regscale-cli 6.24.0.1__py3-none-any.whl → 6.25.0.0__py3-none-any.whl

regscale/integrations/commercial/microsoft_defender/defender_api.py

@@ -2,15 +2,18 @@
 Module to handle API calls to Microsoft Defender for Cloud
 """
 
+import os.path
 from json import JSONDecodeError
 from logging import getLogger
 from typing import Any, Literal, Optional
+from pathlib import Path
 
 from requests import Response
 
 from regscale.core.app.api import Api
-from regscale.core.app.utils.app_utils import error_and_exit
-from .defender_constants import APP_JSON
+from regscale.core.app.utils.app_utils import error_and_exit, get_current_datetime, check_file_path, save_data_to
+from urllib.parse import urljoin
+from .defender_constants import APP_JSON, DATA_TYPE, GRAPH_BASE_URL, ENTRA_ENDPOINTS, ENTRA_SAVE_DIR
 
 logger = getLogger("regscale")
 
@@ -22,10 +25,10 @@ class DefenderApi:
     :param Literal["cloud", "365"] system: Which system to make API calls to, either cloud or 365
     """
 
-    def __init__(self, system: Literal["cloud", "365"]):
+    def __init__(self, system: Literal["cloud", "365", "entra"]):
         self.api: Api = Api()
         self.config: dict = self.api.config
-        self.system: Literal["cloud", "365"] = system
+        self.system: Literal["cloud", "365", "entra"] = system
         self.headers: dict = self.set_headers()
         self.decode_error: str = "JSON Decode error"
         self.skip_token_key: str = "$skipToken"
@@ -57,12 +60,26 @@ class DefenderApi:
             client_secret = self.config["azureCloudSecret"]
             resource = "https://management.azure.com"
             key = "azureCloudAccessToken"
-        data = {
-            "resource": resource,
-            "client_id": client_id,
-            "client_secret": client_secret,
-            "grant_type": "client_credentials",
-        }
+        elif self.system == "entra":
+            url = f'https://login.microsoftonline.com/{self.config["azureEntraTenantId"]}/oauth2/v2.0/token'
+            client_id = self.config["azureEntraClientId"]
+            client_secret = self.config["azureEntraSecret"]
+            resource = "https://graph.microsoft.com/.default"
+            key = "azureEntraAccessToken"
+        if self.system == "entra":
+            data = {
+                "scope": resource,
+                "client_id": client_id,
+                "client_secret": client_secret,
+                "grant_type": "client_credentials",
+            }
+        else:
+            data = {
+                "resource": resource,
+                "client_id": client_id,
+                "client_secret": client_secret,
+                "grant_type": "client_credentials",
+            }
         # get the data
         response = self.api.post(
             url=url,
@@ -91,9 +108,11 @@ class DefenderApi:
             key = "azureCloudAccessToken"
         elif self.system.lower() == "365":
             key = "azure365AccessToken"
+        elif self.system == "entra":
+            key = "azureEntraAccessToken"
         else:
             error_and_exit(
-                f"{self.system.title()} is not supported, only Microsoft 365 Defender and Microsoft Defender for Cloud."
+                f"{self.system.title()} is not supported, only Microsoft 365 Defender, Microsoft Defender for Cloud, and Azure Entra."
             )
         current_token = self.config[key]
         # check the token if it isn't blank
@@ -207,11 +226,12 @@ class DefenderApi:
         # return the defender recommendations
         return defender_data
 
-    def get_items_from_azure(self, url: str) -> list:
+    def get_items_from_azure(self, url: str, parse_value: Optional[bool] = True) -> list:
         """
         Function to get data from Microsoft Defender returns the data as a list while handling pagination
 
