Wiz

📘 2 versions of the Wiz context integration are available

Use Wiz-2 for new Wiz integrations.

You will see two Wiz context integrations in the Fusion Portal (Wiz and Wiz-2). The newer version is Wiz-2. Wiz-2 is built as a NetoFuse module, is available for both cloud and on-prem deployment, and adds issue and network exposure handling, along with the flexibility of using NetoFuse transforms to customize the context fields. Both versions will be available for a brief period while existing users migrate to the new version, after which Wiz-2 will be renamed Wiz in the Fusion Portal.

☁️NetoFuse Modules: Cloud deployment vs. On-Prem deployment

This page documents how to add and configure the NetoFuse module for an on-prem deployment with a container or Python package. If you want to use the cloud deployment model and have this integration run in the Netography Fusion SaaS, you can add it as a context integration in the Netography Fusion Portal instead by consulting the Context Integrations documentation.

About

The Wiz context integration provides enriched asset context to Netography Fusion from the Wiz Cloud Security Platform. It gathers vulnerability data about the cloud assets in your environment from the Wiz API, and adds that as Context Labels in Netography Fusion.

Use cases

Reduce investigation time

An AWS EC2 instance that has only ever communicated with the corporate network makes a new outbound connection to China. You will want to know more about this EC2 instance as you investigate. The vulnerability context provided by Wiz is immediately available to you without having to pivot to another tool or ask another analyst with direct access to Wiz for this information.

Enhance monitoring for vulnerable assets

Cloud assets with high-severity vulnerabilities are at higher risk of being exploited and becoming the source of malicious activity. Now that the vulnerability state of these assets is directly available, you can use that information to monitor them, including:

  • Creating and viewing dashboards focused on activity from the most vulnerable assets

  • Creating a custom escalation workflow for network activity, such as potential network scanning or exfiltration, when it comes from a highly vulnerable asset

  • Building custom detections that include the vulnerability state of the asset

You can use the following NQL to accomplish this: label.ip.cvss_rating == critical || label.ip.cvss_rating == high

Monitor network activity for assets with high-profile vulnerabilities while they are being remediated

A new vulnerability has been released and is being actively exploited in cloud environments. You can focus your attention on the network activity for assets that Wiz has identified as vulnerable to this issue. By watching the assets with a highly visible vulnerability more closely, you can identify potential indicators of compromise and act on them during the critical period before the vulnerability is remediated.

You can use the following NQL to accomplish this: label.ip.cve == CVE-2023-0123

Context Labels

These context labels are written when using the default module configuration.

  • vuln_count: the number of vulnerabilities found on the asset (example: 5)

  • cvss_rating: the list of CVSS ratings of the vulnerabilities found on the asset (example: critical)

  • cve: the list of CVEs of the vulnerabilities found on the asset (example: CVE-2023-0123)

  • cvss_score: the list of CVSS scores of the vulnerabilities found on the asset (example: 9.8, 7.5, 5.0)

  • os: the operating system of the asset (example: linux)

  • wiz_asset_name: the name of the asset in Wiz (example: my-ec2-instance)

If network exposures are enabled, the following additional context labels are available:

  • wiz_network_max_severity: the highest severity of the network exposures found on the asset (example: critical)

  • wiz_network_max_severity_value: the CVSS score of the highest-severity network exposure found on the asset (example: 9.8)

  • wiz_network_max_severity_description: the description of the highest-severity network exposure found on the asset (example: Remote Code Execution)

If issue monitoring is enabled, the following additional context labels are available:

  • wiz_issue_id: the list of IDs of the issues in Wiz (example: 12345)

  • wiz_issue_title: the list of titles of the issues in Wiz (example: Remote Code Execution)

  • wiz_issue_severity: the list of severities of the issues in Wiz (example: critical)

  • wiz_issue_status: the list of statuses of the issues in Wiz (example: open)

  • wiz_issue_type: the list of types of the issues in Wiz (example: vulnerability)
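The following is an added illustration (not code from Netography or Wiz) of how an asset's vulnerability findings reduce to the default context labels above, how the Wiz Severities filter from the Configuration Parameters section narrows them, and how the two NQL expressions from the Use cases section evaluate against the result. The asset and finding dictionaries are constructed stand-ins for the Wiz API response, not its real schema; only the label names, the severity filter format and the NQL examples come from this page. The any-element-matches rule for list-valued labels is an assumption implied by the NQL examples, not something the page states.

```python
"""Deriving the Wiz context labels from an asset's findings.

Added illustration, not code from Netography or Wiz. The asset and finding
dictionaries are constructed stand-ins for the Wiz API response; only the label
names (vuln_count, cvss_rating, cve, cvss_score, os, wiz_asset_name) and the
severity filter format come from the documentation page.
"""
import json
from typing import Dict, Iterable, List, Optional, Set

ALLOWED_SEVERITIES = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}
# Highest first; used to order the cvss_rating list.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def parse_severity_filter(value: Optional[str]) -> Optional[Set[str]]:
    """Parse the 'Wiz Severities' field.

    Blank means no filter. Otherwise the field must be a JSON list such as
    ["HIGH","CRITICAL"]; anything else is rejected so a typo cannot silently
    become 'no filter' or 'filter everything out'.
    """
    if value is None or not value.strip():
        return None
    try:
        sevs = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError('Wiz Severities must be a JSON list like ["HIGH","CRITICAL"]') from exc
    if not isinstance(sevs, list) or not sevs or not all(isinstance(s, str) for s in sevs):
        raise ValueError("Wiz Severities must be a non-empty JSON list of strings")
    wanted = {s.upper() for s in sevs}
    unknown = wanted - ALLOWED_SEVERITIES
    if unknown:
        raise ValueError(f"unknown severities {sorted(unknown)}; valid values are LOW, MEDIUM, HIGH, CRITICAL")
    return wanted


def build_labels(asset: Dict, findings: Iterable[Dict],
                 severity_filter: Optional[Set[str]] = None) -> Dict:
    """Reduce one asset's findings to the default context labels.

    Each finding is a constructed dict with 'cve', 'severity' and 'score'.
    List-valued labels are de-duplicated (the same CVE reported against two
    packages yields one cve entry) while vuln_count counts every finding that
    passed the severity filter.
    """
    kept: List[Dict] = [
        f for f in findings
        if severity_filter is None or f["severity"].upper() in severity_filter
    ]
    ratings = {f["severity"].lower() for f in kept}
    return {
        "wiz_asset_name": asset["name"],
        "os": asset["os"].lower(),
        "vuln_count": len(kept),
        "cve": sorted({f["cve"] for f in kept}),
        "cvss_rating": sorted(ratings, key=SEVERITY_ORDER.index),
        "cvss_score": sorted({f["score"] for f in kept}, reverse=True),
    }


def label_matches(labels: Dict, name: str, value) -> bool:
    """Evaluate one 'label.ip.<name> == value' term.

    Assumption (not stated on the page): a list-valued label matches when any
    element equals the value, which is what the page's NQL examples imply.
    """
    current = labels.get(name)
    if isinstance(current, list):
        return value in current
    return current == value


# Constructed sample data: one EC2 instance with four findings, one of which is
# the same CVE reported a second time (e.g. in another package).
SAMPLE_ASSET = {"name": "my-ec2-instance", "os": "Linux"}
SAMPLE_FINDINGS = [
    {"cve": "CVE-2023-0123", "severity": "CRITICAL", "score": 9.8},
    {"cve": "CVE-2022-1111", "severity": "HIGH", "score": 7.5},
    {"cve": "CVE-2021-2222", "severity": "MEDIUM", "score": 5.0},
    {"cve": "CVE-2023-0123", "severity": "CRITICAL", "score": 9.8},
]

if __name__ == "__main__":
    unfiltered = build_labels(SAMPLE_ASSET, SAMPLE_FINDINGS)
    filtered = build_labels(SAMPLE_ASSET, SAMPLE_FINDINGS,
                            parse_severity_filter('["HIGH","CRITICAL"]'))
    print(json.dumps(unfiltered, indent=2))
    print(json.dumps(filtered, indent=2))
    # label.ip.cvss_rating == critical || label.ip.cvss_rating == high
    print(label_matches(filtered, "cvss_rating", "critical")
          or label_matches(filtered, "cvss_rating", "high"))
    # label.ip.cve == CVE-2023-0123
    print(label_matches(filtered, "cve", "CVE-2023-0123"))
```

Running the script with the constructed data prints the labels with and without the ["HIGH","CRITICAL"] filter: the count drops from 4 to 3 and the medium rating and 5.0 score disappear, while both NQL terms still match. The strict parser is deliberate: a filter that fails to parse should fail loudly rather than quietly collapse to "all severities".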

Configuring

Configure a service account

A Wiz Service Account is used to authenticate with the Wiz Integration API. The service account must have the following permissions, and no more than these (least privilege):

  • create:reports

  • read:reports

  • update:reports

  • read:vulnerabilities

  • read:issues

  • read:network_exposures

Consult Wiz documentation for the steps needed to create this account and configure permissions.

API parameters required

All the fields required for this integration are listed here.

  • Wiz API Endpoint URL: the URL for the Wiz API endpoint. Find this value in your Wiz tenant by clicking Profile > User Settings and copying the API Endpoint URL field, e.g. https://api.<region>.app.wiz.io/graphql (always https; the client secret must never travel over plain http).

  • Wiz Token URL: the URL for the Wiz token endpoint. For all Wiz commercial customers, this should be set to https://auth.app.wiz.io/oauth/token

  • Wiz Client ID: the client ID for the Wiz service account.

  • Wiz Client Secret: the client secret for the Wiz service account. Treat it like a password: it is only shown once when the service account is created, and it should not be stored in plain text outside the integration's configuration.

Configuring Fusion

Adding a Context Integration

In the Netography Fusion Portal:

  1. Select Settings at the bottom of the left-hand navigation menu

  2. Select Context Integrations in the Data Management section.

  3. Select the Add Integration button.

  4. Select a context integration from the list provided.

  5. Follow the configuration steps in the documentation for the context integration you selected.

Configuration Parameters

  • Name: a name for the integration.

  • Wiz API Endpoint URL: the URL for the Wiz API endpoint.

  • Wiz Token URL: the URL for the Wiz token endpoint.

  • Wiz Client ID: the client ID for the Wiz service account.

  • Wiz Client Secret: the client secret for the Wiz service account.

  • Wiz Project ID: the Wiz project ID to use for the integration. If you would like this to run globally, leave the default value *.

  • Wiz Severities: if set, vulnerabilities and issues are filtered to include only those with the listed severities. Valid values are LOW, MEDIUM, HIGH and CRITICAL. The format for this field is a comma-separated list enclosed in brackets, e.g. ["HIGH","CRITICAL"]. All severities are included if this is left blank.

  • Fetch Issues Toggle: enable this toggle if you would like to fetch issues from Wiz.

  • Fetch Network Exposures Toggle: enable this toggle if you would like to fetch network exposures from Wiz.

  • Wiz Audience: this value should always be set to wiz_api.
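The following is an added illustration (not code from Netography, NetoFuse or Wiz) of what the API parameters above are used for: it validates them, performs the OAuth 2.0 client-credentials exchange against the token URL, and sends one GraphQL request with the resulting bearer token, which is a quick way to confirm a service account works before entering its secret in the Portal. The HTTP transport is an injectable callable so the flow runs offline against the constructed fake at the bottom; the GraphQL query text is a placeholder, not a query against the real Wiz schema; the audience is passed through exactly as configured; and the credentials and <region> placeholder in SAMPLE_CONFIG are constructed and must be replaced with your own.

```python
"""Validating the Wiz API parameters and exercising the token exchange.

Added illustration, not code from Netography, NetoFuse or Wiz. Performs the
OAuth 2.0 client-credentials grant against the token URL, then one GraphQL
request with the bearer token. The transport is injectable so the flow can be
run offline with the constructed fake_post below.
"""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Token URL for Wiz commercial tenants, as given on the documentation page.
DEFAULT_TOKEN_URL = "https://auth.app.wiz.io/oauth/token"


def validate_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the parameters look sane.

    The client secret is sent in the body of the token request, so a plain-http
    URL would expose it on the wire: refuse anything but https.
    """
    problems = []
    for key in ("api_endpoint", "token_url"):
        url = urlparse(cfg.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} must use https, got {url.scheme!r}")
        if not url.netloc:
            problems.append(f"{key} has no host")
    if urlparse(cfg.get("api_endpoint", "")).path != "/graphql":
        problems.append("api_endpoint should end in /graphql")
    for key in ("client_id", "client_secret", "audience"):
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    return problems


def urllib_post(url: str, body: bytes, headers: dict):
    """Real transport: POST body and return (status, response_text)."""
    req = Request(url, data=body, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def fetch_token(cfg: dict, post=urllib_post) -> str:
    """OAuth 2.0 client-credentials grant: form-encoded POST to the token URL."""
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    form = urlencode({
        "grant_type": "client_credentials",
        "audience": cfg["audience"],
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }).encode()
    status, text = post(cfg["token_url"], form,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        # Do not echo the request in the error: it carries the client secret.
        raise RuntimeError(f"token request failed with HTTP {status}")
    tok = json.loads(text)
    if tok.get("token_type", "Bearer").lower() != "bearer" or not tok.get("access_token"):
        raise RuntimeError("token response did not contain a bearer access_token")
    return tok["access_token"]


def graphql(cfg: dict, token: str, query: str, variables=None, post=urllib_post) -> dict:
    """Send one GraphQL request with the bearer token; raise on any error."""
    payload = json.dumps({"query": query, "variables": variables or {}}).encode()
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    status, text = post(cfg["api_endpoint"], payload, headers)
    if status != 200:
        raise RuntimeError(f"GraphQL request failed with HTTP {status}")
    resp = json.loads(text)
    if resp.get("errors"):
        raise RuntimeError(f"GraphQL errors: {resp['errors']}")
    return resp["data"]


# Constructed configuration: replace <region> and the credentials with your own.
SAMPLE_CONFIG = {
    "api_endpoint": "https://api.<region>.app.wiz.io/graphql",
    "token_url": DEFAULT_TOKEN_URL,
    "client_id": "constructed-client-id",
    "client_secret": "constructed-client-secret",
    "audience": "wiz_api",   # value given on the documentation page
    "project_id": "*",       # default: run globally
}
FAKE_TOKEN = "constructed-access-token"


def fake_post(url: str, body: bytes, headers: dict):
    """Offline stand-in for the two Wiz endpoints; checks request shape only."""
    if url == DEFAULT_TOKEN_URL:
        form = parse_qs(body.decode())
        if form.get("grant_type") != ["client_credentials"] or "client_secret" not in form:
            return 400, json.dumps({"error": "invalid_request"})
        return 200, json.dumps({"access_token": FAKE_TOKEN, "token_type": "Bearer", "expires_in": 3600})
    if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
        return 401, json.dumps({"errors": [{"message": "unauthorized"}]})
    return 200, json.dumps({"data": {"ok": True}})


if __name__ == "__main__":
    token = fetch_token(SAMPLE_CONFIG, post=fake_post)
    print(graphql(SAMPLE_CONFIG, token, "query { __typename }", post=fake_post))
```

To check a real tenant, fill SAMPLE_CONFIG from the API parameters table and drop the post=fake_post arguments so the urllib transport is used. The validator runs before any request is made, so a mistyped http:// endpoint is rejected before the secret is sent anywhere, and error messages never include the request body.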

Advanced Configuration Parameters

In the Advanced Section, you can also configure the following fields (in most cases, you do not need to change these).

  • Trace Logs: enable this toggle to capture trace logs for the integration.

  • Issue Report ID: the ID of the report to fetch issues from. This is optional and only required if you are close to your report limit in Wiz and want to fetch issues from a specific existing report. Leave it blank to have the integration create a new report if one does not already exist.

  • Transform: see the Transforms section for more information.

Transforms

The Advanced section of the context integration contains the Transform field. This field allows you to add, remove, or change the mapping of fields returned by the vendor API to Netography Fusion context labels.

See the Context Transforms documentation section for more instructions on editing this field.

It may be helpful to first configure all the parameters and the Transform field with a NetoFuse container on your local system, and then copy those fields into the Portal once you have validated that everything is configured correctly.
