Splunk SOAR (f.k.a. Phantom)

Scanning endpoint SOAR Tenable.sc: How to get a credential scan?

wisconsin
New Member

When scanning an endpoint in SOAR how to you get a credential scan? I can start a scan via SOAR playbook but its not a credential scan.

Labels (3)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@wisconsin it's likely the app wasn't built with that requirement in-mind. However, there is nothing stopping you expanding the app to include this capability. All you need is SOAR v5.x and the Tenable API docs!

The code for scan_endpoint action includes this JSON with a 'credentials' key:

        scan_data = {
            "name": "Scan Launched from Phantom",
            "repository": {"id": scan_repository_id},
            "schedule": {"start": scan_start, "repeatRule": "FREQ=NOW;INTERVAL=1", "type": "now"},
            "reports": [],
            "type": "policy",
            "policy": {"id": scan_policy_id},
            "zone": {"id": -1},
            "ipList": str(ip_hostname),
            "credentials": [],
            "maxScanTime": "unlimited",
        }



However, it's not populated by any code, meaning the update should be simple; add the relevant inputs for the action (maybe a boolean to include credentials or not, then use the other config params), add the logic to the _scan_endpoint action code and you should be golden. 

This should help with adding new inputs to the action: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/DevelopApps/Overview 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...