         :param str url: URL to use for the API call
+        :param Optional[bool] parse_value: Whether to parse the value from the API response, defaults to True
         :return: list of recommendations
         :rtype: list
         """
@@ -226,7 +246,10 @@ class DefenderApi:
         try:
             response_data = response.json()
             # try to get the values from the api response
-            defender_data = response_data["value"]
+            if parse_value:
+                defender_data = response_data["value"]
+            else:
+                defender_data = response_data
         except JSONDecodeError:
             # notify user if there was a json decode error from API response and exit
             error_and_exit(self.decode_error)
@@ -236,7 +259,7 @@ class DefenderApi:
                 f"Received unexpected response from Microsoft Defender.\n{response.status_code}: {response.text}"
             )
         # check if pagination is required to fetch all data from Microsoft Defender
-        if next_link := response_data.get("nextLink"):
+        if next_link := (response_data.get("nextLink") or response_data.get("@odata.nextLink")):
             # get the rest of the data
             defender_data.extend(self.get_items_from_azure(url=next_link))
         # return the defender recommendations
@@ -284,3 +307,314 @@ class DefenderApi:
             )
         query_string = response.json().get("properties", {}).get("query")
         return self.execute_resource_graph_query(query=query_string)
+
+    def get_and_save_entra_evidence(self, endpoint_key: str, **kwargs) -> list[Path]:
+        """
+        Function to get Azure Entra evidence data from Microsoft Graph API and saves it to a csv file
+
+        :param str endpoint_key: Key from ENTRA_ENDPOINTS to specify which endpoint to call
+        :param kwargs: Additional parameters for URL formatting
+        :return: List of Paths to the saved csv files
+        :rtype: list[Path]
+        """
+        if self.system != "entra":
+            error_and_exit("This method can only be used with system='entra'")
+
+        if endpoint_key not in ENTRA_ENDPOINTS:
+            error_and_exit(f"Unknown endpoint key: {endpoint_key}")
+
+        endpoint = ENTRA_ENDPOINTS[endpoint_key]
+
+        # Handle URL parameter substitution
+        if "{start_date}" in endpoint:
+            start_date = kwargs.get("start_date", get_current_datetime("%Y-%m-%dT00:00:00Z"))
+            endpoint = endpoint.replace("{start_date}", start_date)
+
+        if "{group-id}" in endpoint:
+            group_id = kwargs.get("group_id")
+            if not group_id:
+                error_and_exit("group_id parameter is required for this endpoint")
+            endpoint = endpoint.replace("{group-id}", group_id)
+
+        if "{def_id}" in endpoint:
+            def_id = kwargs.get("def_id")
+            if not def_id:
+                error_and_exit("def_id parameter is required for this endpoint")
+            endpoint = endpoint.replace("{def_id}", def_id)
+
+        if "{instance_id}" in endpoint:
+            instance_id = kwargs.get("instance_id")
+            if not instance_id:
+                error_and_exit("instance_id parameter is required for this endpoint")
+            endpoint = endpoint.replace("{instance_id}", instance_id)
+
+        url = f"{GRAPH_BASE_URL}{endpoint}"
+        logger.info(f"Retrieving Azure Entra evidence from: {endpoint_key}")
+
+        data = self.get_items_from_azure(url=url, parse_value=kwargs.get("parse_value", True))
+        save_path = Path(
+            os.path.join(ENTRA_SAVE_DIR, f"azure_entra_{endpoint_key}_{get_current_datetime('%Y%m%d')}.csv")
+        )
+        save_data_to(file=save_path, data=data, transpose_data=False)
+        return [save_path]
+
+    def collect_all_entra_evidence(self, days_back: int = 30) -> dict[str, list[Path]]:
+        """
+        Function to collect all Azure Entra evidence data for FedRAMP compliance
+
+        :param int days_back: Number of days back to collect audit logs, defaults to 30
+        :return: Dict containing all evidence data categorized by type and list of Paths to the saved csv evidence files
+        :rtype: dict[str, list[Path]]
+        """
+        from datetime import datetime, timedelta
+
+        evidence_data = {}
