Scanning endpoint SOAR Tenable.sc: How to get a cr...

wisconsin · ‎06-29-2022

When scanning an endpoint in SOAR how to you get a credential scan? I can start a scan via SOAR playbook but its not a credential scan.

phanTom · ‎06-29-2022

@wisconsin it's likely the app wasn't built with that requirement in-mind. However, there is nothing stopping you expanding the app to include this capability. All you need is SOAR v5.x and the Tenable API docs!

The code for scan_endpoint action includes this JSON with a 'credentials' key:

        scan_data = {
            "name": "Scan Launched from Phantom",
            "repository": {"id": scan_repository_id},
            "schedule": {"start": scan_start, "repeatRule": "FREQ=NOW;INTERVAL=1", "type": "now"},
            "reports": [],
            "type": "policy",
            "policy": {"id": scan_policy_id},
            "zone": {"id": -1},
            "ipList": str(ip_hostname),
            "credentials": [],
            "maxScanTime": "unlimited",
        }

However, it's not populated by any code, meaning the update should be simple; add the relevant inputs for the action (maybe a boolean to include credentials or not, then use the other config params), add the logic to the _scan_endpoint action code and you should be golden.

This should help with adding new inputs to the action: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/DevelopApps/Overview

Scanning endpoint SOAR Tenable.sc: How to get a credential scan?

Other

troubleshooting

using SOAR ⁄ Phantom

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!