Wiz
Enrich asset context with vulnerability, network exposure, and issue data from the Wiz cloud security platform
2 versions of the Wiz context integration are available
Use Wiz-2 for new Wiz integrations.
You will see 2 Wiz context integrations in the Fusion Portal (Wiz and Wiz-2). The newest version is Wiz-2. Wiz-2 is built as a NetoFuse module, available for both cloud an on-prem deployment, and has added issue and network exposure handling, along with the flexibility of using NetoFuse transforms to customize the context fields. Both versions will be available for a brief period of time while existing users migrate to the new version, and then
Wiz-2will be renamedWizin the Fusion portal.
NetoFuse Modules: Cloud deployment vs. On-Prem deployment
This page documents how to add and configure the NetoFuse module for an on-prem deployment with a container or Python package. If you want to use the cloud deployment model and have this integration run in the Netography Fusion SaaS, you can add it as a context integration in the Netography Fusion Portal instead by consulting the Context Integrations documentation.
About
The Wiz context integration provides enriched asset context to Netography Fusion from the Wiz Cloud Security Platform. It gathers vulnerability data about the cloud assets in your environment from the Wiz API, and adds that as Context Labels in Netography Fusion.
Use cases
Reduce investigation time
An AWS EC2 instance that has only ever communicated to the corporate network makes a new outbound connection to China. You may want to know more about this EC2 instance as you investigate this. The vulnerability context provided by Wiz is immediately available to you without having to pivot to another tool or ask another analyst with direct access to Wiz for this information.
Enhance monitoring for vulnerable assets
Cloud assets with high-severity vulnerabilities are at higher risk of being exploited and becoming the source of malicious activity. Now that the vulnerability state of these assets is directly available, you can use that information to monitor these assets, including:
- Creating and viewing dashboards focused on activity from the most vulnerable assets
- Create a custom escalation workflow for network activity, such as potential network scanning or exfiltration when it comes from a highly vulnerable asset
- Build custom detections that include the vulnerability state of the asset
You can use the following NQL to accomplish this:
label.ip.cvss_rating == critical || label.ip.cvss_rating == high
Monitor network activity for assets with high-profile vulnerabilities while they are being remediated
A new vulnerability has been released and is being actively exploited in cloud environments. You can focus your attention on the network activity for assets that Wiz has identified as vulnerable to this issue. By watching the assets with a highly visible vulnerability more closely, you can identify potential indicators of compromise and act on them during the critical period before the vulnerability is remediated.
You can use the following NQL to accomplish this:
label.ip.cve == CVE-2023-0123
Context Labels
These context labels are written when using the default module configuration.
| Context Name | Description | Examples |
|---|---|---|
| vuln_count | The number of vulnerabilities found on the asset | 5 |
| cvss_rating | The list CVSS ratings of the vulnerabilities found on the asset | critical |
| cve | The CVEs of the vulnerabilities found on the asset | CVE-2023-0123 |
| cvss_score | List of CVSS scores of the vulnerabilities found on the asset | 9.8, 7.5, 5.0 |
| os | The operating system of the asset | linux |
| wiz_asset_name | The name of the asset in Wiz | my-ec2-instance |
If network exposures are enabled, the following additional context labels are available:
| Context Name | Description | Examples |
|---|---|---|
| wiz_network_max_severity | The highest severity of the network exposure found on the asset | critical |
| wiz_network_max_severity_value | The CVSS score of the highest severity network exposure found on the asset | 9.8 |
| wiz_network_max_severity_description | The description of the highest severity network exposure found on the asset | Remote Code Execution |
If issue monitoring is enabled, the following additional context labels are available:
| Context Name | Description | Examples |
|---|---|---|
| wiz_issue_id | The IDs of the issue in Wiz | 12345 |
| wiz_issue_title | The title list of the issues in Wiz | Remote Code Execution |
| wiz_issue_severity | The severities list of the issues in Wiz | critical |
| wiz_issue_status | The status list of the issues in Wiz | open |
| wiz_issue_type | The type list of the issues in Wiz | vulnerability |
Configuring
Configure a service account
A Wiz Service Account is used to authenticate with the Wiz Integration API. The service account must possess these listed permissions:
| Permissions Required |
|---|
| create:reports |
| read:reports |
| update:reports |
| read:vulnerabilities |
| read:issues |
| read:network_exposures |
Consult Wiz documentation for the steps needed to create this account and configure permissions.