+        start_date = (datetime.now() - timedelta(days=days_back)).strftime("%Y-%m-%dT00:00:00Z")
+
+        check_file_path(ENTRA_SAVE_DIR)
+
+        # Users and Groups
+        try:
+            evidence_data["users"] = self.get_and_save_entra_evidence("users")
+            evidence_data["users_delta"] = self.get_and_save_entra_evidence("users_delta")
+            evidence_data["guest_users"] = self.get_and_save_entra_evidence("guest_users")
+            evidence_data["groups_and_members"] = self.get_and_save_entra_evidence("groups_and_members")
+            evidence_data["security_groups"] = self.get_and_save_entra_evidence("security_groups")
+            logger.info("Successfully collected user and group evidence")
+        except Exception as e:
+            logger.error(f"Error collecting user/group evidence: {e}")
+            evidence_data["users"] = []
+            evidence_data["users_delta"] = []
+            evidence_data["guest_users"] = []
+            evidence_data["groups_and_members"] = []
+            evidence_data["security_groups"] = []
+
+        # RBAC and PIM
+        try:
+            evidence_data["role_assignments"] = self.get_and_save_entra_evidence("role_assignments")
+            evidence_data["role_definitions"] = self.get_and_save_entra_evidence("role_definitions")
+            evidence_data["pim_assignments"] = self.get_and_save_entra_evidence("pim_assignments")
+            evidence_data["pim_eligibility"] = self.get_and_save_entra_evidence("pim_eligibility")
+            logger.info("Successfully collected RBAC and PIM evidence")
+        except Exception as e:
+            logger.error(f"Error collecting RBAC/PIM evidence: {e}")
+            evidence_data["role_assignments"] = []
+            evidence_data["role_definitions"] = []
+            evidence_data["pim_assignments"] = []
+            evidence_data["pim_eligibility"] = []
+
+        # Conditional Access
+        try:
+            evidence_data["conditional_access"] = self.get_and_save_entra_evidence("conditional_access")
+            logger.info("Successfully collected conditional access evidence")
+        except Exception as e:
+            logger.error(f"Error collecting conditional access evidence: {e}")
+            evidence_data["conditional_access"] = []
+
+        # Authentication Methods
+        try:
+            evidence_data["auth_methods_policy"] = self.get_and_save_entra_evidence(
+                "auth_methods_policy", parse_value=False
+            )
+            evidence_data["user_mfa_registration"] = self.get_and_save_entra_evidence("user_mfa_registration")
+            evidence_data["mfa_registered_users"] = self.get_and_save_entra_evidence("mfa_registered_users")
+            logger.info("Successfully collected authentication methods evidence")
+        except Exception as e:
+            logger.error(f"Error collecting authentication methods evidence: {e}")
+            evidence_data["auth_methods_policy"] = []
+            evidence_data["user_mfa_registration"] = []
+            evidence_data["mfa_registered_users"] = []
+
+        # Audit Logs (may require additional permissions)
+        try:
+            evidence_data["sign_in_logs"] = self.get_and_save_entra_evidence("sign_in_logs", start_date=start_date)
+            evidence_data["directory_audits"] = self.get_and_save_entra_evidence(
+                "directory_audits", start_date=start_date
+            )
+            evidence_data["provisioning_logs"] = self.get_and_save_entra_evidence(
+                "provisioning_logs", start_date=start_date
+            )
+            logger.info("Successfully collected audit log evidence")
+        except Exception as e:
+            logger.error(f"Error collecting audit log evidence (may require additional permissions): {e}")
+            evidence_data["sign_in_logs"] = []
+            evidence_data["directory_audits"] = []
+            evidence_data["provisioning_logs"] = []
+
+        # Access Reviews
+        try:
+            evidence_data["access_review_definitions"] = self.collect_entra_access_reviews()
+            logger.info("Successfully collected access review evidence")
+        except Exception as e:
+            logger.error(f"Error collecting access review evidence: {e}")
+            evidence_data["access_review_definitions"] = []
+
+        return evidence_data
+
+    def collect_entra_access_reviews(self) -> list[Path]:
+        """
