Adding in document for Goggles Output File Schema#938
Open
Adding in document for Goggles Output File Schema#938
Conversation
3 tasks
ahuynhECS
requested changes
Mar 11, 2026
| | Result | String | The decision made by the ScubaGear assessment whether the tenant ScubaGear was run against meets required configuration stated by the policy. | Warning | Possible values include:<ul><li><code>Pass</code></li><li><code>Fail</code></li><li><code>Warning</code></li><li><code>N/A</code> (typically indicates a manual check needed)</li><li><code>Omitted</code></li><li><code>Incorrect Result</code></li><li><code>Error - Test results missing</code></li><li><code>Error</code></li><li><code>No events found</code> (this is a ScubaGoggles only item and should eventually disappear someday)</li></ul> | | ||
| | Criticality | String | Based RFC 2119. SHALL means the policy is required, SHOULD means the policy is recommend, 3rd Party means that the policy may be implemented via a 3rd Party service (e.g., malware protections are required don't have to be done via Defender). | Should | Possible values include:<ul><li><code>Shall</code></li><li><code>Should</code></li><li><code>Shall/3rd Party</code></li><li><code>Should/3rd Party</code></li><li><code>Shall/Not-implemented</code></li><li><code>Should/Not-implemented</code></li></ul> | | ||
| | Details | String | The exact information of either how the tenant ScubaGear is run against either does or does not meet the SCuBA Secure Configuration Baseline Policy Requirement | 1 meeting policy(ies) found that does not restrict installation of Microsoft Apps by default: Global | Any annotations will be included in HTML formatted string | | ||
| | OmittedEvaluationResult | String | For controls, that were omitted, what the result would have been if it hadn't been omitted. For controls that were not omitted, this value will be set to "N/A". | Fail | Will continue to be output by ScubaGear for backwards compatibility, but we are deprecating this field and it will be removed in the next major release | |
Collaborator
There was a problem hiding this comment.
dont have this in goggles
Collaborator
There was a problem hiding this comment.
whoops my comments selected the entire section rather than pinpoint what wasn't appliable to goggles. The sections / information to delete because they are not in the goggles reports are below:
Control Object section
- OmittedEvaluationResult
- OmittedEvaluationDetails
- IncorrectResult
- IncorrectResultDetails
| | query_method | String | The method used for resolving the DNS query: either "traditional" or "DoH." | traditional | | ||
| | query_result | String | String description of the result of the DNS query. | Query returned 1 txt records | | ||
| | query_name | String | The domain name. | example.onmicrosoft.com | | ||
|
|
Collaborator
There was a problem hiding this comment.
we also have query_answers which is when the query returned txt recods. example: "v=DMARC1; p=reject; rua=mailto:reports@dmarc.cyber.dhs.gov; pct=100; ruf=mailto:reports@dmarc.cyber.dhs.gov"
|
|
||
| | Field Name | Type | Description | Example | | ||
| | --- | --- | --- | --- | | ||
| | AlertName | String | The name of the rule associated with the alert. | New user added | |
| </details> | ||
|
|
||
| <details> | ||
| <summary>License Object</summary> |
Collaborator
There was a problem hiding this comment.
license objects not found in goggles
ahuynhECS
reviewed
Mar 11, 2026
| | AnnotatedFailedPolicies | Object | Collection of failed SHALL policies along with any annotations for those policies the user included in their config file. Maps control IDs to '<AnnotationObject>' objects. See the "Annotation Object" tab of this spreadsheet for more details. | Annotations are appended to the "Details" column. | "AnnotatedFailedPolicies": {"MS.EXO.4.2v1": {"Comment": "We're failing because reasons, we will fix soon.", "RemediationDate": "2024-08-01", "IncorrectResult": false}} | | ||
| | Summary | Object | Map of product names to numerical summaries of the assessment results for each SCuBA product (`<SummaryObject>` objects). See the "Summary Object" tab of this spreadsheet for more details. The specific keys included under the Summary key are the short forms of the names of the products assessed (see both MetaData.ProductsAssessed and MetaData.ProductAbbreviationMapping). | N/A| "Results": {"gmail": `<SummaryObject>`, "calendar": `<SummaryObject>`} | | ||
| | Results | Object | Map of product names to the assessment results for each SCuBA product (arrays of `<ResultsObject>` objects). See the "Results Object" tab of this spreadsheet for more details. The specific keys included under the Summary key are the short forms of the names of the products assessed (see both MetaData.ProductsAssessed and MetaData.ProductAbbreviationMapping). | On each individual HTML report page. The policy group numbers, policy names and the html tables containing the assessment results. | "Results": {"gmail": [`<ResultsObject>`, `<ResultsObject>`], "calendar": [`<ResultsObject>`]} | | ||
| | Raw | Object | The raw JSON output of a ScubaGear assessment. This contains the data returned by the various API calls used by ScubaGear/Goggles to conduct a conformance assessment of the tenant's configuration against SCuBA's Security Configuration Baseline policies. This is the original ProviderSettingsExport.json file found from a normal ScubaGear run. Values under this field may or may not be present, depending on which products were included in an assessment for a given execution of ScubaGear/ScubaGoggles. | N/A| N/A| |
Collaborator
There was a problem hiding this comment.
overall raw section needs to be updated to match GWS variant and applicable objects
mitchelbaker-cisa
requested changes
Mar 11, 2026
Collaborator
mitchelbaker-cisa
left a comment
mitchelbaker-cisa
left a comment
There was a problem hiding this comment.
