Wiz
About
The Wiz NetoFuse module provides enriched asset context to Netography Fusion from the Wiz Cloud Security Platform. It gathers vulnerability, issue, and network exposure data about the cloud assets in your environment from the Wiz API, and uploads that data as Context Labels to the Netography Fusion API.
Use cases
Reduce investigation time
An AWS EC2 instance that has only ever communicated to the corporate network makes a new outbound connection to China. You may want to know more about this EC2 instance as you investigate this. The vulnerability context provided by Wiz is immediately available to you without having to pivot to another tool or ask another analyst with direct access to Wiz for this information.
Enhance monitoring for vulnerable assets
Cloud assets with high-severity vulnerabilities are at higher risk of being exploited and becoming the source of malicious activity. Now that the vulnerability state of these assets is directly available, you can use that information to monitor these assets, including:
Creating and viewing dashboards focused on activity from the most vulnerable assets
Create a custom escalation workflow for network activity, such as potential network scanning or exfiltration when it comes from a highly vulnerable asset
Build custom detections that include the vulnerability state of the asset
You can use the following NQL to accomplish this:
label.ip.cvss_rating == critical || label.ip.cvss_rating == high
Monitor network activity for assets with high-profile vulnerabilities while they are being remediated
A new vulnerability has been released and is being actively exploited in cloud environments. You can focus your attention on the network activity for assets that Wiz has identified as vulnerable to this issue. By watching the assets with a highly visible vulnerability more closely, you can identify potential indicators of compromise and act on them during the critical period before the vulnerability is remediated.
You can use the following NQL to accomplish this:
label.ip.cve == CVE-2023-0123
Context Labels
These context labels are written when using the default module configuration.
vuln_count
The number of vulnerabilities found on the asset
5
cvss_rating
The list CVSS ratings of the vulnerabilities found on the asset
critical
cve
The CVEs of the vulnerabilities found on the asset
CVE-2023-0123
cvss_score
List of CVSS scores of the vulnerabilities found on the asset
9.8, 7.5, 5.0
os
The operating system of the asset
linux
wiz_asset_name
The name of the asset in Wiz
my-ec2-instance
If network exposures are enabled, the following additional context labels are available:
wiz_network_max_severity
The highest severity of the network exposure found on the asset
critical
wiz_network_max_severity_value
The CVSS score of the highest severity network exposure found on the asset
9.8
wiz_network_max_severity_description
The description of the highest severity network exposure found on the asset
Remote Code Execution
If issue monitoring is enabled, the following additional context labels are available:
wiz_issue_id
The IDs of the issue in Wiz
12345
wiz_issue_title
The title list of the issues in Wiz
Remote Code Execution
wiz_issue_severity
The severities list of the issues in Wiz
critical
wiz_issue_status
The status list of the issues in Wiz
open
wiz_issue_type
The type list of the issues in Wiz
vulnerability
Configuring
Configure a service account
A Wiz Service Account is used to authenticate with the Wiz Integration API. The service account must possess these listed permissions:
create:reports
read:reports
update:reports
read:vulnerabilities
read:issues
read:network_exposures
Consult Wiz documentation for the steps needed to create this account and configure permissions.
API parameters required
All the fields required for this integration are listed here.
Wiz API Endpoint URL
The URL for the Wiz API endpoint. Find this parameter in your Wiz tenant by clicking Profile > User Settings and copying the API Endpoint URL field. e.g.http://api.<region>.app.wiz.io/graphql
Wiz Token URL
The URL for the Wiz token endpoint. For all Wiz commercial customers, this should be set to:https://auth.app.wiz.io/oauth/token
Wiz Client ID
The client ID for the Wiz service account
Wiz Client Secret
The client secret for the Wiz service account
wiz2 NetoFuse Module Configuration
wiz2 NetoFuse Module ConfigurationAll the fields required for this integration are listed above in the API Configuration Parameters section. See Configure > module for additional options for setting configuration fields and Credential Storage for additional options for setting credentials.
Advanced Configuration Options
The following configuration options are available for the module.
severities
If this is set, vulnerabilities and issues are filtered only to include those with the listed severities. Valid values are LOW, MEDIUM, HIGH, CRITICAL
Format (in Fusion Portal or JSON config): Comma-separated list enclosed in brackets, e.g. ["HIGH","CRITICAL"]
Format in YAML: a YAML list, e.g.:
severities:
- CRITICAL
- HIGH
All severities are included if this is left blank
None
fetch_issues
Set to true to fetch issues from Wiz
false
fetch_network_exposures
Set to true to fetch network exposures from Wiz
false
project_id
The Wiz project ID to use for the integration. If you would like this to run as global, leave as the default *
*
issue_report_id
The ID of the report to fetch issues from. If left blank, this will create a new report. This can typically be left blank.
None
audience
This value is passed to the Wiz API and is used internally by Wiz.
wiz-api
Default wiz2 Module Configuration
wiz2 Module ConfigurationLast updated