+        Function to collect access reviews from Microsoft Graph API
+
+        :return: List of paths to the saved csv files
+        :rtype: list[Path]
+        """
+        file_paths = []
+        url = GRAPH_BASE_URL + ENTRA_ENDPOINTS["access_review_definitions"]
+        definitions = self.get_items_from_azure(url=url)
+        current_date = get_current_datetime("%Y-%m-%d")
+
+        for definition in definitions:
+            definition_name = definition["displayName"].replace("/", "_").replace(" ", "_")
+
+            # Save flattened definition data
+            definition_path = Path(
+                os.path.join(ENTRA_SAVE_DIR, f"access_reviews_definitions_{definition_name}_{current_date}.csv")
+            )
+            flattened_definition = self._flatten_access_review_definition(definition)
+            save_data_to(file=definition_path, data=[flattened_definition], transpose_data=False)
+            file_paths.append(definition_path)
+
+            # Get instances and decisions
+            instance_url = GRAPH_BASE_URL + ENTRA_ENDPOINTS["access_review_instances"].format(def_id=definition["id"])
+            instances = self.get_items_from_azure(url=instance_url)
+
+            # Save flattened instances data
+            instances_path = Path(
+                os.path.join(ENTRA_SAVE_DIR, f"access_reviews_instances_{definition_name}_{current_date}.csv")
+            )
+            flattened_instances = []
+            for instance in instances:
+                flattened_instance = self._flatten_access_review_instance(definition["id"], instance)
+                flattened_instances.append(flattened_instance)
+
+            if flattened_instances:
+                save_data_to(file=instances_path, data=flattened_instances, transpose_data=False)
+                file_paths.append(instances_path)
+
+            # Save flattened decisions data
+            decisions_path = Path(
+                os.path.join(ENTRA_SAVE_DIR, f"access_reviews_decisions_{definition_name}_{current_date}.csv")
+            )
+            all_decisions = []
+            for instance in instances:
+                decision_url = GRAPH_BASE_URL + ENTRA_ENDPOINTS["access_review_decisions"].format(
+                    def_id=definition["id"], instance_id=instance["id"]
+                )
+                decisions = self.get_items_from_azure(url=decision_url)
+                for decision in decisions:
+                    flattened_decision = self._flatten_access_review_decision(
+                        definition["id"], instance["id"], decision
+                    )
+                    all_decisions.append(flattened_decision)
+
+            if all_decisions:
+                save_data_to(file=decisions_path, data=all_decisions, transpose_data=False)
+                file_paths.append(decisions_path)
+
+        return file_paths
+
+    @staticmethod
+    def _flatten_access_review_definition(definition: dict) -> dict:
+        """
+        Flatten access review definition for CSV export
+
+        :param dict definition: Definition data
+        :return: Flattened definition data
+        :rtype: dict
+        """
+        return {
+            "id": definition.get("id"),
+            "displayName": definition.get("displayName"),
+            "status": definition.get("status"),
+            "createdDateTime": definition.get("createdDateTime"),
+            "lastModifiedDateTime": definition.get("lastModifiedDateTime"),
+            "descriptionForAdmins": definition.get("descriptionForAdmins"),
+            "descriptionForReviewers": definition.get("descriptionForReviewers"),
+            "createdBy_displayName": definition.get("createdBy", {}).get("displayName"),
+            "createdBy_id": definition.get("createdBy", {}).get("id"),
+            "createdBy_userPrincipalName": definition.get("createdBy", {}).get("userPrincipalName"),
+            "scope_type": definition.get("scope", {}).get(DATA_TYPE),
+            "scope_query": definition.get("scope", {}).get("query"),
+            "scope_inactiveDuration": definition.get("scope", {}).get("inactiveDuration"),
+            "instanceEnumerationScope_type": definition.get("instanceEnumerationScope", {}).get(DATA_TYPE),
+            "instanceEnumerationScope_query": definition.get("instanceEnumerationScope", {}).get("query"),
