All Scanner Integrations
How Scanner Integrations Work in RegScale
For Commercial Integrations with RegScale, all vulnerability scanners now use a common library and behave identically. This page outlines how each of them works to create records in RegScale.
Background
Vulnerability Scanners are integrated into RegScale for three outcomes:
- Import assets into a Security Plan
- Import vulnerabilities into a Security Plan
- Create Issues and/or POA&Ms in a Security Plan
For each of the dozen-odd vulnerability scan integrations, asset inventories are updated, a scan history is created, Vulnerabilities are created, and, if configured to do so, Issues are created and optionally marked as "Cyber Reportable Plan of Actions and Milestones (POA&M)".
Scanner Configurations
All vulnerability scanner integrations leverage three configuration items from the init.yaml file (see CLI Configuration for full details on init.yaml).
Key | Notes | Value Type |
---|---|---|
dueDates | Default number of days until the due date, by severity | dict: {'high': 60, 'moderate': 120, 'low': 364} |
incrementPoamIdentifier | If the issues use "otherIdentifier" for the POA&M id, this increments the pattern by +1 | bool: true or false (default: false) |
ingestClosedIssues | Whether or not to import closed issues | bool: true or false (default: false) |
issueCreation | For Commercial Scan integrations, determines whether an issue is created for each unique vulnerability/asset pair (PerAsset) or only for each unique vulnerability (Consolidated) | string: "Consolidated" or "PerAsset" |
poamTitleType | What to use for the title of POA&Ms created from scans | string: "Cve" (default) - CVE number; "pluginId" - scanner plugin id |
stigMapperFile | Path to the STIG mapper rules file for compliance scanning | str: stig_mapper_rules.json |
tenableGroupByPlugin | For Tenable scans, group by Plugin Id instead of CVE | bool: true or false (default: false) |
threadMaxWorkers | Maximum number of worker threads | int: 1-8 (default: 4) |
vulnerabilityCreation | For Commercial Scan integrations, determines whether an issue is created for vulnerabilities: "NoIssue" - don't create issues from vulnerabilities; "IssueCreation" - create issues from vulnerabilities; "PoamCreation" - create issues/POA&Ms from vulnerabilities | string: "NoIssue", "IssueCreation" or "PoamCreation" |
Data Flow and Record Creation
For each vulnerability scan integration the following records are created:
- Scan History:
- All scanner integrations first create a Scan History entry as a child of the Security Plan identified in the scanner integration argument (--regscale_ssp_id)
- Scan History is visible in Security Plans under the "Vulnerabilities" tab in Data Entry
- Assets:
- All assets are created as children of the Security Plan
- As assets appear in the scan they are created in RegScale, regardless of whether a vulnerability exists for them
- Asset status is set by the scan. If an asset is shown as active in a scan, it is marked active; if a scan shows an asset as inactive, it is marked inactive
- Assets are visible in Security Plans under the "Assets" tab in Data Entry
- Vulnerabilities:
- All scan results are created as vulnerability records as children of the Security Plan
- Vulnerabilities are visible in Security Plans under "Vulnerabilities" tab in Data Entry and then "CVE List"
- For each asset affected by the vulnerability, a vulnerability mapping record is created which is visible when clicking in the "CVE List" on "View" and "Impacted Assets"
- Issues:
- If the vulnerabilityCreation configuration item is set to IssueCreation or PoamCreation, vulnerabilities will create Issue records as children of the Security Plan
- If the vulnerabilityCreation configuration item is set to PoamCreation, vulnerabilities will create Issue records as children of the Security Plan and will mark the issues as "Cyber Reportable Plan of Actions and Milestones (POA&M)"
- Issues are visible in Security Plans under the "Issues/POAMS" tab in Data Entry
- If the issueCreation configuration item is set to Consolidated, one issue will be created per vulnerability and all impacted assets will be listed in the same record
- If the issueCreation configuration item is set to PerAsset, an issue will be created for each vulnerability/asset pair
- If the poamTitleType configuration item is set to Cve, the issues will be consolidated according to unique CVEs when issueCreation is Consolidated, or will simply use the CVE as the label of the Issue when issueCreation is PerAsset
- If the poamTitleType configuration item is set to pluginId, the issues will be consolidated according to unique Plugin Ids when issueCreation is Consolidated, or will simply use the Plugin Id as the label of the Issue when issueCreation is PerAsset
- Each Issue created will be marked with the source of the scan in the Source Report field of the issue record (e.g. "Aqua")
- Subsequent scan imports:
- If an asset was created in a previous scan, but does not appear in subsequent scans from the same source (e.g. Aqua), it is updated to inactive
- If a vulnerability was created in a previous scan, but does not appear in subsequent scans from the same source, its status is changed to "Closed"
- If an issue was created in a previous scan, but does not appear in subsequent scans from the same source, its status is changed to "Closed"
- If an issue was created in a previous scan and includes multiple assets, the impacted assets listed in the issue will be updated according to which assets still have the same vulnerability in the subsequent scan
- If an issue was created in a previous scan and appears in subsequent scans, the "Last Seen Date" will be updated and the issue status remains "Open"
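The data flow above, including the subsequent-scan rules, as an added example that is not RegScale's own code: a simplified Python model of how one scan import from a single source reconciles assets, vulnerabilities and issues against the previous state, driven by the issueCreation, vulnerabilityCreation and poamTitleType keys. The Finding, Issue and State classes, the functions import_scan and issue_key, the field names and the sample scans are all constructed assumptions for illustration; the CVE strings are placeholders, not real identifiers.

```python
from dataclasses import dataclass, field

# Constructed placeholders, not real CVE identifiers
CVE_A = "CVE-EXAMPLE-0001"
CVE_B = "CVE-EXAMPLE-0002"


@dataclass
class Finding:
    """One scan result row. Shape is an assumption, not RegScale's record schema."""
    asset: str
    cve: str
    plugin_id: str


@dataclass
class Issue:
    """Issue/POA&M record as the page describes it (field names assumed)."""
    title: str
    source_report: str
    assets: set
    status: str = "Open"
    is_poam: bool = False
    last_seen: str = ""


@dataclass
class State:
    """Records under one Security Plan: assets, vulnerabilities and issues."""
    assets: dict = field(default_factory=dict)  # name -> {"source", "status"}
    vulns: dict = field(default_factory=dict)   # (source, cve, asset) -> status
    issues: dict = field(default_factory=dict)  # issue key -> Issue


def issue_key(source, finding, config):
    """Consolidated: one issue per CVE (or plugin id); PerAsset: one per vuln/asset pair."""
    label = finding.cve if config.get("poamTitleType", "Cve") == "Cve" else finding.plugin_id
    if config.get("issueCreation", "Consolidated") == "PerAsset":
        return (source, label, finding.asset)
    return (source, label)


def import_scan(state, source, scan_date, scanned_assets, findings, config):
    """Apply one scan from `source` to `state`, following the data-flow rules above."""
    # Assets: seen -> Active; earlier assets from this source not seen -> Inactive
    for name, rec in state.assets.items():
        if rec["source"] == source and name not in scanned_assets:
            rec["status"] = "Inactive"
    for name in scanned_assets:
        state.assets[name] = {"source": source, "status": "Active"}

    # Vulnerabilities: one record per (cve, asset); ones missing from this scan are Closed
    seen_vulns = {(source, f.cve, f.asset) for f in findings}
    for key in state.vulns:
        if key[0] == source and key not in seen_vulns:
            state.vulns[key] = "Closed"
    for key in seen_vulns:
        state.vulns[key] = "Open"

    # Issues: created only when vulnerabilityCreation is IssueCreation or PoamCreation
    mode = config.get("vulnerabilityCreation", "NoIssue")
    if mode not in ("IssueCreation", "PoamCreation"):
        return state
    seen_issues = {}
    for f in findings:
        seen_issues.setdefault(issue_key(source, f, config), set()).add(f.asset)
    for key, issue in state.issues.items():
        if key[0] == source and key not in seen_issues:
            issue.status = "Closed"
    for key, impacted in seen_issues.items():
        issue = state.issues.get(key)
        if issue is None:
            issue = Issue(title=key[1], source_report=source, assets=set())
            state.issues[key] = issue
        issue.assets = impacted            # impacted assets follow the latest scan
        issue.status = "Open"
        issue.last_seen = scan_date        # "Last Seen Date" refreshed on every sighting
        issue.is_poam = mode == "PoamCreation"
    return state


def demo():
    """Two consecutive scans from one source (constructed data), Consolidated + PoamCreation."""
    config = {"issueCreation": "Consolidated", "vulnerabilityCreation": "PoamCreation",
              "poamTitleType": "Cve"}
    state = State()
    first = [Finding("web-01", CVE_A, "10001"), Finding("web-02", CVE_A, "10001"),
             Finding("db-01", CVE_B, "10002")]
    import_scan(state, "Aqua", "2024-01-01", {"web-01", "web-02", "db-01"}, first, config)
    # Second scan: db-01 no longer appears at all, web-02 no longer has CVE_A
    second = [Finding("web-01", CVE_A, "10001")]
    import_scan(state, "Aqua", "2024-02-01", {"web-01", "web-02"}, second, config)
    return state


if __name__ == "__main__":
    for key, issue in demo().issues.items():
        print(key, issue.status, sorted(issue.assets), issue.last_seen, issue.is_poam)
```

Running demo() shows the three subsequent-scan rules at once: db-01 becomes Inactive, the CVE_B vulnerability and its consolidated issue close, and the CVE_A issue stays Open with its impacted assets shrunk to web-01 and its Last Seen Date moved forward. Because every record carries its source, a later import from a different scanner leaves these Aqua records untouched.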