Risk Scan Engine Architecture and Extensibility

Updated Sep 7, 2023

Risk Scan Engine architecture

Arctic Wolf Risk Scan Engine (formerly Joval) operates on three layers for managing the process of scanning target machines:

With this three-layer architecture, you can:

Risk Scan Engine extensibility

You can customize how Risk Scan Engine ingests data. For more information, see the User Guide files in the zip files for the components you license.

Custom Risk Scan Engine plugins

If you want to create a custom plugin for Risk Scan Engine, you can create your own IPlugin implementation. Custom plugins can be helpful, for example, if your application stores information about target machines in a database and you want to retrieve that information from the database instead of from the target machine. The custom plugin in this instance would inspect each object collection request the engine makes, and then either retrieve the information itself or delegate the collection to a wrapped Risk Scan Engine plugin instance.
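The inspect-then-delegate pattern described above, sketched as an added example that is not Arctic Wolf code. `CollectorPlugin`, `CollectionRequest`, `CollectedItem` and `InventoryStore` are hypothetical stand-ins and do not reproduce the real IPlugin interface; the sample data is constructed, and records require Java 16 or later.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical stand-ins for illustration; these are NOT the Risk Scan Engine (Joval) API.
record CollectionRequest(String host, String objectId) {}
record CollectedItem(String objectId, String value, String source) {}

interface CollectorPlugin {                       // plays the role the page gives to IPlugin
    List<CollectedItem> collect(CollectionRequest request) throws Exception;
}

// Hypothetical view of the application's database of target-machine facts.
interface InventoryStore {
    Optional<String> lookup(String host, String objectId);
}

/** Answers from the inventory store when it can, otherwise delegates to the wrapped plugin. */
final class DatabaseBackedPlugin implements CollectorPlugin {
    private final InventoryStore store;
    private final CollectorPlugin wrapped;

    DatabaseBackedPlugin(InventoryStore store, CollectorPlugin wrapped) {
        this.store = store;
        this.wrapped = wrapped;
    }

    @Override
    public List<CollectedItem> collect(CollectionRequest request) throws Exception {
        Optional<String> stored = store.lookup(request.host(), request.objectId());
        if (stored.isPresent()) {
            // Tag provenance so an assessor can tell stored data from live collection.
            return List.of(new CollectedItem(request.objectId(), stored.get(), "database"));
        }
        return wrapped.collect(request);          // no record: fall back to the target machine
    }
}

public class PluginDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample data: one stored fact for host "web01".
        Map<String, String> rows = Map.of("web01|oval:example:obj:1", "PermitRootLogin no");
        InventoryStore store = (host, id) -> Optional.ofNullable(rows.get(host + "|" + id));
        CollectorPlugin live = req -> List.of(new CollectedItem(req.objectId(), "collected live", "target"));
        CollectorPlugin plugin = new DatabaseBackedPlugin(store, live);

        System.out.println(plugin.collect(new CollectionRequest("web01", "oval:example:obj:1")));
        System.out.println(plugin.collect(new CollectionRequest("web01", "oval:example:obj:2")));
    }
}
```

Recording where each item came from keeps database-sourced answers distinguishable from live collection when assessment results are reviewed.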

Custom OVAL schemas

If you want to perform compliance assessments on information that existing OVAL tests do not expose, you can use the scap-extensions component in Risk Scan Engine to support custom schemas. For more information, see scap-extensions on the Risk Scan Engine GitHub.

Custom jSAF providers

Risk Scan Engine uses the abstract system interface defined by jSAF, so an object adapter can function in multiple contexts, such as local, remote, and offline scanning. In rare cases, you may want to define your own jSAF provider.

For example, in a simple case, if you have a database containing configuration data about routers or mobile devices, you might want to create your own offline provider that would source information from that database. In a more complex example, you might already have your own native agent software distributed throughout the environment, and would want to leverage that as a mechanism for data collection. Both of these use cases are possible if you can author your own provider implementation of the relevant jSAF interfaces.
