Wiz
Wiz.io CLI
This CLI is provided to perform batch processing and orchestration of the Wiz.io Cloud-Native Application Protection Platform (CNAPP). It is designed to perform bulk processing of Wiz data to create, update, and otherwise sync with RegScale to allow for compliance automation reporting. The CLI currently supports the following functionalities:
- authenticate - Authenticate with Wiz and get a JSON Web Token (JWT) for future requests to Wiz
- add_report_evidence - downloads a Wiz report by ID and attaches it to Evidence
- inventory - syncs all Wiz entities into RegScale as assets
- issues - syncs any identified problems as issues/POAMs to RegScale
- sync_compliance - syncs compliance posture from Wiz to RegScale
- threats - process threats from Wiz (Coming soon)
- vulnerabilities - process vulnerabilities from Wiz
- attach_sbom - downloads an SBOM report from Wiz into your security plan
Permissions required from Wiz.io
This CLI functionality uses the Wiz API to pull issues and entities from Wiz. We require that the user sets up a service account with the following permissions:
create:reports read:all read:resources read:connectors read:outposts
read:sensors read:security_scans read:scanner_settings read:issue_settings read:users
read:service_accounts read:projects read:issues read:controls read:automation_actions
read:integrations read:action_templates read:reports read:inventory read:vulnerabilities
read:host_configuration read:cloud_accounts read:scan_policies read:security_settings
read:security_frameworks read:system_activities read:cloud_events read:cloud_event_rules
read:licenses read:kubernetes_clusters read:digital_trust_settings read:admission_controllers
read:custom_file_detection read:network_exposure create:reports update:reports write:reports
Update bash environment for CLI
# Set these in the environment so the CLI can pick them up, OR pass the values as command-line arguments.
# Both values are secrets: keep them out of version control and shared shell history.
# (The sync_compliance --help text names the variables WIZ_CLIENT_ID / WIZ_CLIENT_SECRET; check --help for the command you run.)
export WizClientID='WIZ CLIENT ID'
export WizClientSecret='WIZ CLIENT SECRET'
init.yaml Configuration
There are multiple pieces of information needed to configure the Wiz.io integration via the CLI:
- maxThreads - The total number of threads the application is allowed to use for bulk processing. The default value is 1000. (NOTE: Changing this number can have a negative or positive impact on performance.)
- wizUrl - GraphQL endpoint for your Wiz.io instance
- wizAuthUrl - URL for granting authentication tokens (default set in the example file, but government customers may require an alternate URL)
- wizExcludes - flags the specific assets to exclude from syncing to RegScale. For each node, this is based on the entities[0]["name"] attribute.
- issues: {wiz: {critical: 30, high: 90, medium: 90, low: 365, status: Open}} - number of days to add to today's date when setting due dates on RegScale issues, keyed by Wiz severity, and the status to use for a new RegScale issue.
Wiz Setup Workflow
- Get the Wiz URL.
  - Click the user profile icon in the top right, and navigate to "Tenant Info".
  - Copy and paste the API Endpoint URL from this page into the wizUrl field.
- Create a service account within Wiz.
  - Go to the search bar in the top right and enter "Service Accounts".
  - Add the service account, grant it the permissions listed above (the read scopes plus create:reports, update:reports and write:reports, since the CLI creates Wiz reports), and copy and paste the client ID and client secret into the init.yaml file.
- The wizAuthUrl is set by default for commercial customers, but you may need to change it if using a specific service such as GovCloud.
- The wizExcludes flag lets you determine which assets you do not want to sync and will exclude them from processing.
- Once done, you should have all configuration necessary to perform Wiz integrations using the RegScale CLI.
Issue Processing Workflow
The CLI currently supports processing Wiz issues. The issue processing workflow is shown below:
- The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation.
- The user then logs into Wiz using the Client ID and Client Secret to generate an access token with the appropriate scope (NOTE: The access token and scope are automatically generated from the Wiz authenticate CLI).
- The user then calls the CLI to process Wiz issues while setting the following flags:
  - regscale_id - the ID # of the RegScale record associated with these issues
  - regscale_module - the RegScale module of the record associated with these issues; please view RegScale Modules for options.
- The CLI retrieves all existing issues in RegScale for the key value pair provided above.
- The CLI then creates an automated report in Wiz, waits for it to update and retrieves all open issues in Wiz.io.
- The CLI then processes through all retrieved Wiz issues and does the following:
- Sees if a RegScale issue already exists, if so, it updates it.
- If no RegScale issue exists, it creates a new one.
- The CLI then processes through all existing RegScale issues and sees if the Wiz.io issue still exists. If not, it has been remediated and the CLI closes the RegScale issue.
The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues.
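The create/update/close decisions in the workflow above, as an added example that is not the RegScale CLI's own implementation. It takes the open issues returned by a Wiz report and the issues RegScale already holds for a record, updates the ones already tracked, creates new ones with status and due date taken from the init.yaml issues.wiz block (days added to today per severity), and closes RegScale issues whose Wiz issue is gone. The record fields (wizId, severity, status, dueDate) and the sample data are assumptions and constructed data, not the real RegScale schema.

```python
"""Illustrate the issue sync decisions described above.

Added example, not the RegScale CLI's own implementation. The record fields
(wizId, severity, status, dueDate) and the sample data are assumptions and
constructed data, not the real RegScale schema.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Mirrors the init.yaml block:  issues: {wiz: {critical: 30, high: 90, medium: 90, low: 365, status: Open}}
SEVERITY_DAYS = {"critical": 30, "high": 90, "medium": 90, "low": 365}
NEW_ISSUE_STATUS = "Open"


def due_date(severity: str, today: date) -> str:
    """today + configured days for this Wiz severity, as an ISO date. Unknown severities raise KeyError on purpose."""
    return (today + timedelta(days=SEVERITY_DAYS[severity.lower()])).isoformat()


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)
    update: list = field(default_factory=list)
    close: list = field(default_factory=list)


def reconcile(wiz_issues: list, regscale_issues: list, today: date) -> SyncPlan:
    """Match on the Wiz issue id stored in the RegScale issue's wizId field (assumed field name)."""
    existing = {r["wizId"]: r for r in regscale_issues if r.get("wizId")}
    plan, seen = SyncPlan(), set()
    for w in wiz_issues:
        seen.add(w["id"])
        if w["id"] in existing:
            # Already tracked: refresh title and severity on the existing RegScale record.
            plan.update.append(dict(existing[w["id"]], title=w["title"], severity=w["severity"]))
        else:
            # New finding: open it with the configured status and a severity-based due date.
            plan.create.append({
                "wizId": w["id"], "title": w["title"], "severity": w["severity"],
                "status": NEW_ISSUE_STATUS, "dueDate": due_date(w["severity"], today),
            })
    # Still tracked in RegScale but no longer reported by Wiz: remediated, so close it (idempotent on re-runs).
    for wiz_id, rec in existing.items():
        if wiz_id not in seen and rec.get("status") != "Closed":
            plan.close.append(dict(rec, status="Closed"))
    return plan


# Constructed sample records (not real Wiz or RegScale data).
SAMPLE_WIZ_ISSUES = [
    {"id": "wiz-1", "title": "Publicly readable bucket", "severity": "CRITICAL"},
    {"id": "wiz-3", "title": "Unencrypted volume", "severity": "low"},
]
SAMPLE_REGSCALE_ISSUES = [
    {"id": 101, "wizId": "wiz-1", "title": "Public bucket", "severity": "HIGH", "status": "Open"},
    {"id": 102, "wizId": "wiz-2", "title": "Stale finding", "severity": "medium", "status": "Open"},
    {"id": 103, "wizId": "wiz-9", "title": "Already closed", "severity": "low", "status": "Closed"},
    {"id": 104, "title": "Manually entered POAM", "severity": "low", "status": "Open"},  # no wizId: never touched
]


def sample_plan() -> SyncPlan:
    """Run the reconciliation on the constructed data with a fixed 'today'."""
    return reconcile(SAMPLE_WIZ_ISSUES, SAMPLE_REGSCALE_ISSUES, date(2023, 1, 1))


if __name__ == "__main__":
    p = sample_plan()
    print(f"create {len(p.create)}, update {len(p.update)}, close {len(p.close)}")
```

Note that a RegScale issue without a wizId (a manually entered POAM) is left alone; only issues the sync itself created are ever closed by it.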
Issue CLI Command Example
The following commands provide an example of processing Wiz issues for a given RegScale System Security Plan (SSP). These commands can be easily adapted for the customer's specific use case. The steps are shown below:
- Log into RegScale to set the token, which is good for 24 hours, and will secure all future RegScale API calls. (NOTE: You can skip this step if you are using a RegScale Service Account)
regscale login
- Authenticate to Wiz to get an access token for GraphQL calls.
regscale wiz authenticate
- Process the appropriate level of issues for the given security plan.
regscale wiz issues --regscale_id=5 --regscale_module="securityplans"
Inventory Processing Workflow
The CLI currently supports processing Wiz entities as assets into RegScale. The inventory processing workflow is shown below:
- The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation.
- The user then logs into Wiz passing the Client ID and Client Secret to the command line to generate an access token with the appropriate scope (NOTE: The access token and scope are automatically generated from the Wiz authenticate CLI).
- The user then calls the CLI to process Wiz inventory while setting the following flags:
  - regscale_id - the ID # of the RegScale record associated with these assets
  - regscale_module - the RegScale module of the record associated with these assets (OPTIONS - securityplans, supplychain, projects, policies, components)
- The CLI then retrieves all existing assets in RegScale for the key value pair provided above.
- The CLI then creates an automated report in Wiz, waits for it to update and retrieves all entities in Wiz.io using a user provided filter (see init.yaml below) or using a default filter.
- The CLI then processes through all retrieved Wiz entities and does the following:
- Sees if a RegScale asset already exists, if so, it updates it.
- If no RegScale asset exists, it creates a new one.
The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of any problems.
Inventory CLI Command Example
The following commands provide an example of processing Wiz entities for a given RegScale Security Plan. These commands can be easily adapted for the customer's specific use case. The steps are shown below:
- Log into RegScale to set the token, which is good for 24 hours, and will secure all future RegScale API calls. (NOTE: You can skip this step if you are using a RegScale Service Account)
regscale login
- Authenticate to Wiz to get an access token for GraphQL calls.
regscale wiz authenticate
- Process assets for the given security plan.
regscale wiz inventory --regscale_id=5 --regscale_module="securityplans"
Several advanced features are available for the Wiz inventory integration, new in 5.31.0:
- --filter_by_override: a filter object applied to the Wiz cloud-resource report (see the parameter list below for possible values)
- --full_inventory: sync all cloud resources from Wiz into your security plan. If not passed, it defaults to false and the CLI uses the last inventory pull date stored in the yaml file, syncing anything added in Wiz from that date forward.
regscale wiz inventory \
--wiz_project_id="123,456" \
--regscale_id=5 \
--regscale_module="securityplans" \
--filter_by_override='{projectId: ["1234"], type: ["VIRTUAL_MACHINE"], subscriptionExternalId: ["1234"], providerUniqueId: ["1234"], updatedAt: {after: "2023-06-14T14:07:06Z"}, search: "test-7"}' \
--full_inventory
Filter Parameters for Inventory
The filter_by_override JSON string may contain any of the following keys, but must include projectId (written projectId, as in the command above).
projectId: [String!]
- Description: Filter cloud resources by Wiz project ID. You can specify multiple values in an array.
- Note (Wiz API behaviour): if no values are provided, results from all projects are returned; the CLI nonetheless requires the key.
type: [Wiz GraphEntityTypeValue!]
- Description: Filter cloud resources by specific entity types. You can specify multiple values in an array.
- Possible values:
- ACCESS_ROLE
- ACCESS_ROLE_BINDING
- ACCESS_ROLE_PERMISSION
- API_GATEWAY
- BACKUP_SERVICE
- BUCKET
- CDN
- CICD_SERVICE
- CLOUD_LOG_CONFIGURATION
- CLOUD_ORGANIZATION
- COMPUTE_INSTANCE_GROUP
- CONFIG_MAP
- CONTAINER
- CONTAINER_GROUP
- CONTAINER_IMAGE
- CONTAINER_REGISTRY
- CONTAINER_REPOSITORY
- CONTAINER_SERVICE
- CONTROLLER_REVISION
- DAEMON_SET
- DATABASE
- DATA_WORKFLOW
- DATA_WORKLOAD
- DB_SERVER
- DEPLOYMENT
- DNS_RECORD
- DNS_ZONE
- DOMAIN
- EMAIL_SERVICE
- ENCRYPTION_KEY
- FILE_SYSTEM_SERVICE
- FIREWALL
- GATEWAY
- GOVERNANCE_POLICY
- GOVERNANCE_POLICY_GROUP
- KUBERNETES_CLUSTER
- KUBERNETES_CRON_JOB
- KUBERNETES_INGRESS
- KUBERNETES_INGRESS_CONTROLLER
- KUBERNETES_JOB
- KUBERNETES_NETWORK_POLICY
- KUBERNETES_NODE
- KUBERNETES_PERSISTENT_VOLUME
- KUBERNETES_PERSISTENT_VOLUME_CLAIM
- KUBERNETES_POD_SECURITY_POLICY
- KUBERNETES_SERVICE
- KUBERNETES_STORAGE_CLASS
- KUBERNETES_VOLUME
- LOAD_BALANCER
- MANAGEMENT_SERVICE
- MANAGED_CERTIFICATE
- MAP_REDUCE_CLUSTER
- MESSAGING_SERVICE
- MONITOR_ALERT
- NAMESPACE
- NETWORK_ADDRESS
- NETWORK_INTERFACE
- PEERING
- POD
- PRIVATE_ENDPOINT
- PRIVATE_LINK
- RAW_ACCESS_POLICY
- REGISTERED_DOMAIN
- REGION
- REPLICA_SET
- RESOURCE_GROUP
- ROUTE_TABLE
- SEARCH_INDEX
- SECRET
- SECRET_CONTAINER
- SERVERLESS
- SERVERLESS_PACKAGE
- SERVICE_CONFIGURATION
- SERVICE_USAGE_TECHNOLOGY
- SNAPSHOT
- STATEFUL_SET
- STORAGE_ACCOUNT
- SUBNET
- SUBSCRIPTION
- VIRTUAL_DESKTOP
- VIRTUAL_MACHINE
- VIRTUAL_MACHINE_IMAGE
- VIRTUAL_NETWORK
- VOLUME
- WEB_SERVICE
search: String
- Description: Filter by free text search on cloud resource name.
- Note: Returns NULL if no match is found.
subscriptionExternalId: [String!]
- Description: Filter cloud resources according to these external subscription IDs (AWS Account, Azure Subscription, GCP Project, and OCI Compartment). You can specify multiple values in an array.
- Note: If no values are provided, then returns results from all external IDs.
providerUniqueId: [String!]
- Description: Filter cloud resources according to these cloud service provider unique IDs. You can specify multiple values in an array.
- Note: If no values are provided, then returns results from all provider unique IDs.
updatedAt: CloudResourcesDateFilters
- Description: This object contains cloud resource date filters to narrow down your report results. Use to return cloud resources that were created or updated in the specified date period.
- before: DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)
- after: DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)
deletedAt: CloudResourcesDateFilters
- Description: This object contains cloud resource date filters to narrow down your report results. Use to return cloud resources that were deleted in the specified date period.
- before: DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)
- after: DateTime (Format: yyyy-MM-dd'T'HH:mm:ss'Z' - ISO 8601)
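A pre-flight check for a --filter_by_override value, added here as an example and not part of the RegScale CLI or the Wiz API. It validates a filter against the parameter list above (projectId required, type values limited to the documented GraphEntityTypeValues, updatedAt/deletedAt windows in ISO 8601 yyyy-MM-dd'T'HH:mm:ss'Z' with after earlier than before, unknown keys rejected so a typo such as projectID does not silently widen the report) and renders the dict in the unquoted-key object-literal form the command line above uses. The sample filters are constructed; the IDs are not real.

```python
"""Validate a --filter_by_override object before handing it to the CLI.

Added example, not part of the RegScale CLI or the Wiz API. Sample filters
below are constructed, not real project or subscription IDs.
"""
from datetime import datetime

# The documented GraphEntityTypeValue list, copied from this page.
ENTITY_TYPES = frozenset("""
ACCESS_ROLE ACCESS_ROLE_BINDING ACCESS_ROLE_PERMISSION API_GATEWAY BACKUP_SERVICE BUCKET CDN
CICD_SERVICE CLOUD_LOG_CONFIGURATION CLOUD_ORGANIZATION COMPUTE_INSTANCE_GROUP CONFIG_MAP CONTAINER
CONTAINER_GROUP CONTAINER_IMAGE CONTAINER_REGISTRY CONTAINER_REPOSITORY CONTAINER_SERVICE
CONTROLLER_REVISION DAEMON_SET DATABASE DATA_WORKFLOW DATA_WORKLOAD DB_SERVER DEPLOYMENT DNS_RECORD
DNS_ZONE DOMAIN EMAIL_SERVICE ENCRYPTION_KEY FILE_SYSTEM_SERVICE FIREWALL GATEWAY GOVERNANCE_POLICY
GOVERNANCE_POLICY_GROUP KUBERNETES_CLUSTER KUBERNETES_CRON_JOB KUBERNETES_INGRESS
KUBERNETES_INGRESS_CONTROLLER KUBERNETES_JOB KUBERNETES_NETWORK_POLICY KUBERNETES_NODE
KUBERNETES_PERSISTENT_VOLUME KUBERNETES_PERSISTENT_VOLUME_CLAIM KUBERNETES_POD_SECURITY_POLICY
KUBERNETES_SERVICE KUBERNETES_STORAGE_CLASS KUBERNETES_VOLUME LOAD_BALANCER MANAGEMENT_SERVICE
MANAGED_CERTIFICATE MAP_REDUCE_CLUSTER MESSAGING_SERVICE MONITOR_ALERT NAMESPACE NETWORK_ADDRESS
NETWORK_INTERFACE PEERING POD PRIVATE_ENDPOINT PRIVATE_LINK RAW_ACCESS_POLICY REGISTERED_DOMAIN REGION
REPLICA_SET RESOURCE_GROUP ROUTE_TABLE SEARCH_INDEX SECRET SECRET_CONTAINER SERVERLESS SERVERLESS_PACKAGE
SERVICE_CONFIGURATION SERVICE_USAGE_TECHNOLOGY SNAPSHOT STATEFUL_SET STORAGE_ACCOUNT SUBNET SUBSCRIPTION
VIRTUAL_DESKTOP VIRTUAL_MACHINE VIRTUAL_MACHINE_IMAGE VIRTUAL_NETWORK VOLUME WEB_SERVICE
""".split())

LIST_KEYS = {"projectId", "type", "subscriptionExternalId", "providerUniqueId"}
DATE_KEYS = {"updatedAt", "deletedAt"}
ALLOWED_KEYS = LIST_KEYS | DATE_KEYS | {"search"}
ISO_Z = "%Y-%m-%dT%H:%M:%SZ"  # yyyy-MM-dd'T'HH:mm:ss'Z'


def _parse_iso_z(value):
    """Return a datetime for an exact yyyy-MM-dd'T'HH:mm:ss'Z' string, else None."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, ISO_Z)
    except ValueError:
        return None


def validate_filter(f: dict) -> list:
    """Return a list of problems; an empty list means the filter is well-formed."""
    errors = [f"unknown key {k!r}" for k in f if k not in ALLOWED_KEYS]
    if not f.get("projectId"):
        errors.append("projectId is required and must be a non-empty list")
    for key in sorted(LIST_KEYS & f.keys()):
        v = f[key]
        if not isinstance(v, list) or not all(isinstance(x, str) and x for x in v):
            errors.append(f"{key} must be a list of non-empty strings")
    types = f.get("type", [])
    if isinstance(types, list):
        errors += [f"type {t!r} is not a documented GraphEntityTypeValue"
                   for t in types if isinstance(t, str) and t not in ENTITY_TYPES]
    if "search" in f and not isinstance(f["search"], str):
        errors.append("search must be a string")
    for key in sorted(DATE_KEYS & f.keys()):
        window = f[key]
        if not isinstance(window, dict) or not window or set(window) - {"before", "after"}:
            errors.append(f"{key} must be an object with only 'before' and/or 'after'")
            continue
        parsed = {k: _parse_iso_z(v) for k, v in window.items()}
        errors += [f"{key}.{k} must be ISO 8601 yyyy-MM-dd'T'HH:mm:ss'Z'" for k, dt in parsed.items() if dt is None]
        if len(parsed) == 2 and None not in parsed.values() and parsed["after"] >= parsed["before"]:
            errors.append(f"{key}: 'after' must be earlier than 'before'")
    return errors


def to_override_literal(f: dict) -> str:
    """Render the dict in the unquoted-key object-literal form used by --filter_by_override above."""
    def render(v):
        if isinstance(v, dict):
            return "{" + ", ".join(f"{k}: {render(x)}" for k, x in v.items()) + "}"
        if isinstance(v, list):
            return "[" + ", ".join(render(x) for x in v) + "]"
        return '"' + str(v).replace("\\", "\\\\").replace('"', '\\"') + '"'
    return render(f)


# Constructed sample filters (not real project or subscription IDs).
GOOD_FILTER = {"projectId": ["1234"], "type": ["VIRTUAL_MACHINE", "BUCKET"],
               "updatedAt": {"after": "2023-06-14T14:07:06Z"}, "search": "test-7"}
BAD_FILTER = {"projectID": ["1234"], "type": ["VIRTUAL_MACHIN"],
              "updatedAt": {"after": "2023-06-14 14:07:06", "before": "2023-12-31T00:00:00Z"}}

if __name__ == "__main__":
    for name, flt in (("good", GOOD_FILTER), ("bad", BAD_FILTER)):
        print(name, "->", validate_filter(flt) or "ok")
    print("--filter_by_override=" + repr(to_override_literal(GOOD_FILTER)))
```

Run it before a scheduled inventory sync; an empty error list means the literal it prints can be pasted straight into the --filter_by_override argument.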
init.yaml Example
For a basic Wiz integration with RegScale, the following init.yaml structure is necessary (example/notional key structure shown below, replace with actual customer keys; the token and credential values are placeholders, and a real init.yaml holds live secrets, so keep it out of version control):
domain: https://mycompany.regscale.com
token: Bearer <REGSCALE_JWT set by regscale login>
maxThreads: 1000
userId: c9f579e2-a8c9-4c02-8e91-ce122a1aa518
wizAccessToken: <WIZ_JWT set by regscale wiz authenticate>
wizClientId: <WIZ CLIENT ID>
wizClientSecret: <WIZ CLIENT SECRET>
wizScope: create:controls create:security_frameworks delete:controls delete:security_frameworks
  read:issues read:controls read:inventory read:vulnerabilities read:security_frameworks
  update:issues update:controls update:inventory update:security_frameworks
wizUrl: https://api.us7.app.wiz.io/graphql
wizAuthUrl: https://auth.wiz.io/oauth/token
wizStigMapperFile: /<file_path_to_file_sample>/<user>/artifacts/stig_mapper_rules.json
wizEntities:
  - API_GATEWAY
  - APPLICATION
  - BACKUP_SERVICE
  - BUCKET
  - CDN
  - CONTAINER
  - DATABASE
  - DB_SERVER
  - DOMAIN
  - POD
  - REGISTERED_DOMAIN
  - SWITCH
  - VIRTUAL_DESKTOP
  - VIRTUAL_MACHINE
  - VIRTUAL_MACHINE_IMAGE
  - VOLUME
  - WEB_SERVICE
wizInventoryReportId:
  - 937a4c31-3036-4069-a35b-2efblah0880
  - 19sklb70-5653-4a1f-bd2e-ed5612f8ec75
  - a6booab07-888a-4e30-a286-fe8cb8e458f5
  - 1a92d35e-e9ad-421d-b55d-275wsa1150
wizIssuesReportId:
  last_seen: '2023-01-23 08:22:12'
  report_id: 63asaq6f-d361-415f-b68b-6dfewb9883f
wizExcludes: Azure AD Builtin Application Service Principal, Azure Active Directory (AAD) User
issues:
  wiz:
    critical: 30
    high: 90
    low: 365
    medium: 90
    status: Open
NOTE: The wizScope and wizAccessToken will auto-populate after authenticating to Wiz via the CLI.
Building a Bash Script to Execute the CLI
You can chain together RegScale CLI commands using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example shell script (named "regscaleScheduler.sh") in Ubuntu for executing the Wiz CLI that pulls all issues and inventory after authenticating and assigns them to a specific Security Plan in RegScale:
#!/bin/sh
# Stop at the first failing step so a failed issue sync does not silently continue into the inventory sync.
set -e
# Wiz will now authenticate for a fresh token on every execution of the issues or inventory functions.
regscale wiz issues --regscale_id=5 --regscale_module="securityplans"
regscale wiz inventory --regscale_id=5 --regscale_module="securityplans"
To execute the script, run this command:
sh regscaleScheduler.sh
Sourcing it with ". regscaleScheduler.sh" also works, but then the commands (and the set -e) run in your current shell. You can chain together any arbitrary set of CLI commands to have them execute sequentially.
sync_compliance - Sync compliance posture from Wiz to RegScale
regscale wiz sync_compliance --help
Usage: regscale wiz sync_compliance [OPTIONS]
Sync compliance posture from Wiz to RegScale
Options:
-p, --wiz_project_id TEXT Enter the Wiz Project ID. Options include:
projects, policies, supplychain,
securityplans, components. [required]
--regscale_id INTEGER RegScale will create and update issues as
children of this record. [required]
--regscale_module TEXT Enter the RegScale module name.
RegScale Module Accepted Value
Assessment | assessments
Asset | assets
Case | cases
Catalogue | catalogues
Causal Analysis | causalanalysis
Component | components
Data Call | datacalls
Exception | exceptions
Incident | incidents
Interconnect | interconnects
Issue(POAM) | issues
Policy | policies
Project | projects
Questionnaire | questionnaires
Requirement | requirements
Risk | risks
Security Control | securitycontrols
Security Control Implementation | controls
Security Plan | securityplans
Security Profile | profiles
Supply Chain(Contract) | supplychain
Task | tasks
Threat | threats
[required]
-i, --client_id TEXT Wiz Client ID. Can also be set as an
environment variable: WIZ_CLIENT_ID
-s, --client_secret TEXT Wiz Client Secret. Can also be set as an
environment variable: WIZ_CLIENT_SECRET
-c, --catalog_id TEXT RegScale Catalog ID for the selected
framework. [required]
-f, --framework [CSF|NIST800-53R5|NIST800-53R4]
Choose either one of the Frameworks
[required]
-n, --include_not_implemented Include not implemented controls
--help Show this message and exit.
attach_sbom Command Documentation
Overview
The attach_sbom command is a CLI (Command-Line Interface) tool for attaching a Software Bill of Materials (SBOM) report to a parent asset or System Security Plan (SSP) using Wiz reports. This command can be executed as part of the Wiz CLI to interact with Wiz's API for retrieving SBOM reports.
Command
wiz attach_sbom
Options
--client_id, -ci
- Description: The Wiz Client ID. Can also be set as an environment variable WizClientID.
- Usage: If --client_id is not provided, the command will use the environment variable WizClientID if set.
- Type: str
- Required: False
- Default: Value of the WizClientID environment variable.
- Example: --client_id YOUR_CLIENT_ID
--client_secret, -cs
- Description: The Wiz Client Secret. Can also be set as an environment variable WizClientSecret.
- Usage: If --client_secret is not provided, the command will use the environment variable WizClientSecret if set. Input is hidden for security. Passing the secret on the command line exposes it in shell history and process listings; prefer the environment variable or the hidden prompt.
- Type: str
- Required: False
- Default: Value of the WizClientSecret environment variable.
- Example: --client_secret YOUR_CLIENT_SECRET
--parent_id, -pid
- Description: The ID of the parent asset or System Security Plan (SSP).
- Type: str
- Required: True
- Example: --parent_id YOUR_PARENT_ASSET_OR_SSP_ID
--report_id, -r
- Description: The Wiz report ID.
- Type: str
- Required: True
- Example: --report_id YOUR_WIZ_REPORT_ID
--standard, -s
- Description: The SBOM standard. Can be either CycloneDX or SPDX. Defaults to CycloneDX.
- Type: str
- Required: False
- Default: CycloneDX
- Example: --standard SPDX
Function: attach_sbom
Parameters:
- client_id (str): Wiz Client ID.
- client_secret (str): Wiz Client Secret.
- parent_id (str): The ID of the parent asset or SSP.
- report_id (str): The Wiz report ID.
- standard (str, optional): The SBOM standard (default is CycloneDX).
Description:
This function performs the following actions:
- Authenticates to Wiz using the provided client_id and client_secret.
- Fetches the SBOM report identified by report_id.
- Attaches the report to the evidence locker for the given parent_id.
Usage Example:
wiz attach_sbom --client_id YOUR_CLIENT_ID --client_secret YOUR_CLIENT_SECRET --parent_id YOUR_PARENT_ASSET_OR_SSP_ID --report_id YOUR_WIZ_REPORT_ID --standard SPDX
This command will authenticate with Wiz using the provided credentials, fetch the SBOM report in the chosen format (SPDX here; CycloneDX is the default), and attach it to the specified parent asset or SSP.
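Because --standard only labels the evidence, a report produced in the other format is attached to the SSP mislabelled. The following check, added here as an example and not part of the RegScale CLI or the Wiz API, sniffs a downloaded JSON SBOM's top-level markers (bomFormat/specVersion for CycloneDX, spdxVersion/SPDXID for SPDX), counts its components so an empty report is noticed, and compares the result with the flag you intend to pass. The two sample documents are constructed minimal SBOMs, not Wiz reports.

```python
"""Confirm a downloaded SBOM matches the --standard you are about to pass.

Added example, not part of the RegScale CLI or the Wiz API. The sample
documents are constructed minimal SBOMs, not Wiz output.
"""
from __future__ import annotations

import json


def _load(payload: bytes | str) -> dict | None:
    """Parse JSON; return the top-level object or None if it is not a JSON object."""
    try:
        doc = json.loads(payload)
    except (TypeError, ValueError):
        return None
    return doc if isinstance(doc, dict) else None


def detect_sbom_standard(payload: bytes | str) -> str | None:
    """Return 'CycloneDX', 'SPDX', or None when the payload is neither."""
    doc = _load(payload)
    if doc is None:
        return None
    if doc.get("bomFormat") == "CycloneDX" and isinstance(doc.get("specVersion"), str):
        return "CycloneDX"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and doc.get("SPDXID") == "SPDXRef-DOCUMENT":
        return "SPDX"
    return None


def component_count(payload: bytes | str) -> int:
    """Number of components (CycloneDX) or packages (SPDX); 0 when unknown."""
    doc = _load(payload) or {}
    key = {"CycloneDX": "components", "SPDX": "packages"}.get(detect_sbom_standard(payload))
    items = doc.get(key, []) if key else []
    return len(items) if isinstance(items, list) else 0


def check_standard_flag(payload: bytes | str, requested: str) -> tuple[bool, str]:
    """Return (ok, message) for the --standard value the operator intends to pass."""
    if requested.lower() not in ("cyclonedx", "spdx"):
        return False, f"--standard must be CycloneDX or SPDX, not {requested!r}"
    detected = detect_sbom_standard(payload)
    if detected is None:
        return False, "payload is not a CycloneDX or SPDX JSON document"
    if detected.lower() != requested.lower():
        return False, f"report is {detected} but --standard {requested} was requested"
    n = component_count(payload)
    if n == 0:
        return False, f"report is {detected} but lists no components; check the Wiz report scope"
    return True, f"report is {detected} with {n} components; --standard {requested} matches"


# Constructed minimal SBOMs (not real Wiz output).
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "openssl", "version": "3.0.13"}],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "example",
    "packages": [{"name": "openssl", "SPDXID": "SPDXRef-Package-openssl", "versionInfo": "3.0.13"}],
})
EMPTY_CYCLONEDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []})

if __name__ == "__main__":
    cases = (("cdx", CYCLONEDX_SAMPLE, "CycloneDX"), ("spdx-as-cdx", SPDX_SAMPLE, "CycloneDX"),
             ("empty", EMPTY_CYCLONEDX, "CycloneDX"), ("garbage", b"<html>", "SPDX"))
    for label, payload, flag in cases:
        print(label, check_standard_flag(payload, flag))
```

Point it at the file downloaded from the Wiz report (for example via add_report_evidence) before running attach_sbom; a False result means either the flag or the report needs to change.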
New in Version 5.73.0: the wizStigMapperFile setting in init.yaml allows mapping STIGs to assets
STIG Mapper Module Documentation
Overview
The STIGMapper module is designed to map Security Technical Implementation Guides (STIGs) to assets using a predefined set of rules. It utilizes string comparison functions to check asset properties and determine which assets should be associated with each STIG.
To use the STIG mapper from the scanner integration, add the following variable to init.yaml (the Wiz example above shows it in place):
wizStigMapperFile: /<file_path_to>/stig_mapper_rules.json
Dependencies
The module relies on:
- json: For loading rules from a JSON file.
Functions
comparator_functions
A dictionary that holds all the comparison functions used for evaluating string values based on operators.
Available operators and their corresponding functions:
- equals: Checks if two strings are equal.
- contains: Checks if one string contains another.
- startswith: Checks if one string starts with another.
- notin: Checks if one string does not contain another.
- endswith: Checks if one string ends with another.
- gt: Checks if one string is greater than another.
- lt: Checks if one string is less than another.
- gte: Checks if one string is greater than or equal to another.
- lte: Checks if one string is less than or equal to another.
- ne: Checks if two strings are not equal.
- in: Checks if a string is present in another.
- nin: Checks if a string is not present in another.
NOTE: gt, lt, gte and lte compare strings, not numbers, so the ordering is lexicographic ("10" sorts before "9"); do not rely on them for numeric version comparisons.
Mappable Asset properties
Required Properties
• id (int)
• name (str)
• assetType (Union[AssetType, str])
• status (Union[AssetStatus, str])
• assetCategory (Union[AssetCategory, str])
• parentId (int)
• parentModule (str)
• isPublic (bool)
• assetOwnerId (str)
• dateCreated (str)
• dateLastUpdated (str)
Optional Properties
• otherTrackingNumber (Optional[str])
• ram (Optional[int])
• location (Optional[str])
• diagramLevel (Optional[str])
• cpu (Optional[int])
• description (Optional[str])
• diskStorage (Optional[int])
• ipAddress (Optional[str])
• macAddress (Optional[str])
• manufacturer (Optional[str])
• model (Optional[str])
• osVersion (Optional[str])
• operatingSystem (Optional[str])
• uuid (Optional[str])
• serialNumber (Optional[str])
• createdById (Optional[str])
• lastUpdatedById (Optional[str])
• endOfLifeDate (Optional[str])
• purchaseDate (Optional[str])
• tenantsId (Optional[int])
• facilityId (Optional[int])
• orgId (Optional[int])
• cmmcAssetType (Optional[str])
• wizId (Optional[str])
• wizInfo (Optional[str])
• assetTagNumber (Optional[str])
• baselineConfiguration (Optional[str])
• fqdn (Optional[str])
• netBIOS (Optional[str])
• softwareName (Optional[str])
• softwareVendor (Optional[str])
• softwareVersion (Optional[str])
• softwareAcronym (Optional[str])
• vlanId (Optional[str])
• bAuthenticatedScan (Optional[bool])
• bPublicFacing (Optional[bool])
• bVirtual (Optional[bool])
• notes (Optional[str])
• patchLevel (Optional[str])
• softwareFunction (Optional[str])
• systemAdministratorId (Optional[str])
• bLatestScan (Optional[bool])
• managementType (Optional[str])
• qualysId (Optional[str])
• sicuraId (Optional[Union[str, int]])
• tenableId (Optional[str])
• firmwareVersion (Optional[str])
• purpose (Optional[str])
• awsIdentifier (Optional[str])
• azureIdentifier (Optional[str])
• googleIdentifier (Optional[str])
• otherCloudIdentifier (Optional[str])
• iPv6Address (Optional[str])
• scanningTool (Optional[str])
• uri (Optional[str])
• bScanDatabase (Optional[bool])
• bScanInfrastructure (Optional[bool])
• bScanWeb (Optional[bool])
• cpe (Optional[str])
• dadmsId (Optional[str])
• approvalStatus (Optional[str])
• processStatus (Optional[str])
• networkApproval (Optional[str])
• lastDateAllowed (Optional[str])
• bFamAccepted (Optional[bool])
• bExternallyAuthorized (Optional[bool])
This documentation covers all the major functions and methods within the STIGMapper module. If the path to a mapping file like the one below is set in your init.yaml under the wizStigMapperFile variable, new assets that match a rule will automatically be mapped to the corresponding STIGs.
{
"rules": [
{"stig": "Windows 2012 Configuration STIG",
"comparators": [
{"comparator": "contains", "value": "Windows 2012", "property": "name"},
{"comparator": "notin", "value": "Windows 2012 Account Access Group", "property": "name"}
]
},
{"stig": "Windows 7 Server STIG",
"comparators": [
{"comparator": "contains", "value": "Windows 7 Server", "property": "name"},
{"comparator": "notin", "value": "Workstation", "property": "name"}
]
},
{"stig": "Network Security STIG",
"comparators": [
{"comparator": "startswith", "value": "Kubernetes", "property": "name"},
{"comparator": "endswith", "value": "Security", "property": "name"}
]
},
{"stig": "AI Stig",
"comparators": [
{"comparator": "equals", "value": "regml-container", "property": "name"}
]
}
]
}
NOTE: See All Scanner Integrations for information about how this updates Issues/POAMs
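A dry run of the rules file above against a few assets, added here as an example and not the CLI's STIGMapper module. It implements the comparator table documented above so a rules file can be checked before wizStigMapperFile points at it. The page does not state several details, so these are assumptions made explicit here: all comparators within a rule must hold (AND); contains and notin test whether the rule value occurs inside the asset property, while in and nin test whether the asset property occurs inside the rule value; comparisons are case-sensitive; an asset lacking the property never matches; gt/lt/gte/lte compare strings lexicographically. The assets are constructed, not real inventory.

```python
"""Dry-run STIG mapper rules against assets.

Added example, not the CLI's STIGMapper module. Semantics not stated on the
page are assumptions: AND across a rule's comparators, contains/notin test
rule value inside asset property, in/nin test asset property inside rule
value, case-sensitive, missing property never matches.
"""
import json
import operator

# Comparators take (asset property value, rule value), both coerced to str.
COMPARATORS = {
    "equals": operator.eq,
    "ne": operator.ne,
    "contains": lambda prop, val: val in prop,
    "notin": lambda prop, val: val not in prop,
    "startswith": lambda prop, val: prop.startswith(val),
    "endswith": lambda prop, val: prop.endswith(val),
    "in": lambda prop, val: prop in val,
    "nin": lambda prop, val: prop not in val,
    "gt": operator.gt,   # lexicographic on strings: "10" < "9"
    "lt": operator.lt,
    "gte": operator.ge,
    "lte": operator.le,
}


def rule_matches(rule: dict, asset: dict) -> bool:
    """True when every comparator in the rule holds for the asset (assumed AND semantics)."""
    for c in rule["comparators"]:
        fn = COMPARATORS.get(c["comparator"])
        if fn is None:
            raise ValueError(f"rule {rule['stig']!r}: unknown comparator {c['comparator']!r}")
        prop = asset.get(c["property"])
        if prop is None or not fn(str(prop), str(c["value"])):
            return False
    return True


def map_assets_to_stigs(rules_json: str, assets: list) -> dict:
    """Return {asset name: [matching STIG names]} for every asset."""
    rules = json.loads(rules_json)["rules"]
    return {a["name"]: [r["stig"] for r in rules if rule_matches(r, a)] for a in assets}


# The rules file from this page, verbatim.
RULES_JSON = """
{ "rules": [
  {"stig": "Windows 2012 Configuration STIG", "comparators": [
    {"comparator": "contains", "value": "Windows 2012", "property": "name"},
    {"comparator": "notin", "value": "Windows 2012 Account Access Group", "property": "name"}]},
  {"stig": "Windows 7 Server STIG", "comparators": [
    {"comparator": "contains", "value": "Windows 7 Server", "property": "name"},
    {"comparator": "notin", "value": "Workstation", "property": "name"}]},
  {"stig": "Network Security STIG", "comparators": [
    {"comparator": "startswith", "value": "Kubernetes", "property": "name"},
    {"comparator": "endswith", "value": "Security", "property": "name"}]},
  {"stig": "AI Stig", "comparators": [
    {"comparator": "equals", "value": "regml-container", "property": "name"}]}
]}
"""

# Constructed assets using the mappable properties listed above (not real inventory).
SAMPLE_ASSETS = [
    {"id": 1, "name": "Windows 2012 file server", "assetType": "VM", "operatingSystem": "Windows Server 2012"},
    {"id": 2, "name": "Windows 2012 Account Access Group", "assetType": "Other"},
    {"id": 3, "name": "Kubernetes Network Security", "assetType": "Other"},
    {"id": 4, "name": "regml-container", "assetType": "Other"},
    {"id": 5, "name": "Windows 7 Server Workstation image", "assetType": "VM"},
]

if __name__ == "__main__":
    for name, stigs in map_assets_to_stigs(RULES_JSON, SAMPLE_ASSETS).items():
        print(f"{name!r} -> {stigs or 'no STIG'}")
```

The second and fifth assets show why the notin comparators are in the rules: they contain the positive substring but are excluded by the negative one, so they receive no STIG.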