+            "settings_defaultDecision": definition.get("settings", {}).get("defaultDecision"),
+            "settings_autoApplyDecisionsEnabled": definition.get("settings", {}).get("autoApplyDecisionsEnabled"),
+            "settings_instanceDurationInDays": definition.get("settings", {}).get("instanceDurationInDays"),
+            "settings_justificationRequiredOnApproval": definition.get("settings", {}).get(
+                "justificationRequiredOnApproval"
+            ),
+            "settings_mailNotificationsEnabled": definition.get("settings", {}).get("mailNotificationsEnabled"),
+            "settings_recommendationsEnabled": definition.get("settings", {}).get("recommendationsEnabled"),
+            "settings_recurrence_type": definition.get("settings", {})
+            .get("recurrence", {})
+            .get("pattern", {})
+            .get("type"),
+            "settings_recurrence_interval": definition.get("settings", {})
+            .get("recurrence", {})
+            .get("pattern", {})
+            .get("interval"),
+        }
+
+    @staticmethod
+    def _flatten_access_review_instance(definition_id: str, instance: dict) -> dict:
+        """
+        Flatten access review instance for CSV export
+
+        :param str definition_id: ID of the access review definition
+        :param dict instance: Instance data
+        :return: Flattened instance data
+        :rtype: dict
+        """
+        return {
+            "definition_id": definition_id,
+            "id": instance.get("id"),
+            "status": instance.get("status"),
+            "startDateTime": instance.get("startDateTime"),
+            "endDateTime": instance.get("endDateTime"),
+            "scope_type": instance.get("scope", {}).get(DATA_TYPE),
+            "scope_query": instance.get("scope", {}).get("query"),
+            "scope_inactiveDuration": instance.get("scope", {}).get("inactiveDuration"),
+            "reviewers_count": len(instance.get("reviewers", [])),
+            "fallbackReviewers_count": len(instance.get("fallbackReviewers", [])),
+        }
+
+    @staticmethod
+    def _flatten_access_review_decision(definition_id: str, instance_id: str, decision: dict) -> dict:
+        """
+        Flatten access review decision for CSV export
+
+        :param str definition_id: ID of the access review definition
+        :param str instance_id: ID of the access review instance
+        :param dict decision: Decision data
+        :return: Flattened decision data
+        :rtype: dict
+        """
+        return {
+            "definition_id": definition_id,
+            "instance_id": instance_id,
+            "decision_id": decision.get("id"),
+            "accessReviewId": decision.get("accessReviewId"),
+            "decision": decision.get("decision"),
+            "recommendation": decision.get("recommendation"),
+            "justification": decision.get("justification"),
+            "reviewedDateTime": decision.get("reviewedDateTime"),
+            "appliedDateTime": decision.get("appliedDateTime"),
+            "applyResult": decision.get("applyResult"),
+            "principalLink": decision.get("principalLink"),
+            "resourceLink": decision.get("resourceLink"),
+            "reviewedBy_id": decision.get("reviewedBy", {}).get("id"),
+            "reviewedBy_displayName": decision.get("reviewedBy", {}).get("displayName"),
+            "reviewedBy_userPrincipalName": decision.get("reviewedBy", {}).get("userPrincipalName"),
+            "appliedBy_id": decision.get("appliedBy", {}).get("id"),
+            "appliedBy_displayName": decision.get("appliedBy", {}).get("displayName"),
+            "appliedBy_userPrincipalName": decision.get("appliedBy", {}).get("userPrincipalName"),
+            "target_type": decision.get("target", {}).get(DATA_TYPE),
+            "target_userId": decision.get("target", {}).get("userId"),
+            "target_userDisplayName": decision.get("target", {}).get("userDisplayName"),
+            "target_userPrincipalName": decision.get("target", {}).get("userPrincipalName"),
+            "principal_type": decision.get("principal", {}).get(DATA_TYPE),
+            "principal_id": decision.get("principal", {}).get("id"),
+            "principal_displayName": decision.get("principal", {}).get("displayName"),
+            "principal_userPrincipalName": decision.get("principal", {}).get("userPrincipalName"),
+        }

