Risk Scan Engine Architecture and Extensibility

Updated Feb 20, 2024

Arctic Wolf Risk Scan Engine architecture

Arctic Wolf Risk Scan Engine (formerly Joval) operates on three layers for managing the process of scanning target machines:

With this three-layer architecture, you can:

Arctic Wolf Risk Scan Engine extensibility

You can customize how Risk Scan Engine ingests data. For more information, see the User Guide files in the zip files for the components you license.

Custom Arctic Wolf Risk Scan Engine plugins

If you want to create a custom plug-in for Risk Scan Engine, you can create your own IPlugin implementations. For example, custom plugins can be helpful if your application stores information about target machines in a database, and you want to retrieve that information from the database instead of from the target machine. In this case, the custom plugin would inspect each object collection request the engine makes, and then either retrieve the information themselves, or delegate the collection to a wrapped Risk Scan Engine plugin instance.

Custom OVAL schemas

If you want to perform compliance assessments on information that existing OVAL tests do not expose, you can use the scap-extensions component in Risk Scan Engine to support custom schemas. See scap-extensions for more information.

Custom jSAF providers

Risk Scan Engine uses the abstract system interface defined by jSAF, so an object adapter can function in multiple contexts. For example, local, remote, and offline scanning. In rare cases, you could define your own jSAF provider.

For example, in a simple case, if you have a database containing configuration data about routers or mobile devices, you might want to create your own offline provider that would source information from that database. In a more complex example, you might already have your own native agent software distributed throughout the environment, and want to leverage that as a mechanism for data collection. Both of these use cases are possible if you can author your own provider implementation of the relevant jSAF interfaces.

See also