API parameters required
All the fields required for this integration are listed here.
| Wiz Field | Description |
|---|---|
| Wiz API Endpoint URL | The URL for the Wiz API endpoint e.g.http://api.<region>.app.wiz.io/graphql |
| Wiz Token URL | The URL for the Wiz token endpoint e.g. https://auth.app.wiz.io/oauth/token |
| Wiz Client ID | The client ID for the Wiz service account |
| Wiz Client Secret | The client secret for the Wiz service account |
Configuring Fusion
Wiz can take many hours to execute the first time it runs, causing a
Context deadline exceeded errorin Fusion Portal,The Wiz integration can take many hours to run (up to a day) the first time it executes due to the large number of vulnerabilities that may exist within Wiz in total. This will result in a context deadline exceeded error being reported by the Portal when the integration is run by a user in the Portal manually, either during the initial Create and Run step, or when making changes thereafter.
This error indicates that the integration did not complete quickly enough for it to report its state to the Netography Fusion Portal, but it does not mean that the integration is not working.
Check the audit log to see if the integration completed successfully or if an error was returned by the API.
Check back in the Netography Fusion Portal in 24 hours to see if the context labels have been successfully populated.
Adding a Context Integration
In the Netography Fusion Portal:
- Select Settings at the bottom of the left-hand navigation menu
- Select Context Integrations in the Data Management section.
- Select the Add Integration button.
- Select a context integration from the list provided.
- Follow the configuration steps in the documentation for the context integration you selected.
Configuration Parameters
| Field | Description |
|---|---|
| Name | A name for the integration |
| Wiz API Endpoint URL | The URL for the Wiz API endpoint |
| Wiz Token URL | The URL for the Wiz token endpoint |
| Wiz Client ID | The client ID for the Wiz service account |
| Wiz Client Secret | The client secret for the Wiz service account |
| Wiz Project ID | The Wiz project ID to use for the integration. If you would like this to run as global, leave as the default * |
| Wiz Severities | If this is set, vulnerabilities and issues are filtered only to include those with the listed severities. Valid values are LOW, MEDIUM, HIGH, CRITICAL The format for this field is a comma-separated list enclosed in brackets, e.g. ["HIGH","CRITICAL"] All severities are included if this is left blank |
| Fetch Issues Toggle | Enable this toggle if you would like to fetch issues from Wiz |
| Fetch Network Exposures Toggle | Enable this toggle if you would like to fetch network exposures from Wiz |
| Wiz Audience | This value should always be set to wiz_api |
Advanced Configuration Parameters
In the Advanced Section, you can also configure the following fields (in most cases, you do not need to change these).
| Field | Description |
|---|---|
| Trace Logs | Enable this toggle to capture trace logs for the integration |
| Issue Report ID | The ID of the report to fetch issues from. This is optional and only required if you are close to your report limit in Wiz and want to fetch issues from a specific report. Leave blank if you want to make a new report if does not exist. |
| Transform | See the Transforms section for more informatio |
Transforms
The Advanced section of the context integration contains the Transform field. This field allows you to add, remove, or change the mapping of fields returned by the vendor API to Netography Fusion context labels.
See the Context Transforms documentation section for more instructions on editing this field.
It may be helpful to first configure all the parameters and the transform field with a NetoFuse container on your local system and then copy those fields into the Portal once you have validated that everything is configured
Updated about 1 month ago