

Reduce business risk
Reduce the risk and magnitude of a successful attack, business disruption or data breach by eliminating alert noise so you can quickly and accurately detect, investigate and respond to the broadest range of advanced threats.

Lower costs
Consolidate point solutions (data lake, security analytics, SOAR, UEBA, threat intel platform) and reduce costs related to data onboarding, rules management and analyst turnover with a solution that simplifies and supports their workflow.

Optimize security operations
Streamline the analyst function and speed complex investigation and threat-hunting processes with enriched, normalized and contextualized data correlated to produce a small number of detections that warrant investigation – all in a unified console that integrates with case management systems and other security tools.

Leverage multi-vendor security investments
Derive more value from existing solutions and make better use of asset data and threat intel via automation across case management and incident response systems, sensors (network, endpoint, cloud) and enforcement points.

Support compliance
Combine long-term log storage with automated threat detection and threat intelligence to close the potential gap between when a breach or disruption is noticed and when a response action is taken.
See a Demo
Watch CTO Justin Foster run through key features in Forescout XDR.
The Forescout Advantage
Vendor and EDR Agnostic Data Ingestion
- Supports the products and vendors you’ve already invested in
- Can ingest data from any managed and unmanaged device (IT, OT/ICS, IoT, IoMT)
- Ensures more comprehensive, powerful, flexible, and effective threat detection
450x Better Detections
- Advanced data pipeline enforces a common information model (CIM) to normalize ingested data and auto enrich with user info, IP attribution, geolocation, critical asset information
- 2-stage threat detection engine uses a blend of 5 techniques to reduce noise & improve fidelity
Full Spectrum Response
- Powerful investigation tools
- Native integrations with case management solutions
- Automate responses via Forescout solutions to touch all managed & unmanaged devices
Up Front Risk Reduction
- Integration with other Forescout solutions reduces the attack surface, and the risk of a compromised or non-compliant device connecting to your network in the first place
- Continuously monitors all connected assets with dynamic access policies
Simple, Predictable, and Accessible Pricing
- No penalties for sending more logs to Forescout XDR, to support better detection
- License fee is based on the total number of endpoints (IP/MAC address) in your organization
- Pricing includes 31-day log storage, and longer-term storage options are available
Webinar: Improving SOC Efficiency by 450x with Forescout XDR
Threat detection and response has become increasingly important, and increasingly difficult, even for seasoned and large SOC teams. Watch this 30-minute webinar to discover how Forescout XDR uniquely addresses today’s detection and response challenges by not only converting daily alerts into high-fidelity detections of true threats but by also enabling SOC teams to automate response processes across the extended enterprise.
1 Detection per Hour, from 50 Million Logs
Forescout XDR combines vendor- and EDR-agnostic support for more than 170 data sources in our cloud-based data lake, with cost-effective log retention and management, automated data normalization and enrichment, and a two-stage threat detection engine to weed out false positives and identify true threats, along with more than 1,500 verified detection rules and models that are regularly updated.
Forescout XDR combines essential SOC technologies and functions into a single, unified, cloud-native console.

Data ingestion
Natively supports Forescout eyeSight, eyeInspect and Medical Device Security data – and over 170 vendor- and EDR-agnostic sources including security, infrastructure, enrichment, applications and cloud/SaaS:
- Security: Firewall, network IDS/IPS, EDR, EPP, server/workload/container security, web proxy and email security
- Infrastructure: Windows security, AD authentication, IAM, DHCP, DNS, cloud audit trail and network metadata
- Enrichment: Identity (LDAP), asset inventory and classification, configuration management, vulnerability scan results, IOCs
- Applications: Database, ERP, CRM and APIs
- Cloud/SaaS: AWS, Microsoft Azure, Google Cloud, Microsoft 365, Google Workspace and any other SaaS application

Data onboarding
Helps ensure that you extract maximum detection value to support your most important use cases. Forescout data engineers work alongside your team to plan and prioritize the data sources to be onboarded, then help configure the data pipeline and ensure your data is being properly parsed, cleansed, normalized and enriched.

Advanced data pipeline
Applies a rigorous data science-centric approach to manage data flowing from enterprise-wide sources into the threat detection engine.
- Enforces a common information model (CIM) to normalize ingested data.
- Enriches data with IP address, geolocation, ADObject properties, configuration and other contextual data to maximize detection and enable faster correlations across data sources.
- Uses an ETL (extract-transform-load) process for faster, more stable and more efficient data analysis than the more common ELT (extract-load-transform) processes.

MITRE ATT&CK framework integration
Allows you to instantly see how different data sources map to the tactics, techniques and procedures (TTPs) of the MITRE ATT&CK framework. This makes it easy to prioritize the initial data sources that should be ingested for broad or specific TTP coverage, to identify potential blind spots that adversaries can exploit and to determine which additional data sources would further elevate your coverage.

