
Wiz.io CLI

This CLI is provided to perform batch processing and orchestration of the Wiz.io Cloud-Native Application Protection Platform (CNAPP). It is designed to perform bulk processing of Wiz data to create, update, and otherwise sync with RegScale to allow for compliance automation reporting. The CLI currently supports the following functionalities:

  • authenticate - Authenticate with Wiz and get a JSON Web Token (JWT) for future requests to Wiz
  • inventory - syncs all Wiz entities into RegScale as assets
  • issues - syncs any identified problems as issues/POAMs to RegScale
  • sync_compliance - syncs compliance posture from Wiz to RegScale
  • attach_sbom - downloads an SBOM report from Wiz into your security plan

Permissions required from Wiz.io

This CLI functionality uses the Wiz API to pull issues and entities from Wiz. We require that the user sets up a service account with the following permissions:
create:reports read:all read:resources read:connectors read:outposts

read:sensors read:security_scans read:scanner_settings read:issue_settings read:users
read:service_accounts read:projects read:issues read:controls read:automation_actions
read:integrations read:action_templates read:reports read:inventory read:vulnerabilities
read:host_configuration read:cloud_accounts read:scan_policies read:security_settings
read:security_frameworks read:system_activities read:cloud_events read:cloud_event_rules
read:licenses read:kubernetes_clusters read:digital_trust_settings read:admission_controllers
read:custom_file_detection read:network_exposure create:reports update:reports write:reports

Update bash environment for CLI

# These environment variables can be made available to the CLI, OR the values can be passed as command line arguments.
export WizClientID='WIZ CLIENT ID'
export WizClientSecret='WIZ CLIENT SECRET'

init.yaml Configuration

There are multiple pieces of information needed to configure the Wiz.io integration via the CLI:

  • maxThreads - The total number of threads the application is allowed to use for bulk processing. The default value is 1000. (NOTE: Changing this number can have a negative or positive impact on performance.)
  • wizUrl - GraphQL endpoint for your Wiz.io instance
  • wizAuthUrl - URL for granting authentication tokens (default set in the example file, but government customers may require an alternate URL)
  • wizExcludes - flags the specific assets to exclude from syncing to RegScale. For each node, this is based on the entities[0]["name"] attribute.
  • issues: {wiz: {critical: 30, high: 90, medium: 90, low: 365, status: Open}} - number of days to add to today's date when setting due dates to RegScale issues based on Wiz severity and the status to use for a new RegScale issue.

Wiz Setup Workflow

  1. Get the Wiz URL.
    • Click the user profile icon in the top right, and navigate to "Tenant Info".
    • Copy and paste the API Endpoint URL from this page into the wizUrl field.
  2. Create a service account within Wiz.
    • Go to the search bar in the top right and enter "Service Accounts".
    • Add the service account, give read only permissions to the data you wish to retrieve, and copy and paste the client ID and client secret into the init.yaml file.
    • The wizAuthUrl is set by default for commercial customers, but you may need to change it if using a specific service such as GovCloud.
    • The wizExcludes flag lets you determine which assets you do not want to sync and will exclude them from processing.
    • Once done, you should have all configuration necessary to perform Wiz integrations using the RegScale CLI.

Issue Processing Workflow

The CLI currently supports processing Wiz issues. The issue processing workflow is shown below:

  • The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation.
  • The user then logs into Wiz using the Client ID and Client Secret to generate an access token with the appropriate scope (NOTE: The access token and scope are automatically generated from the Wiz authenticate CLI).
  • The user then calls the CLI to process Wiz issues while setting the following flags:
    • regscale_id - the ID # of the RegScale record associated with these issues
    • regscale_module - the RegScale module of the record associated with these issues; see RegScale Modules for options.
  • The CLI retrieves all existing issues in RegScale for the key value pair provided above.
  • The CLI then creates an automated report in Wiz, waits for it to update and retrieves all open issues in Wiz.io.
  • The CLI then processes through all retrieved Wiz issues and does the following:
    • Checks whether a RegScale issue already exists; if so, it updates it.
    • If no RegScale issue exists, it creates a new one.
  • The CLI then processes through all existing RegScale issues and sees if the Wiz.io issue still exists. If not, it has been remediated and the CLI closes the RegScale issue.

The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues.
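The reconciliation step of the issue workflow above (update matches, create missing issues, close remediated ones, with due dates taken from the init.yaml issues.wiz block), written out as an added illustration. This is not the RegScale CLI's own code; the issue records, the wiz_id link field and the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

# Mirrors the init.yaml block: issues -> wiz -> {critical, high, medium, low, status}
WIZ_ISSUE_CONFIG: Dict[str, object] = {
    "critical": 30, "high": 90, "medium": 90, "low": 365, "status": "Open",
}


@dataclass
class WizIssue:
    wiz_id: str
    title: str
    severity: str  # critical / high / medium / low


@dataclass
class RegScaleIssue:
    wiz_id: str          # assumed link field holding the originating Wiz issue id
    title: str
    severity: str
    status: str
    due_date: date
    parent_id: int       # --regscale_id
    parent_module: str   # --regscale_module


@dataclass
class ReconcileResult:
    created: List[RegScaleIssue] = field(default_factory=list)
    updated: List[RegScaleIssue] = field(default_factory=list)
    closed: List[RegScaleIssue] = field(default_factory=list)


def due_date_for(severity: str, today: date, config=WIZ_ISSUE_CONFIG) -> date:
    """Due date is today plus the day offset configured for the Wiz severity."""
    days = config.get(severity.lower())
    if not isinstance(days, int):
        raise ValueError(f"no due-date offset configured for severity {severity!r}")
    return today + timedelta(days=days)


def reconcile(wiz_issues: List[WizIssue], existing: List[RegScaleIssue],
              regscale_id: int, regscale_module: str, today: date,
              config=WIZ_ISSUE_CONFIG) -> ReconcileResult:
    """Update matches, create missing RegScale issues, close remediated ones."""
    by_wiz_id = {r.wiz_id: r for r in existing}
    result = ReconcileResult()
    still_open: Set[str] = set()
    for w in wiz_issues:
        still_open.add(w.wiz_id)
        current = by_wiz_id.get(w.wiz_id)
        if current is not None:
            # Wiz issue already tracked in RegScale: refresh its fields.
            current.title, current.severity = w.title, w.severity
            result.updated.append(current)
        else:
            # Not tracked yet: open a new RegScale issue under the target record.
            result.created.append(RegScaleIssue(
                wiz_id=w.wiz_id, title=w.title, severity=w.severity,
                status=str(config["status"]),
                due_date=due_date_for(w.severity, today, config),
                parent_id=regscale_id, parent_module=regscale_module))
    # A RegScale issue with no Wiz counterpart left has been remediated: close it.
    for r in existing:
        if r.wiz_id not in still_open and r.status != "Closed":
            r.status = "Closed"
            result.closed.append(r)
    return result


def demo(today: date = date(2024, 1, 1)) -> ReconcileResult:
    """Constructed sample data: one issue to update, one to create, one to close."""
    wiz = [WizIssue("W-1", "Public bucket", "critical"),
           WizIssue("W-2", "Unpatched VM", "high")]
    existing = [
        RegScaleIssue("W-1", "Public bucket", "high", "Open", today, 5, "securityplans"),
        RegScaleIssue("W-3", "Old finding", "low", "Open", today, 5, "securityplans"),
    ]
    return reconcile(wiz, existing, 5, "securityplans", today)
```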

Issue CLI Command Example

The following commands provide an example of processing Wiz issues for a given RegScale System Security Plan (SSP). These commands can be easily adapted for the customer's specific use case. The steps are shown below:

  • Log into RegScale to set the token, which is good for 24 hours, and will secure all future RegScale API calls. (NOTE: You can skip this step if you are using a RegScale Service Account)
regscale login
  • Authenticate to Wiz to get an access token for GraphQL calls.
regscale wiz authenticate
  • Process the appropriate level of issues for the given security plan.
regscale wiz issues --regscale_id=5  --regscale_module="securityplans"

Inventory Processing Workflow

The CLI currently supports processing Wiz entities as assets into RegScale. The inventory processing workflow is shown below:

  • The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation.
  • The user then logs into Wiz passing the Client ID and Client Secret to the command line to generate an access token with the appropriate scope (NOTE: The access token and scope are automatically generated from the Wiz authenticate CLI).
  • The user then calls the CLI to process Wiz inventory while setting the following flags:
    • regscale_id - the ID # of the RegScale record associated with these assets
    • regscale_module - the RegScale module of the record associated with these assets (OPTIONS - securityplans, supplychain, projects, policies, components)
  • The CLI then retrieves all existing assets in RegScale for the key value pair provided above.
  • The CLI then creates an automated report in Wiz, waits for it to update and retrieves all entities in Wiz.io using a user provided filter (see init.yaml below) or using a default filter.
  • The CLI then processes through all retrieved Wiz entities and does the following:
    • Checks whether a RegScale asset already exists; if so, it updates it.
    • If no RegScale asset exists, it creates a new one.

The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of any problems.

Inventory CLI Command Example

The following commands provide an example of processing Wiz entities for a given RegScale Security Plan. These commands can be easily adapted for the customer's specific use case. The steps are shown below:

  • Log into RegScale to set the token, which is good for 24 hours, and will secure all future RegScale API calls. (NOTE: You can skip this step if you are using a RegScale Service Account)
regscale login
  • Authenticate to Wiz to get an access token for GraphQL calls.
regscale wiz authenticate
  • Process assets for the given security plan.
regscale wiz inventory --regscale_id=5 --regscale_module="securityplans"

Several advanced features for the Wiz inventory integration are new in 5.31.0:

--filter_by_override: see below for possible values

--full_inventory: sync all cloud resources from Wiz into your security plan. If not passed, it defaults to false and uses the last inventory pull date recorded in the yaml file, syncing anything added in Wiz from that date forward.

regscale wiz inventory \
  --wiz_project_id="123,456" \
  --regscale_id=5 \
  --regscale_module="securityplans" \
  --filter_by_override='{projectId: ["1234"], type: ["VIRTUAL_MACHINE"], subscriptionExternalId: ["1234"], providerUniqueId: ["1234"], updatedAt: {after: "2023-06-14T14:07:06Z"}, search: "test-7"}' \
  --full_inventory

Filter parameters for inventory: the --filter_by_override JSON string may contain any of the following, but must include the projectID.

projectID [String!]

  • Description: Filter cloud resources by Wiz project ID. You can specify multiple values in an array.
  • Note: If no values are provided, then returns results from all projects.

type [Wiz GraphEntityTypeValue!]

  • Description: Filter cloud resources by specific entity types. You can specify multiple values in an array.
  • Possible values:
    • ACCESS_ROLE
    • ACCESS_ROLE_BINDING
    • ACCESS_ROLE_PERMISSION
    • API_GATEWAY
    • BACKUP_SERVICE
    • BUCKET
    • CDN
    • CICD_SERVICE
    • CLOUD_LOG_CONFIGURATION
    • CLOUD_ORGANIZATION
    • COMPUTE_INSTANCE_GROUP
    • CONFIG_MAP
    • CONTAINER
    • CONTAINER_GROUP
    • CONTAINER_IMAGE
    • CONTAINER_REGISTRY
    • CONTAINER_REPOSITORY
    • CONTAINER_SERVICE
    • CONTROLLER_REVISION
    • DAEMON_SET
    • DATABASE
    • DATA_WORKFLOW
    • DATA_WORKLOAD
    • DB_SERVER
    • DEPLOYMENT
    • DNS_RECORD
    • DNS_ZONE
    • DOMAIN
    • EMAIL_SERVICE
    • ENCRYPTION_KEY
    • FILE_SYSTEM_SERVICE
    • FIREWALL
    • GATEWAY
    • GOVERNANCE_POLICY
    • GOVERNANCE_POLICY_GROUP
    • KUBERNETES_CLUSTER
    • KUBERNETES_CRON_JOB
    • KUBERNETES_INGRESS
    • KUBERNETES_INGRESS_CONTROLLER
    • KUBERNETES_JOB
    • KUBERNETES_NETWORK_POLICY
    • KUBERNETES_NODE
    • KUBERNETES_PERSISTENT_VOLUME
    • KUBERNETES_PERSISTENT_VOLUME_CLAIM
    • KUBERNETES_POD_SECURITY_POLICY
    • KUBERNETES_SERVICE
    • KUBERNETES_STORAGE_CLASS
    • KUBERNETES_VOLUME
    • LOAD_BALANCER
    • MANAGEMENT_SERVICE
    • MANAGED_CERTIFICATE
    • MAP_REDUCE_CLUSTER
    • MESSAGING_SERVICE
    • MONITOR_ALERT
    • NAMESPACE
    • NETWORK_ADDRESS
    • NETWORK_INTERFACE
    • PEERING
    • POD
    • PRIVATE_ENDPOINT
    • PRIVATE_LINK
    • RAW_ACCESS_POLICY
    • REGISTERED_DOMAIN
    • REGION
    • REPLICA_SET
    • RESOURCE_GROUP
    • ROUTE_TABLE
    • SEARCH_INDEX
    • SECRET
    • SECRET_CONTAINER
    • SERVERLESS
    • SERVERLESS_PACKAGE
    • SERVICE_CONFIGURATION
    • SERVICE_USAGE_TECHNOLOGY
    • SNAPSHOT
    • STATEFUL_SET
    • STORAGE_ACCOUNT
    • SUBNET
    • SUBSCRIPTION
    • VIRTUAL_DESKTOP
    • VIRTUAL_MACHINE
    • VIRTUAL_MACHINE_IMAGE
    • VIRTUAL_NETWORK
    • VOLUME
    • WEB_SERVICE

search String

  • Description: Filter by free text search on cloud resource name.
  • Note: Returns NULL if no match is found.

subscriptionExternalId [String!]

  • Description: Filter cloud resources according to these external subscription IDs (AWS Account, Azure Subscription, GCP Project, and OCI Compartment). You can specify multiple values in an array.
  • Note: If no values are provided, then returns results from all external IDs.

providerUniqueId [String!]

  • Description: Filter cloud resources according to these cloud service provider unique IDs. You can specify multiple values in an array.
  • Note: If no values are provided, then returns results from all provider unique IDs.

updatedAt CloudResourcesDateFilters

  • Description: This object contains cloud resource date filters to narrow down your report results. Use to return cloud resources that were created or updated in the specified date period.
    • before DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)
    • after DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)

deletedAt CloudResourcesDateFilters

  • Description: This object contains cloud resource date filters to narrow down your report results. Use to return cloud resources that were deleted in the specified date period.
    • before DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)
    • after DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)
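An added helper (not part of the RegScale CLI) that checks a filter against the parameters documented above and renders it in the literal form used in the --filter_by_override command example: bare keys, JSON-quoted strings, nested before/after objects. Assumptions: the key is spelled projectId as in the command example, and the entity type set is abbreviated to a constructed subset of the documented list.

```python
import json
import re
from datetime import datetime
from typing import Any, Dict, List

# Subset of the documented `type` values (constructed abbreviation; extend with the full list above).
ALLOWED_TYPES = {
    "BUCKET", "CONTAINER", "CONTAINER_IMAGE", "DATABASE", "DB_SERVER", "KUBERNETES_CLUSTER",
    "POD", "SECRET", "SERVERLESS", "SUBNET", "VIRTUAL_MACHINE", "VIRTUAL_MACHINE_IMAGE",
    "VIRTUAL_NETWORK", "VOLUME", "WEB_SERVICE",
}
STRING_LIST_KEYS = {"projectId", "subscriptionExternalId", "providerUniqueId"}
DATE_FILTER_KEYS = {"updatedAt", "deletedAt"}
ISO_Z = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # yyyy-MM-dd'T'HH:mm:ss'Z'


def _check_date_filter(key: str, value: Any, errors: List[str]) -> None:
    """before/after bounds must be ISO 8601 UTC timestamps with a trailing Z."""
    if not isinstance(value, dict) or not value:
        errors.append(f"{key} must be an object with before and/or after")
        return
    for bound, ts in value.items():
        if bound not in ("before", "after"):
            errors.append(f"{key}.{bound} is not a valid bound (use before/after)")
        elif not isinstance(ts, str) or not ISO_Z.match(ts):
            errors.append(f"{key}.{bound} must look like 2023-06-14T14:07:06Z")
        else:
            try:  # regex passed; now reject impossible dates such as month 13
                datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                errors.append(f"{key}.{bound} is not a real calendar date/time")


def validate_filter(f: Dict[str, Any]) -> List[str]:
    """Return every problem found; an empty list means the filter is usable."""
    errors: List[str] = []
    if not f.get("projectId"):
        errors.append("projectId is required and must be a non-empty list")
    for key, value in f.items():
        if key in STRING_LIST_KEYS:
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                errors.append(f"{key} must be a list of strings")
        elif key == "type":
            if not isinstance(value, list):
                errors.append("type must be a list of entity type names")
            else:
                for t in value:
                    if t not in ALLOWED_TYPES:
                        errors.append(f"type value {t!r} is not a known entity type")
        elif key == "search":
            if not isinstance(value, str):
                errors.append("search must be a string")
        elif key in DATE_FILTER_KEYS:
            _check_date_filter(key, value, errors)
        else:
            errors.append(f"unknown filter parameter {key!r}")
    return errors


def render_literal(value: Any) -> str:
    """Render as the GraphQL-style literal the command example uses: bare keys, JSON-quoted strings."""
    if isinstance(value, dict):
        return "{" + ", ".join(f"{k}: {render_literal(v)}" for k, v in value.items()) + "}"
    if isinstance(value, list):
        return "[" + ", ".join(render_literal(v) for v in value) + "]"
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str):
        return json.dumps(value)
    return str(value)


def build_override(f: Dict[str, Any]) -> str:
    """Validate, then produce the string to pass to --filter_by_override."""
    errors = validate_filter(f)
    if errors:
        raise ValueError("; ".join(errors))
    return render_literal(f)


# The filter from the command example above, as a Python dict.
EXAMPLE_FILTER = {
    "projectId": ["1234"], "type": ["VIRTUAL_MACHINE"],
    "subscriptionExternalId": ["1234"], "providerUniqueId": ["1234"],
    "updatedAt": {"after": "2023-06-14T14:07:06Z"}, "search": "test-7",
}
```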

init.yaml Example

For a basic Wiz integration with RegScale, the following init.yaml structure is necessary (example/notional key structure shown below, replace with actual customer keys):

domain: https://mycompany.regscale.com
token: Bearer <RegScale JWT, set by 'regscale login'>
maxThreads: 1000
userId: c9f579e2-a8c9-4c02-8e91-ce122a1aa518
wizAccessToken: ztJhbGciOiTHUzI1NiIsInR5cCI5IkpXVCIsImtpZCI6IndJUnZwVWpBTU93WHQ5ZG5CXzRrVCU8.eyJodHRwczovL3dpei5pbyI6eyJ0ZW5hbnRJZCI6IjljZWQ3NmZjLTM3YjMtNDMxNy05OWQ3LTUwYjE1MDA4MDc3MiIsImVtYWlsIjoidGhvd2VydG9uQGMybGFicy5jb20iLCJkYXRhQ2VudGVyIjoidXM4IiwiaXNTZXJ2aWNlQWNjb3VudCI6dHJ1ZSwicHJvZHVjdElkcyI6WyIqIl19LCJpc3MiOiJodHRwczovL2F1dGgud2l6LmlvLyIsInN1YiI6InRGdzhWZVNnVnlsaTlXd0N4UkZCTDZzemZ6eW9DV3lzQGNsaWVudHMiLCJhdWQiOiJiZXlvbmQtYXBpIiwiaWF0IjoxNjQ0Nzg3NzM2LCJleHAiOjE2NDQ4NzQxMzYsImF6cCI6InRGdzhWZVNnVnlsaTlXd0N4UkZCTDZzemZ6eW9DV3lzIiwic2NvcGUiOiJjcmVhdGU6Y29udHJvbHMgY3JlYXRlOnNlY3VyaXR5X2ZyYW1ld29ya3MgZGVsZXRlOmNvbnRyb2xzIGRlbGV0ZTpzZWN1cml0eV9mcmFtZXdvcmtzIHJlYWQ6aXNzdWVzIHJlYWQ6Y29udHJvbHMgcmVhZDppbnZlbnRvcnkgcmVhZDp2dWxuZXJhYmlsaXRpZXMgcmVhZDpzZWN1cml0eV9mcmFtZXdvcmtzIHVwZGF0ZTppc3N1ZXMgdXBkYXRlOmNvbnRyb2xzIHVwZGF0ZTppbnZlbnRvcnkgdXBkYXRlOnNlY3VyaXR5X2ZyYW1ld29ya3MiLCJndHkiOiJjbGllbnQtY3JlZGVudGlhbHMiLCJwZXJtaXNzaW9ucyI6WyJjcmVhdGU6Y29udHJvbHMiLCJjcmVhdGU6c2VjdXJpdHlfZnJhbWV3b3JrcyIsImRlbGV0ZTpjb250cm9scyIsImRlbGV0ZTpzZWN1cml0eV9mcmFtZXdvcmtzIiwicmVhZDppc3N1ZXMiLCJyZWFkOmNvbnRyb2xzIiwicmVhZDppbnZlbnRvcnkiLCJyZWFkOnZ1bG5lcmFiaWxpdGllcyIsInJlYWQ6c2VjdXJpdHlfZnJhbWV3b3JrcyIsInVwZGF0ZTppc3N1ZXMiLCJ1cGRhdGU6Y29udHJvbHMiLCJ1cGRhdGU6aW52ZW50b3J5IiwidXBkYXRlOnNlY3VyaXR5X2ZyYW1ld29ya3MiXX0.ql8YFHdwbTkKkNjHxOSWvcsi9t7n1NeFQ4IXGP3-WGGwsPob14jK9_hLQpqYq9TF4lj_J82wGp57GHBN0VEc5E3sHW035ED4H8g9yxMRnCHgFuC9m8rTyIP6FKdxk8ttJ7nmNE5BVQAYAgpV0SeAUTiu0AD64s_2ocesfQ6P3pb_7xSsHsuU3ZzKLhZtvwcAjYbWXu2YAu9JXVci354m6e38ZVK7d8m5Tc0_lVCRHRsmVYgwBJKbvnGfP9czhZ7GVt9vxRxuJJu7jph-gXgbHj4ma6dQCIHLQ5-jEFSkHiQfVsVXD1McR1A2y80-ix7I8Ygj0nq-lQlEx3ADf-iBzQ
wizClientId: jth895StaYLli9WwCxRFBL6szfzyobeth
wizClientSecret: SarahLy58hzLvy37830TfpozrKpexLhaPcoGU2hY4fJiIBwVAelbTHkupjTdknox
wizScope: create:controls create:security_frameworks delete:controls delete:security_frameworks
  read:issues read:controls read:inventory read:vulnerabilities read:security_frameworks
  update:issues update:controls update:inventory update:security_frameworks
wizUrl: https://api.us7.app.wiz.io/graphql
wizAuthUrl: https://auth.wiz.io/oauth/token
wizStigMapperFile: /<file_path_to_file_sample>/<user>/artifacts/stig_mapper_rules.json
wizEntities:
-  API_GATEWAY
-  APPLICATION
-  BACKUP_SERVICE
-  BUCKET
-  CDN
-  CONTAINER
-  DATABASE
-  DB_SERVER
-  DOMAIN
-  POD
-  REGISTERED_DOMAIN
-  SWITCH
-  VIRTUAL_DESKTOP
-  VIRTUAL_MACHINE
-  VIRTUAL_MACHINE_IMAGE
-  VOLUME
-  WEB_SERVICE
wizInventoryReportId:
- 937a4c31-3036-4069-a35b-2efblah0880
- 19sklb70-5653-4a1f-bd2e-ed5612f8ec75
- a6booab07-888a-4e30-a286-fe8cb8e458f5
- 1a92d35e-e9ad-421d-b55d-275wsa1150
wizIssuesReportId:
  last_seen: '2023-01-23 08:22:12'
  report_id: 63asaq6f-d361-415f-b68b-6dfewb9883f
wizExcludes: Azure AD Builtin Application Service Principal, Azure Active Directory (AAD) User
issues:
  wiz:
    critical: 30
    high: 90
    low: 365
    medium: 90
    status: Open

NOTE: The wizScope and wizAccessToken will auto-populate after you authenticate to Wiz via the CLI.

Building a Bash Script to Execute the CLI

You can chain together RegScale CLI commands using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example Bash file (named "regscaleScheduler.sh") in Ubuntu for executing the Wiz CLI that pulls all issues and inventory after authenticating and assigns them to a specific Security Plan in RegScale:

#!/bin/sh
# Wiz will now authenticate for a fresh token on every execution of the issues or inventory functions.
regscale wiz issues --regscale_id=5  --regscale_module="securityplans"
regscale wiz inventory --regscale_id=5 --regscale_module="securityplans"

To execute the Bash file, run this command: . regscaleScheduler.sh. You can chain together any arbitrary set of CLI commands to have them execute sequentially.

sync_compliance - Sync compliance posture from Wiz to RegScale

regscale wiz sync_compliance --help

Usage: regscale wiz sync_compliance [OPTIONS]

Sync compliance posture from Wiz to RegScale

Options:
-p, --wiz_project_id TEXT Enter the Wiz Project ID. Options include:
projects, policies, supplychain,
securityplans, components. [required]
--regscale_id INTEGER RegScale will create and update issues as
children of this record. [required]
--regscale_module TEXT Enter the RegScale module name.

                              RegScale Module                   Accepted Value
                              Assessment                      | assessments
                              Asset                           | assets
                              Case                            | cases
                              Catalogue                       | catalogues
                              Causal Analysis                 | causalanalysis
                              Component                       | components
                              Data Call                       | datacalls
                              Exception                       | exceptions
                              Incident                        | incidents
                              Interconnect                    | interconnects
                              Issue(POAM)                     | issues
                              Policy                          | policies
                              Project                         | projects
                              Questionnaire                   | questionnaires
                              Requirement                     | requirements
                              Risk                            | risks
                              Security Control                | securitycontrols
                              Security Control Implementation | controls
                              Security Plan                   | securityplans
                              Security Profile                | profiles
                              Supply Chain(Contract)          | supplychain
                              Task                            | tasks
                              Threat                          | threats
                              [required]

-i, --client_id TEXT Wiz Client ID. Can also be set as an
environment variable: WIZ_CLIENT_ID
-s, --client_secret TEXT Wiz Client Secret. Can also be set as an
environment variable: WIZ_CLIENT_SECRET
-c, --catalog_id TEXT RegScale Catalog ID for the selected
framework. [required]
-f, --framework [CSF|NIST800-53R5|NIST800-53R4]
Choose either one of the Frameworks
[required]
-n, --include_not_implemented Include not implemented controls
--help Show this message and exit.

attach_sbom Command Documentation

Overview

The attach_sbom command is a CLI (Command-Line Interface) tool for attaching a Software Bill of Materials (SBOM) report to a parent asset or System Security Plan (SSP) using Wiz reports. This command can be executed as part of the Wiz CLI to interact with Wiz's API for retrieving SBOM reports.

Command

wiz attach_sbom

Options

--client_id, -ci

  • Description: The Wiz Client ID. Can also be set as an environment variable WizClientID.
  • Usage:
    • If the --client_id is not provided, the command will use the environment variable WizClientID if set.
  • Type: str
  • Required: False
  • Default: Value of the WizClientID environment variable.
  • Example:
    --client_id YOUR_CLIENT_ID
    

--client_secret, -cs

  • Description: The Wiz Client Secret. Can also be set as an environment variable WizClientSecret.
  • Usage:
    • If the --client_secret is not provided, the command will use the environment variable WizClientSecret if set.
    • Input is hidden for security.
  • Type: str
  • Required: False
  • Default: Value of the WizClientSecret environment variable.
  • Example:
    --client_secret YOUR_CLIENT_SECRET
    

--parent_id, -pid

  • Description: The ID of the parent asset or System Security Plan (SSP).
  • Type: str
  • Required: True
  • Example:
    --parent_id YOUR_PARENT_ASSET_OR_SSP_ID
    

--report_id, -r

  • Description: The Wiz report ID.
  • Type: str
  • Required: True
  • Example:
    --report_id YOUR_WIZ_REPORT_ID
    

--standard, -s

  • Description: The SBOM standard. Can be either CycloneDX or SPDX. Defaults to CycloneDX.
  • Type: str
  • Required: False
  • Default: CycloneDX
  • Example:
    --standard SPDX
    

Function: attach_sbom

Parameters:

  • client_id (str): Wiz Client ID.
  • client_secret (str): Wiz Client Secret.
  • parent_id (str): The ID of the parent SSP.
  • report_id (str): The Wiz report ID.
  • standard (str, optional): The SBOM standard (default is CycloneDX).

Description:

This function performs the following actions:

  1. Authenticates to Wiz using the provided client_id and client_secret.
  2. Fetches the SBOM report identified by report_id.
  3. Attaches the report to the evidence locker for the given parent_id.

Usage Example:

wiz attach_sbom --client_id YOUR_CLIENT_ID --client_secret YOUR_CLIENT_SECRET --parent_id YOUR_PARENT_ASSET_OR_SSP_ID --report_id YOUR_WIZ_REPORT_ID --standard SPDX

This command will authenticate with Wiz using the provided credentials, fetch the SBOM report in SPDX or CycloneDX format, and attach it to the specified parent SSP.

New in version 5.73.0: the wizStigMapperFile setting in init.yaml allows mapping STIGs to assets.

STIG Mapper Module Documentation

Overview

The STIGMapper module is designed to map Security Technical Implementation Guides (STIGs) to assets using a predefined set of rules. It utilizes string comparison functions to check asset properties and determine which assets should be associated with each STIG.

To use the STIG mapper with the scanner integration, add a variable to init.yaml like the one used for Wiz:

wizStigMapperFile: /<file_path_to>/stig_mapper_rules.json

Dependencies

The module relies on:

  • json: For loading rules from a JSON file.

Functions

comparator_functions

A dictionary that holds all the comparison functions used for evaluating string values based on operators.

Available operators and their corresponding functions:

  • equals: Checks if two strings are equal.
  • contains: Checks if one string contains another.
  • startswith: Checks if one string starts with another.
  • notin: Checks if one string does not contain another.
  • endswith: Checks if one string ends with another.
  • gt: Checks if one string is greater than another.
  • lt: Checks if one string is less than another.
  • gte: Checks if one string is greater than or equal to another.
  • lte: Checks if one string is less than or equal to another.
  • ne: Checks if two strings are not equal.
  • in: Checks if a string is present in another.
  • nin: Checks if a string is not present in another.

Mappable Asset properties

Required Properties

  • id (int)
  • name (str)
  • assetType (Union[AssetType, str])
  • status (Union[AssetStatus, str])
  • assetCategory (Union[AssetCategory, str])
  • parentId (int)
  • parentModule (str)
  • isPublic (bool)
  • assetOwnerId (str)
  • dateCreated (str)
  • dateLastUpdated (str)

Optional Properties

  • otherTrackingNumber (Optional[str])
  • ram (Optional[int])
  • location (Optional[str])
  • diagramLevel (Optional[str])
  • cpu (Optional[int])
  • description (Optional[str])
  • diskStorage (Optional[int])
  • ipAddress (Optional[str])
  • macAddress (Optional[str])
  • manufacturer (Optional[str])
  • model (Optional[str])
  • osVersion (Optional[str])
  • operatingSystem (Optional[str])
  • uuid (Optional[str])
  • serialNumber (Optional[str])
  • createdById (Optional[str])
  • lastUpdatedById (Optional[str])
  • endOfLifeDate (Optional[str])
  • purchaseDate (Optional[str])
  • tenantsId (Optional[int])
  • facilityId (Optional[int])
  • orgId (Optional[int])
  • cmmcAssetType (Optional[str])
  • wizId (Optional[str])
  • wizInfo (Optional[str])
  • assetTagNumber (Optional[str])
  • baselineConfiguration (Optional[str])
  • fqdn (Optional[str])
  • netBIOS (Optional[str])
  • softwareName (Optional[str])
  • softwareVendor (Optional[str])
  • softwareVersion (Optional[str])
  • softwareAcronym (Optional[str])
  • vlanId (Optional[str])
  • bAuthenticatedScan (Optional[bool])
  • bPublicFacing (Optional[bool])
  • bVirtual (Optional[bool])
  • notes (Optional[str])
  • patchLevel (Optional[str])
  • softwareFunction (Optional[str])
  • systemAdministratorId (Optional[str])
  • bLatestScan (Optional[bool])
  • managementType (Optional[str])
  • qualysId (Optional[str])
  • sicuraId (Optional[Union[str, int]])
  • tenableId (Optional[str])
  • firmwareVersion (Optional[str])
  • purpose (Optional[str])
  • awsIdentifier (Optional[str])
  • azureIdentifier (Optional[str])
  • googleIdentifier (Optional[str])
  • otherCloudIdentifier (Optional[str])
  • iPv6Address (Optional[str])
  • scanningTool (Optional[str])
  • uri (Optional[str])
  • bScanDatabase (Optional[bool])
  • bScanInfrastructure (Optional[bool])
  • bScanWeb (Optional[bool])
  • cpe (Optional[str])
  • dadmsId (Optional[str])
  • approvalStatus (Optional[str])
  • processStatus (Optional[str])
  • networkApproval (Optional[str])
  • lastDateAllowed (Optional[str])
  • bFamAccepted (Optional[bool])
  • bExternallyAuthorized (Optional[bool])


If the wizStigMapperFile variable in your init.yaml points to a rules file like the one below, the STIGMapper module will automatically map new assets that match these rules to STIGs.

{
    "rules": [
        {"stig": "Windows 2012 Configuration STIG",
            "comparators": [
                {"comparator": "contains", "value": "Windows 2012", "property": "name"},
                {"comparator": "notin", "value": "Windows 2012 Account Access Group", "property": "name"}
            ]
        },
        {"stig": "Windows 7 Server STIG",
            "comparators": [
                {"comparator": "contains", "value": "Windows 7 Server", "property": "name"},
                {"comparator": "notin", "value": "Workstation", "property": "name"}
            ]
        },
        {"stig": "Network Security STIG",
            "comparators": [
                {"comparator": "startswith", "value": "Kubernetes", "property": "name"},
                {"comparator": "endswith", "value": "Security", "property": "name"}
            ]
        },
        {"stig": "AI Stig",
            "comparators": [
                {"comparator": "equals", "value": "regml-container", "property": "name"}
            ]
        }
    ]
}
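An added, self-contained re-implementation of the comparator table and rule evaluation described under Functions above, run against a constructed copy of the rules file just shown; it is not the STIGMapper module's own code. Two points are assumptions of this example: the operand order (the asset property is the left operand, the rule value the right), and that every comparator in a rule must hold for the STIG to apply, which is what the contains/notin pairs in the sample rules imply.

```python
import json
from typing import Any, Callable, Dict, List

# Comparator table using the operator names documented above. Operand order is this
# example's assumption: `prop` is the asset's property value, `value` the rule's value.
comparator_functions: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda prop, value: prop == value,
    "ne": lambda prop, value: prop != value,
    "contains": lambda prop, value: value in prop,
    "notin": lambda prop, value: value not in prop,
    "startswith": lambda prop, value: prop.startswith(value),
    "endswith": lambda prop, value: prop.endswith(value),
    "in": lambda prop, value: prop in value,
    "nin": lambda prop, value: prop not in value,
    "gt": lambda prop, value: prop > value,    # plain string ordering, as documented
    "lt": lambda prop, value: prop < value,
    "gte": lambda prop, value: prop >= value,
    "lte": lambda prop, value: prop <= value,
}

# Constructed copy of the rules file shown above (what wizStigMapperFile would point to).
RULES_JSON = """
{"rules": [
  {"stig": "Windows 2012 Configuration STIG", "comparators": [
    {"comparator": "contains", "value": "Windows 2012", "property": "name"},
    {"comparator": "notin", "value": "Windows 2012 Account Access Group", "property": "name"}]},
  {"stig": "Windows 7 Server STIG", "comparators": [
    {"comparator": "contains", "value": "Windows 7 Server", "property": "name"},
    {"comparator": "notin", "value": "Workstation", "property": "name"}]},
  {"stig": "Network Security STIG", "comparators": [
    {"comparator": "startswith", "value": "Kubernetes", "property": "name"},
    {"comparator": "endswith", "value": "Security", "property": "name"}]},
  {"stig": "AI Stig", "comparators": [
    {"comparator": "equals", "value": "regml-container", "property": "name"}]}
]}
"""


def load_rules(text: str) -> List[Dict[str, Any]]:
    """Parse the rules file and reject unknown operators before any asset is evaluated."""
    rules = json.loads(text)["rules"]
    for rule in rules:
        for c in rule["comparators"]:
            if c["comparator"] not in comparator_functions:
                raise ValueError(f"rule {rule['stig']!r}: unknown comparator {c['comparator']!r}")
    return rules


def rule_matches(rule: Dict[str, Any], asset: Dict[str, Any]) -> bool:
    """Every comparator in a rule must hold (AND); a missing property never matches."""
    for c in rule["comparators"]:
        prop = asset.get(c["property"])
        if prop is None:
            return False
        if not comparator_functions[c["comparator"]](str(prop), str(c["value"])):
            return False
    return True


def map_stigs(asset: Dict[str, Any], rules: List[Dict[str, Any]]) -> List[str]:
    """Return the STIG names whose rules all hold for this asset."""
    return [rule["stig"] for rule in rules if rule_matches(rule, asset)]
```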


NOTE: See All Scanner Integrations for information about how this updates Issues/POAMs