@mdueltgen Went through the spreadsheet you sent. Additional fields not included in the "Raw" section of the ScubaGoggles output:
Raw.date
Raw.timestamp_zulu
Raw.tenant_details
Raw.dkim_config (we have Raw.dkim_records)
| | MetaData.TenantId | String | A unique identifier assigned to each M365 tenant/GWS customer. | On the report summary page under "Tenant ID" (ScubaGear only). | 32c412d2-b044-3425-8ed1-ab220b70d3d1 | | ||
| | MetaData.DisplayName | String | The display name of the M365 tenant/GWS customer. | On both the report summary page and the individual report for each baseline under "Tenant Display Name" (ScubaGear only). | Example Tenant Name | | ||
| | MetaData.DomainName | String | The primary domain of the customer (ScubaGoggles) or the initial and immutable .onmicrosoft.com domain of an Entra ID tenant (ScubaGear). | On the report summary page under "Customer Domain" (ScubaGoggles) or "Tenant Domain Name" (ScubaGear). | example.com | | ||
| | MetaData.ProductSuite | String | Name of the SCuBA baseline product suite that is being assessed with the current SCuBA tool. | N/A| Microsoft 365 | |
Collaborator
There was a problem hiding this comment.
Switch to the GWS respective product suite.
Suggested change
| | MetaData.ProductSuite | String | Name of the SCuBA baseline product suite that is being assessed with the current SCuBA tool. | N/A| Microsoft 365 | | |
| | MetaData.ProductSuite | String | Name of the SCuBA baseline product suite that is being assessed with the current SCuBA tool. | N/A| Google Workspace | |
| | MetaData.DisplayName | String | The display name of the M365 tenant/GWS customer. | On both the report summary page and the individual report for each baseline under "Tenant Display Name" (ScubaGear only). | Example Tenant Name | | ||
| | MetaData.DomainName | String | The primary domain of the customer (ScubaGoggles) or the initial and immutable .onmicrosoft.com domain of an Entra ID tenant (ScubaGear). | On the report summary page under "Customer Domain" (ScubaGoggles) or "Tenant Domain Name" (ScubaGear). | example.com | | ||
| | MetaData.ProductSuite | String | Name of the SCuBA baseline product suite that is being assessed with the current SCuBA tool. | N/A| Microsoft 365 | | ||
| | MetaData.ProductsAssessed | Array | List of products scanned by the SCuBA tool. | On the report summary page, the values in the "Baseline Conformance Reports" column. | ["Azure Active Directory", "Microsoft 365 Defender"] | |
Collaborator
There was a problem hiding this comment.
Same with ProductsAssessed and ProductAbbreviationMapping. Use ["Common Controls", "Gmail"] and GWS specific names.
| | MetaData.ProductSuite | String | Name of the SCuBA baseline product suite that is being assessed with the current SCuBA tool. | N/A| Microsoft 365 | | ||
| | MetaData.ProductsAssessed | Array | List of products scanned by the SCuBA tool. | On the report summary page, the values in the "Baseline Conformance Reports" column. | ["Azure Active Directory", "Microsoft 365 Defender"] | | ||
| | MetaData.ProductAbbreviationMapping | Object | A mapping of the list of products assessed during a run of the SCuBA tool to the abbreviations used in the policy identifiers and policy groups in the SCuBA secure configuration baseline documents. | N/A| {"Azure Active Directory": "AAD", "Microsoft 365 Defender": "Defender"} | | ||
| | MetaData.Tool | String | Name of the current SCuBA tool conducting the assessment. | On the footer of the report summary page, e.g., "Report generated with CISA's ScubaGear tool v1.7.1." | ScubaGear | |
Collaborator
There was a problem hiding this comment.
Suggested change
| | MetaData.Tool | String | Name of the current SCuBA tool conducting the assessment. | On the footer of the report summary page, e.g., "Report generated with CISA's ScubaGear tool v1.7.1." | ScubaGear | | |
| | MetaData.Tool | String | Name of the current SCuBA tool conducting the assessment. | On the footer of the report summary page, e.g., "Report generated with CISA's ScubaGoggles tool v0.6.0." | ScubaGoggles | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🗣 Description
Creates markdown file, based on the previously used stand-alone spreadsheet, to document the output schema for the ScubaResults.json file
💭 Motivation and context
Closes #937
🧪 Testing
Since it is just an additional MD file for users to read, testing would just be done by comparing to the spreadsheet that was used in the past to document the ouput schema
✅ Pre-approval checklist
✅ Pre-merge Checklist
Squash and mergebutton.✅ Post-merge Checklist