Cloud-based data lake
Massively scalable, purpose-built, indexed data lake with tiered data storage (hot, warm, cold) and rapid, full-text search. This provides cost-effective short-term and optional longer-term (7 days to 1 year+) log retention and management of either raw telemetry or enriched data, in support of security and compliance requirements.

Threat detection engine
Two-stage threat detection engine applies five detection techniques to automatically generate high-fidelity, high-confidence true threats that warrant investigation, while weeding out false positives.
- Cyber intel: More than 70 sources to look for backdoors, command-and-control traffic or phishing.
- Signatures: Match object attributes to a known bad object to identify threats inside raw telemetry, uncleanable malware, ransomware, etc.
- UEBA: Looks for abnormal behaviors that match a digital pattern, footprint, human activity or network behavior with known bad behavior.
- Statistics and outliers: Uses clustering, grouping, stack counting, baseline and variation, outlier detection, logistic regression and other methods to detect anomalous activity.
- Algorithms: Uses context-aware AI and ML techniques such as supervised/unsupervised learning or deep learning to detect malicious or anomalous activity and predict attacks.

Detection rules
Includes more than 1,500 verified, out-of-the-box detection rules and models for your data sources. These rules have been tested on production data to ensure they operate effectively and deliver value on Day One. Custom detection rules give you the power and flexibility to quickly create indicator, detection and health rules that address your unique requirements, with a guided user experience.

Threat intelligence
More than 70 global sources, classified, corroborated and scored
Forescout XDR references IOCs from over 70 high-quality sources worldwide, including from Vedere Labs, Forescout’s team of global research experts. These IOCs are classified, corroborated and scored to provide finished intelligence that is automatically leveraged across the threat detection, hunting and investigation process. You have access to detailed threat reports from Forescout researchers that profile key threat actors and threats. Anonymized IOC data can also be shared among opt-in community members, including industry-specific ISACs, via a built-in community threat exchange.
- IOC data from a broad range of reliable sources
- IOC intel correlated into a searchable database of “known bad” domains, URLs and IPv4 and IPv6 addresses
- Each IOC dynamically assigned a confidence score based on source quality
- Confidence-scored IOC intel leveraged by threat detection engine and customer SOC teams to accelerate threat detection and investigation

UEBA
Behavior-based analytics are used to detect significant changes to behavior or anomalous activity for an entity. Standard profiles and behaviors are built for users and hosts across time, and any activity that is anomalous to these standard baselines is flagged as suspicious.

SOAR
Orchestrates the SOC process from detection through investigation and response with built-in case management and notifications.
- Automates security through enrichment sources such as IP geolocation, user and asset information, and correlation to multiple intelligence sources.
- Leverages Forescout eyeSight and eyeControl for automated orchestration and response workflows across all managed and unmanaged devices.
- If desired, continue to leverage your existing SOAR through integration with Palo Alto Cortex XSOAR and other SOARs.

Case management
Provides workflows, tight integration, transparency and seamless communication and collaboration during detection handling and incident management.
- Based on the NIST Incident Response Life Cycle, Forescout XDR supports integrations with ServiceNow, RSA Archer, Jira Software, ManageEngine ServiceDesk Plus, Palo Alto Cortex XSOAR, TheHive and ConnectWise.

Dashboards
Preconfigured and customizable persona-based dashboards provide KPIs relevant to a variety of roles, including analysts/IR, engineers, SOC manager, compliance and risk managers, and executives.

Cloud-native
Nothing to deploy, with new features, fixes and rules delivered seamlessly and bi-weekly
- Ease of management
- Faster release cycle and updates
- Reliability and security
- Cost effectiveness
- Hyper-scale

Multi-tenant
Logical separations (or tenants) easily created based on country, office location or business unit, for example. You can also generate aggregate views and perform queries and analyses across tenants and business units, right up to the global level.
Particularly beneficial for large enterprises, multinationals, MSSPs and organizations with regional SOCs.

Unified global architecture
Data residency and compliance requirements readily met, with cost-effective support for regional security operations. Specify where you want your logs to be stored among 25 regions across the Americas, Europe and Asia-Pacific – while still being able to view and query your data globally.

SIEM Integration
True threats identified by Forescout XDR can be fed to an existing SIEM for centralized orchestration and incident response.

Continuous software and content updates
New features, functionality and fixes, along with new detection rules and models, are seamlessly delivered every few weeks, without requiring any operational support or causing disruption.
¹ 11,000 alerts per day = 450 alerts per hour. Source: “The 2020 State of Security Operations,” Forrester Consulting.
The actual number of alerts a SOC receives depends on many factors including the number, type and location of security controls deployed, the tuning of those controls (which is a function of analyst capacity, risk tolerance and level of expertise), the number of employees/devices and industry.
² Based on aggregate data averaged over a one-year period (Dec 2021-2022), across 30 enterprises, representing a range of company sizes and industries.