Splunk SOAR (f.k.a. Phantom)

Scanning endpoint SOAR Tenable.sc: How to get a credential scan?

New Member

When scanning an endpoint in SOAR how to you get a credential scan? I can start a scan via SOAR playbook but its not a credential scan.

Labels (3)
0 Karma


@wisconsin it's likely the app wasn't built with that requirement in-mind. However, there is nothing stopping you expanding the app to include this capability. All you need is SOAR v5.x and the Tenable API docs!

The code for scan_endpoint action includes this JSON with a 'credentials' key:

        scan_data = {
            "name": "Scan Launched from Phantom",
            "repository": {"id": scan_repository_id},
            "schedule": {"start": scan_start, "repeatRule": "FREQ=NOW;INTERVAL=1", "type": "now"},
            "reports": [],
            "type": "policy",
            "policy": {"id": scan_policy_id},
            "zone": {"id": -1},
            "ipList": str(ip_hostname),
            "credentials": [],
            "maxScanTime": "unlimited",

However, it's not populated by any code, meaning the update should be simple; add the relevant inputs for the action (maybe a boolean to include credentials or not, then use the other config params), add the logic to the _scan_endpoint action code and you should be golden. 

This should help with adding new inputs to the action: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/DevelopApps/Overview 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...