Wiz
Enrich asset context with vulnerability, network exposure, and issue data from the Wiz cloud security platform
About
The Wiz NetoFuse module provides enriched asset context to Netography Fusion from the Wiz Cloud Security Platform. It gathers vulnerability, issue, and network exposure data about the cloud assets in your environment from the Wiz API, and uploads that data as Context Labels to the Netography Fusion API.
NetoFuse Modules: Cloud deployment vs. On-Prem deployment
This page documents how to add and configure the NetoFuse module for an on-prem deployment with a container or Python package. If you want to use the cloud deployment model and have this integration run in the Netography Fusion SaaS, you can add it as a context integration in the Netography Fusion Portal instead by consulting the Context Integrations documentation.
Use cases
Reduce investigation time
An AWS EC2 instance that has only ever communicated to the corporate network makes a new outbound connection to China. You may want to know more about this EC2 instance as you investigate this. The vulnerability context provided by Wiz is immediately available to you without having to pivot to another tool or ask another analyst with direct access to Wiz for this information.
Enhance monitoring for vulnerable assets
Cloud assets with high-severity vulnerabilities are at higher risk of being exploited and becoming the source of malicious activity. Now that the vulnerability state of these assets is directly available, you can use that information to monitor these assets, including:
- Creating and viewing dashboards focused on activity from the most vulnerable assets
- Create a custom escalation workflow for network activity, such as potential network scanning or exfiltration when it comes from a highly vulnerable asset
- Build custom detections that include the vulnerability state of the asset
You can use the following NQL
to accomplish this:
label.ip.cvss_rating == critical || label.ip.cvss_rating == high
Monitor network activity for assets with high-profile vulnerabilities while they are being remediated
A new vulnerability has been released and is being actively exploited in cloud environments. You can focus your attention on the network activity for assets that Wiz has identified as vulnerable to this issue. By watching the assets with a highly visible vulnerability more closely, you can identify potential indicators of compromise and act on them during the critical period before the vulnerability is remediated.
You can use the following NQL
to accomplish this:
label.ip.cve == CVE-2023-0123
Context Labels
These context labels are written when using the default module configuration.
Context Name | Description | Examples |
---|---|---|
vuln_count | The number of vulnerabilities found on the asset | 5 |
cvss_rating | The list CVSS ratings of the vulnerabilities found on the asset | critical |
cve | The CVEs of the vulnerabilities found on the asset | CVE-2023-0123 |
cvss_score | List of CVSS scores of the vulnerabilities found on the asset | 9.8, 7.5, 5.0 |
os | The operating system of the asset | linux |
wiz_asset_name | The name of the asset in Wiz | my-ec2-instance |
If network exposures are enabled, the following additional context labels are available:
Context Name | Description | Examples |
---|---|---|
wiz_network_max_severity | The highest severity of the network exposure found on the asset | critical |
wiz_network_max_severity_value | The CVSS score of the highest severity network exposure found on the asset | 9.8 |
wiz_network_max_severity_description | The description of the highest severity network exposure found on the asset | Remote Code Execution |
If issue monitoring is enabled, the following additional context labels are available:
Context Name | Description | Examples |
---|---|---|
wiz_issue_id | The IDs of the issue in Wiz | 12345 |
wiz_issue_title | The title list of the issues in Wiz | Remote Code Execution |
wiz_issue_severity | The severities list of the issues in Wiz | critical |
wiz_issue_status | The status list of the issues in Wiz | open |
wiz_issue_type | The type list of the issues in Wiz | vulnerability |
The Wiz NetoFuse module is named
wiz2
The first version of Wiz context integration pre-dated NetoFuse and was available only for cloud deployment. The new version is a NetoFuse module, so it is named
wiz2
to differentiate it from the original context integration.
Configuring
Configure a service account
A Wiz Service Account is used to authenticate with the Wiz Integration API. The service account must possess these listed permissions:
Permissions Required |
---|
create:reports |
read:reports |
update:reports |
read:vulnerabilities |
read:issues |
read:network_exposures |
Consult Wiz documentation for the steps needed to create this account and configure permissions.
API parameters required
All the fields required for this integration are listed here.
Wiz Field | Description |
---|---|
Wiz API Endpoint URL | The URL for the Wiz API endpoint. Find this parameter in your Wiz tenant by clicking Profile > User Settings and copying the API Endpoint URL field. e.g.http://api.<region>.app.wiz.io/graphql |
Wiz Token URL | The URL for the Wiz token endpoint. For all Wiz commercial customers, this should be set to:https://auth.app.wiz.io/oauth/token |
Wiz Client ID | The client ID for the Wiz service account |
Wiz Client Secret | The client secret for the Wiz service account |
wiz2
NetoFuse Module Configuration
wiz2
NetoFuse Module ConfigurationAll the fields required for this integration are listed above in the API Configuration Parameters section. See Configure > module for additional options for setting configuration fields and Credential Storage for additional options for setting credentials.
Advanced Configuration Options
The following configuration options are available for the module.
Configuration Option | Description | Default Value |
---|---|---|
severities | If this is set, vulnerabilities and issues are filtered only to include those with the listed severities. Valid values are LOW, MEDIUM, HIGH, CRITICAL Format (in Fusion Portal or JSON config): Comma-separated list enclosed in brackets, e.g. ["HIGH","CRITICAL"] Format in YAML: a YAML list, e.g.: severities: - CRITICAL - HIGH All severities are included if this is left blank | None |
fetch_issues | Set to true to fetch issues from Wiz | false |
fetch_network_exposures | Set to true to fetch network exposures from Wiz | false |
project_id | The Wiz project ID to use for the integration. If you would like this to run as global, leave as the default * | * |
issue_report_id | The ID of the report to fetch issues from. If left blank, this will create a new report. This can typically be left blank. | None |
audience | This value is passed to the Wiz API and is used internally by Wiz. | wiz-api |
Default wiz2
Module Configuration
wiz2
Module Configurationwiz2:
token_url:
endpoint_url:
audience:
project_id:
credentials:
client_id:
client_secret:
severities:
fetch_issues:
fetch_network_exposures:
issue_report_id:
transform:
vulnerableAsset.ipAddresses:
context: ip
vulnerableAsset.operatingSystem:
context: os
function:
function: transform_os
score:
context: cvss_score
cve:
context: cve
CVSSSeverity:
context: cvss_rating
vulnerableAsset.name:
context: wiz_asset_name
issue_id:
context: wiz_issue_id
issue_title:
context: wiz_issue_title
issue_severity:
context: wiz_issue_severity
issue_status:
context: wiz_issue_status
issue_type:
context: wiz_issue_type
vuln_count:
context: vuln_count
network_max_severity:
context: wiz_network_max_severity
network_max_severity_value:
context: wiz_network_max_severity_value
network_max_severity_description:
context: wiz_network_max_severity_description
removed:
context: removed
Updated about 2 months ago