regscale/integrations/commercial/microsoft_defender/defender_constants.py

@@ -2,11 +2,168 @@
 Module to store constants for Microsoft Defender for Cloud
 """
 
+import os
+
 DATE_FORMAT = "%Y-%m-%dT%H:%M:%S"
 IDENTIFICATION_TYPE = "Vulnerability Assessment"
 CLOUD_RECS = "Microsoft Defender for Cloud Recommendation"
 APP_JSON = "application/json"
 AFD_ENDPOINTS = "microsoft.cdn/profiles/afdendpoints"
+DATA_TYPE = "@odata.type"
+ENTRA_SAVE_DIR = os.path.join("artifacts", "defender", "entra")
+
+# Azure Entra (Azure AD) Microsoft Graph API endpoints
+GRAPH_BASE_URL = "https://graph.microsoft.com/v1.0"
+GRAPH_BETA_URL = "https://graph.microsoft.com/beta"
+
+# Azure Entra API endpoints for FedRAMP evidence collection
+ENTRA_ENDPOINTS = {
+    "users": "/users?$select=id,displayName,userPrincipalName,accountEnabled,userType,createdDateTime&$top=999",
+    "users_delta": "/users/delta?$select=id,displayName,userPrincipalName,accountEnabled,userType,createdDateTime",
+    "guest_users": "/users?$filter=userType eq 'Guest'&$select=id,displayName,userPrincipalName,accountEnabled",
+    "security_groups": "/groups?$filter=securityEnabled eq true&$select=id,displayName,securityEnabled",
+    "groups_and_members": "/groups?$expand=members($select=id,displayName,userPrincipalName)",
+    # "groups": "/groups",
+    # "group_members": "/groups/{group-id}/members?$select=id,displayName,userPrincipalName",
+    "role_assignments": "/roleManagement/directory/roleAssignments?$expand=roleDefinition",
+    "role_definitions": "/roleManagement/directory/roleDefinitions?$select=id,displayName,description",
+    "pim_assignments": "/roleManagement/directory/roleAssignmentScheduleInstances?$expand=activatedUsing,principal,roleDefinition",
+    "pim_eligibility": "/roleManagement/directory/roleEligibilityScheduleInstances?$expand=roleDefinition",
+    "conditional_access": "/identity/conditionalAccess/policies",
+    "auth_methods_policy": "/policies/authenticationMethodsPolicy",
+    "user_mfa_registration": "/reports/authenticationMethods/userRegistrationDetails?$top=999",
+    "mfa_registered_users": "/reports/authenticationMethods/userRegistrationDetails?$filter=isMfaRegistered eq true",
+    "sign_in_logs": "/auditLogs/signIns?$filter=createdDateTime ge {start_date}&$top=1000",
+    "directory_audits": "/auditLogs/directoryAudits?$filter=activityDateTime ge {start_date}&$top=1000",
+    "provisioning_logs": "/auditLogs/provisioning?$filter=activityDateTime ge {start_date}&$top=1000",
+    "access_review_definitions": "/identityGovernance/accessReviews/definitions",
+    "access_review_instances": "/identityGovernance/accessReviews/definitions/{def_id}/instances",
+    "access_review_decisions": "/identityGovernance/accessReviews/definitions/{def_id}/instances/{instance_id}/decisions?$top=100",
+}
+
+# Evidence categories for FedRAMP controls
+EVIDENCE_CATEGORIES = {
+    "users_groups": "Users & Groups Management",
+    "rbac_pim": "Role-Based Access Control & Privileged Identity Management",
+    "conditional_access": "Conditional Access Policies",
+    "authentication": "Authentication Methods & Multi-Factor Authentication",
+    "audit_logs": "Audit & Sign-in Logs",
+    "access_reviews": "Access Reviews & Governance",
+}
+
+AC_1 = "AC-1"
+AC_2 = "AC-2"
+AC_2_1 = "AC-2(1)"
