Scanning endpoint SOAR Tenable.sc: How to get a cr...

wisconsin · ‎06-29-2022

When scanning an endpoint in SOAR how to you get a credential scan? I can start a scan via SOAR playbook but its not a credential scan.

phanTom · ‎06-29-2022

@wisconsin it's likely the app wasn't built with that requirement in-mind. However, there is nothing stopping you expanding the app to include this capability. All you need is SOAR v5.x and the Tenable API docs!

The code for scan_endpoint action includes this JSON with a 'credentials' key:

        scan_data = {
            "name": "Scan Launched from Phantom",
            "repository": {"id": scan_repository_id},
            "schedule": {"start": scan_start, "repeatRule": "FREQ=NOW;INTERVAL=1", "type": "now"},
            "reports": [],
            "type": "policy",
            "policy": {"id": scan_policy_id},
            "zone": {"id": -1},
            "ipList": str(ip_hostname),
            "credentials": [],
            "maxScanTime": "unlimited",
        }

However, it's not populated by any code, meaning the update should be simple; add the relevant inputs for the action (maybe a boolean to include credentials or not, then use the other config params), add the logic to the _scan_endpoint action code and you should be golden.

This should help with adding new inputs to the action: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/DevelopApps/Overview

Scanning endpoint SOAR Tenable.sc: How to get a credential scan?

troubleshooting

using SOAR ⁄ Phantom

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?