Wiz

Enrich asset context with vulnerability data from the Wiz cloud security platform

About

The Wiz context integration provides enriched asset context to Netography Fusion from the Wiz Cloud Security Platform. It gathers vulnerability data about the cloud assets in your environment from the Wiz API, and adds that as Context Labels in Netography Fusion.

Use Cases

Reduce investigation time

An AWS EC2 instance that has only ever communicated with the corporate network makes a new outbound connection to China. As you investigate this, you may want to know more about this EC2 instance. The vulnerability context provided by Wiz is immediately available to you without having to pivot to another tool or ask another analyst with direct access to Wiz for this information.

Enhance monitoring for vulnerable assets

Cloud assets with high-severity vulnerabilities are at higher risk of being exploited and becoming the source of malicious activity. Now that the vulnerability state of these assets is directly available in Netography Fusion, you can use that information to monitor them, including:

  • Creating and viewing dashboards focused on activity from the most vulnerable assets
  • Creating a custom escalation workflow for network activity, such as potential network scanning or exfiltration, when it originates from a highly vulnerable asset
  • Building custom detections that include the vulnerability state of the asset

You can use the following NQL to select assets whose highest-severity vulnerability is rated high or critical:
label.ip.cvss_rating == critical || label.ip.cvss_rating == high

Monitor network activity for assets with high-profile vulnerabilities while they are being remediated

A new vulnerability is released that is being actively exploited in cloud environments. You can focus your attention on the network activity for assets that Wiz has identified as being vulnerable to this issue. By watching the assets with a highly visible vulnerability more closely, you can identify potential indicators of compromise and act on them during the critical period before the vulnerability is remediated.

You can use the following NQL to select assets affected by a specific CVE, replacing the example ID with the CVE you are tracking:

label.ip.cve == CVE-2023-0123

Context Labels

The Wiz context integration will populate the following IP context labels in Netography based on the data that is retrieved via the Wiz API:

Context Name | Description | Example
vuln_count | The total number of vulnerabilities on the asset (any severity) | 10
cvss_rating | The highest CVSS rating of any vulnerability on the asset | medium
cvss_score | The highest CVSS score of any vulnerability on the asset | 6.5
cve | A list of CVE IDs with severity >= high (limit of 100 per asset) | CVE-2021-20254
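The following is an added example (not Netography's or Wiz's own code) showing how the four labels above can be derived from an asset's vulnerability findings, including the two edge cases a practitioner should expect: the same CVE reported in several packages on one asset, and an asset with more than 100 high-or-critical CVEs, where the cap must drop the least severe IDs rather than arbitrary ones. The Finding record shape and the sample findings are constructed for illustration and are not the Wiz API schema; the NQL equivalents at the end assume that `==` on the list-valued cve label means membership.

```python
"""Derive Wiz context labels (vuln_count, cvss_rating, cvss_score, cve) for one
asset.  Added example, not Netography's or Wiz's code; the Finding shape below
is constructed for illustration, not the Wiz API schema."""
from dataclasses import dataclass
from typing import Dict, List

# CVSS v3.x qualitative ratings, ordered from least to most severe.
RATING_ORDER = ["none", "low", "medium", "high", "critical"]
CVE_LIMIT = 100  # the integration caps the cve label at 100 IDs per asset


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_score: float
    severity: str  # vendor-supplied rating; may be missing or unexpected


def rating_from_score(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score <= 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def _rank(f: Finding) -> int:
    """Severity rank of a finding; unknown severity strings fall back to the score."""
    sev = f.severity.lower()
    if sev not in RATING_ORDER:
        sev = rating_from_score(f.cvss_score)
    return RATING_ORDER.index(sev)


def build_labels(findings: List[Finding]) -> Dict[str, object]:
    """Collapse all findings on one asset into the four context labels."""
    if not findings:
        return {"vuln_count": 0, "cvss_rating": "none", "cvss_score": 0.0, "cve": []}
    worst_rating = RATING_ORDER[max(_rank(f) for f in findings)]
    worst_score = max(f.cvss_score for f in findings)
    # cve label: severity >= high only, one entry per CVE ID even if several
    # packages carry it, highest score first so the cap drops the least severe.
    high_threshold = RATING_ORDER.index("high")
    by_cve: Dict[str, float] = {}
    for f in findings:
        if _rank(f) >= high_threshold:
            by_cve[f.cve] = max(by_cve.get(f.cve, 0.0), f.cvss_score)
    ordered = sorted(by_cve, key=lambda c: (-by_cve[c], c))
    return {
        "vuln_count": len(findings),  # counts findings as reported, not unique CVEs
        "cvss_rating": worst_rating,
        "cvss_score": worst_score,
        "cve": ordered[:CVE_LIMIT],
    }


def is_high_risk(labels: Dict[str, object]) -> bool:
    """Equivalent of: label.ip.cvss_rating == critical || label.ip.cvss_rating == high"""
    return labels["cvss_rating"] in ("high", "critical")


def affected_by(labels: Dict[str, object], cve_id: str) -> bool:
    """Equivalent of: label.ip.cve == CVE-2023-0123 (assumed to be list membership)"""
    return cve_id.upper() in labels["cve"]


# Constructed sample findings for one asset (not real Wiz output).
SAMPLE_FINDINGS = [
    Finding("CVE-2023-0123", 9.8, "CRITICAL"),
    Finding("CVE-2021-20254", 7.5, "HIGH"),
    Finding("CVE-2021-20254", 7.5, "HIGH"),   # same CVE in a second package
    Finding("CVE-2022-0000", 5.3, "MEDIUM"),  # below the cve label threshold
]

if __name__ == "__main__":
    labels = build_labels(SAMPLE_FINDINGS)
    print(labels)
    print("high risk:", is_high_risk(labels), "| CVE-2023-0123:", affected_by(labels, "CVE-2023-0123"))
```

Running the block on the constructed sample yields vuln_count 4 (four findings, three distinct CVEs), cvss_rating critical, cvss_score 9.8 and a cve list of two IDs; the medium finding is counted but not listed.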

Wiz Configuration

Configure a service account

A Wiz Service Account is used to authenticate with the Wiz Integration API. The service account must have at least the following permissions:

Permissions Required
create:reports
read:reports
update:reports
read:vulnerabilities
(optional) read:issues (this is not used today, but will be in a future update)

❗️

Wiz Service account requires global scope

The integration requires the service account to be configured with a global scope. Project-level scopes are not supported at this time. If your organization requires project-level scope permissions, contact Netography Support; this capability will be added in a future update.

Consult Wiz documentation for the specific steps needed to create this account and configure permissions.

API configuration parameters required

To configure the integration, the following Wiz API configuration parameters are required:

Parameter | Information
API Endpoint URL | The GraphQL API endpoint for your Wiz deployment. The hostname depends on the region of your Wiz tenant, e.g. https://api.<region>.app.wiz.io/graphql. Always use https: the bearer token obtained from the Token URL is sent to this endpoint with every request, and plaintext http would expose it.
Token URL | The OAuth token endpoint used for authentication. The URL may differ depending on the type of authentication configured for your Wiz tenant, e.g. https://auth.app.wiz.io/oauth/token. This endpoint receives the Client Secret, so it must also be https.
Client ID | Obtained when creating the service account in the previous step
Client Secret | Obtained when creating the service account in the previous step
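As an added example (not Netography's or Wiz's code), the block below checks the four parameters for the mistakes that matter before they are entered in the Portal, and builds the OAuth2 client-credentials request that turns the Client ID and Client Secret into a bearer token. The region name, client ID and secret are placeholders. The form fields in `token_request()` (grant_type, audience, client_id, client_secret) follow the client-credentials flow Wiz documents for the auth.app.wiz.io Token URL; the `audience` value is taken from that documentation and should be confirmed against the Wiz docs for your tenant's Token URL if it differs.

```python
"""Validate Wiz API configuration parameters and build the token request.
Added example, not Netography's or Wiz's code.  Region, client ID and secret
are placeholders; the form body follows the client-credentials flow Wiz
documents for auth.app.wiz.io (audience value assumed, verify for your tenant)."""
import json
import os
import re
import urllib.request
from typing import Dict, List
from urllib.parse import urlencode, urlparse

# Expected API host shape: api.<region>.app.wiz.io (region placeholder, e.g. us17)
WIZ_API_HOST = re.compile(r"^api\.[a-z0-9-]+\.app\.wiz\.io$")


def config_problems(api_endpoint: str, token_url: str) -> List[str]:
    """Return configuration errors; an empty list means the pair is usable."""
    problems: List[str] = []
    api = urlparse(api_endpoint)
    tok = urlparse(token_url)
    # Both URLs carry secrets: the Token URL receives the client secret and the
    # API endpoint receives the resulting bearer token.  Plain http would send
    # either of them in the clear, so the scheme is checked first.
    for name, u in (("API Endpoint URL", api), ("Token URL", tok)):
        if u.scheme != "https":
            problems.append(f"{name}: scheme must be https, got {u.scheme!r}")
        if not u.hostname:
            problems.append(f"{name}: missing host")
    # A mistyped API host would hand the bearer token to whoever owns it.
    if not WIZ_API_HOST.match(api.hostname or ""):
        problems.append(f"API Endpoint URL: host {api.hostname!r} is not api.<region>.app.wiz.io")
    if api.path != "/graphql":
        problems.append(f"API Endpoint URL: path must be /graphql, got {api.path!r}")
    # The Token URL host is not pinned: the page notes it varies by auth type.
    return problems


def token_request(token_url: str, client_id: str, client_secret: str) -> Dict[str, object]:
    """Build (without sending) the OAuth2 client-credentials request for a Wiz token."""
    body = urlencode({
        "grant_type": "client_credentials",
        "audience": "wiz-api",  # value documented for auth.app.wiz.io; assumption for other Token URLs
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return {
        "url": token_url,
        "method": "POST",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,  # contains the secret: never log this field
    }


def fetch_token(token_url: str, client_id: str, client_secret: str) -> str:
    """Send the request and return the access token (network call, not run offline)."""
    req = token_request(token_url, client_id, client_secret)
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), method=req["method"], headers=req["headers"]
    )
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    endpoint = "https://api.us17.app.wiz.io/graphql"   # placeholder region
    token_url = "https://auth.app.wiz.io/oauth/token"
    problems = config_problems(endpoint, token_url)
    if problems:
        raise SystemExit("\n".join(problems))
    # Secrets come from the environment, not from a hard-coded string.
    client_id = os.environ.get("WIZ_CLIENT_ID", "placeholder-client-id")
    client_secret = os.environ.get("WIZ_CLIENT_SECRET", "placeholder-secret")
    req = token_request(token_url, client_id, client_secret)
    print(req["method"], req["url"])  # body holds the secret, so it is not printed
```

Feeding the plaintext form of the endpoint (http://api.<region>.app.wiz.io/graphql) into `config_problems()` returns a single scheme error, which is the check worth running before pasting credentials into any integration form.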

Netography Fusion Configuration

Add the context integration

In the Netography Fusion Portal:

  1. Go to the Setup section on the left-hand navigation menu and select Integrations.
  2. Select Context Integrations in the tab that appears on the Integrations page.
  3. Select the Add Integration button.
  4. Select Wiz.

Configure the context integration

  1. Fill out the standard fields required for each context integration:
Field | Description
Name | A unique name to identify this instance of the integration (e.g. wiz1)
Update Interval | How frequently to retrieve updated information from Wiz, in seconds. 86400 seconds (24 hours) is the smallest supported interval, based on Wiz integration requirements.
Auto Update | Enable to retrieve updated information automatically at the frequency set by the Update Interval. If disabled, the integration can be run manually from the list of configured integrations by selecting the ... next to the name of the integration and then selecting Run.
  2. Enter the configuration parameters you obtained from Wiz:
Field | Required | Description
API Endpoint URL | yes | The Wiz GraphQL API endpoint
Token URL | yes | The Wiz authentication (token) endpoint
Client ID | yes | Authentication field for the Wiz Service Account
Client Secret | yes | Authentication field for the Wiz Service Account
  3. Select Create and Run to save the integration and start its first run.
  4. Read the troubleshooting guidance below; the context deadline exceeded error it describes commonly appears after step 3.

Troubleshooting

❗️

Context deadline exceeded errors when running Wiz integration in Portal

The Wiz integration can take many hours to run (up to a day) the first time it executes, because of the large number of vulnerabilities that may exist in Wiz in total. This results in a context deadline exceeded error being reported by the Portal when the integration is run manually by a user in the Portal, either during the initial Create and Run step or when making changes thereafter.

This error indicates that the integration did not complete quickly enough for it to report its state to the Netography Fusion Portal, but it does not mean that the integration is not working.

Check the audit log to see if the integration completed successfully or if an error was returned by the API.

Check back in the Netography Fusion Portal in 24 hours to see if the context labels have been successfully populated.