+AC_2_3 = "AC-2(3)"
+AC_2_5 = "AC-2(5)"
+AC_2_7 = "AC-2(7)"
+AC_2_12 = "AC-2(12)"
+AC_365 = ["AC-3", "AC-6", "AC-5"]
+AU_2 = "AU-2"
+AU_3 = "AU-3"
+AU_6 = "AU-6"
+AU_12 = "AU-12"
+IA_2 = "IA-2"
+IA_2_1 = "IA-2(1)"
+IA_2_2 = "IA-2(2)"
+IA_2_3 = "IA-2(3)"
+IA_2_4 = "IA-2(4)"
+IA_2_5 = "IA-2(5)"
+IA_2_6 = "IA-2(6)"
+IA_2_7 = "IA-2(7)"
+IA_2_8 = "IA-2(8)"
+IA_2_9 = "IA-2(9)"
+IA_2_10 = "IA-2(10)"
+IA_2_11 = "IA-2(11)"
+IA_2_12 = "IA-2(12)"
+IA_4 = "IA-4"
+IA_5 = "IA-5"
+
+# Mapping between Azure Entra evidence types and FedRAMP control identifiers
+# Based on Azure_Entra_FedRAMP_High_Evidence.docx mapping table
+EVIDENCE_TO_CONTROLS_MAPPING = {
+    # Users & Groups evidence maps to Account Management controls
+    "users": [AC_1, AC_2, AC_2_1, AC_2_3, AC_2_5, AC_2_7, AC_2_12],
+    "users_delta": [AC_1, AC_2, AC_2_1, AC_2_3, AC_2_5, AC_2_7, AC_2_12],
+    "guest_users": [AC_1, AC_2, AC_2_1, AC_2_3, AC_2_5, AC_2_7, AC_2_12, "IA-8", "IA-8(1)"],
+    "security_groups": [AC_1, AC_2, AC_2_1, AC_2_3, AC_2_5, AC_2_7, AC_2_12],
+    "groups_and_members": [AC_1, AC_2, AC_2_1, AC_2_3, AC_2_5, AC_2_7, AC_2_12],
+    # RBAC & PIM evidence maps to Access Control and Privilege Management controls
+    "role_assignments": AC_365,
+    "role_definitions": AC_365,
+    "pim_assignments": AC_365,
+    "pim_eligibility": AC_365,
+    # Conditional Access maps to Access Enforcement controls
+    "conditional_access": ["AC-17", "AC-19"],
+    # Authentication methods map to Identification & Authentication controls
+    "auth_methods_policy": [
+        IA_2,
+        IA_2_1,
+        IA_2_2,
+        IA_2_3,
+        IA_2_4,
+        IA_2_5,
+        IA_2_6,
+        IA_2_7,
+        IA_2_8,
+        IA_2_9,
+        IA_2_10,
+        IA_2_11,
+        IA_2_12,
+        IA_4,
+        IA_5,
+    ],
+    "user_mfa_registration": [
+        IA_2,
+        IA_2_1,
+        IA_2_2,
+        IA_2_3,
+        IA_2_4,
+        IA_2_5,
+        IA_2_6,
+        IA_2_7,
+        IA_2_8,
+        IA_2_9,
+        IA_2_10,
+        IA_2_11,
+        IA_2_12,
+        IA_4,
+        IA_5,
+    ],
+    "mfa_registered_users": [
+        IA_2,
+        IA_2_1,
+        IA_2_2,
+        IA_2_3,
+        IA_2_4,
+        IA_2_5,
+        IA_2_6,
+        IA_2_7,
+        IA_2_8,
+        IA_2_9,
+        IA_2_10,
+        IA_2_11,
+        IA_2_12,
+        IA_4,
+        IA_5,
+    ],
+    # Sign-in logs map to Unsuccessful Logon controls and Audit controls
+    "sign_in_logs": ["AC-7", AU_2, AU_3, AU_6, AU_12],
+    # Directory audits map to Audit controls and Account Management
+    "directory_audits": [AU_2, AU_3, AU_6, AU_12, IA_4, IA_5],
+    # Provisioning logs map to Audit controls
+    "provisioning_logs": [AU_2, AU_3, AU_6, AU_12],
+    # Access reviews map to Account Management and Privilege controls
+    "access_review_definitions": ["AC-3", "AC-6", "AC-5", "IA-8", "IA-8(1)"],
+}
+
+# Reverse mapping for easy lookup of which evidence types are needed for a control
+CONTROLS_TO_EVIDENCE_MAPPING = {}
+for evidence_type, controls in EVIDENCE_TO_CONTROLS_MAPPING.items():
+    for control in controls:
+        if control not in CONTROLS_TO_EVIDENCE_MAPPING:
+            CONTROLS_TO_EVIDENCE_MAPPING[control] = []
+        CONTROLS_TO_EVIDENCE_MAPPING[control].append(evidence_type)
 
 
 RESOURCES_QUERY = """