Wiz

Wiz is a cloud security tool that scans your cloud environments to provide complete visibility into every technology running in your cloud. You can bring virtual network, virtual machine, vulnerability and more data from Wiz into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Wiz when the data integration runs, and how to obtain that information from Wiz. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Wiz from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Wiz with Brinqa:

API URL: The Wiz API endpoint URL. The default URL is https://api.<region>.app.wiz.io.
Token URL: The Wiz API authentication token URL. The URL is specific to the identity provider (IdP) for the Wiz service account. See Table 1 for more information.
OAuth audience: The audience of your OAuth token. The audience is specific to your IdP. See Table 1 for more information.
Client ID and Client secret: The credentials associated with the Wiz service account, which must have permissions to log in to the API server and return data.

The Token URL and OAuth audience values depend on the IdP you use for the Wiz service account. The following table summarizes the different values:

Table 1. Wiz token URL and audience values

IdP	Token URL	Audience
Amazon Cognito	`https://auth.app.wiz.io/oauth/token`	`wiz-api`
Auth0	`https://auth.wiz.io/oauth/token`	`beyond-api`

Obtain the client ID and client secret from Wiz

For the Wiz connector to use the Wiz API, you must provide the client ID and client secret from an active Wiz service account.

To obtain these credentials, please follow the steps in the official Wiz documentation for Brinqa integration. This guide is maintained by Wiz and outlines the process for creating the required service account and assigning appropriate permissions.

note

If you do not have the permissions to create a service account or assign permissions, contact your Wiz administrator.

The Wiz connector was developed in collaboration with Wiz and adheres to their recommended solutions. It has been certified by Wiz to ensure optimal functionality and security.

Due to limitations with GraphQL in exporting large datasets, the connector generates reports in CSV format.
The Wiz connector generates one report per asset type for Vulnerabilities, with each report prefixed by BRINQA-VULNERABILITIES-REPORT_.
It also generates one report per inventory type for Inventory, with each report prefixed by BRINQA-INVENTORY-REPORT_. This lets you easily identify and monitor said reports.
These reports are automatically deleted from Wiz based on your specified data cleanup frequency.

Additional settings

The Wiz connector contains additional options for specific configuration:

Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
Maximum retries: The maximum number of times that the integration attempts to connect to the Wiz API before giving up and reporting a failure. The default setting is 5.
Report timeout (hours): The maximum number of hours to wait for a report to be generated before giving up and reporting a failure. The default setting is 4 hours.
Request timeout (secs): The maximum number of seconds allotted before a request will time out. The default setting is 600 seconds (10 minutes). Although it is not recommended, you can also enter zero (0) to disable timeouts.

Types of data to retrieve

The Wiz connector can retrieve the following types of data from the Wiz API:

Table 2: Data retrieved from Wiz

Category	Connector Object	Required	Maps to Data Model
Cloud Inventory	API Gateway	No	Not mapped
	Application Endpoint	No	Not mapped
	Backup Service	No	Not mapped
	Bucket	No	Not mapped
	CI/CD Service	No	Not mapped
	Cloud Log Configuration	No	Not mapped
	Compute Instance Group	No	Not mapped
	Container	Yes	Container
	Container Image	Yes	Container Image
	Container Registry	No	Not mapped
	Container Service	No	Not mapped
	Daemon Set	No	Not mapped
	Data Workload	No	Not mapped
	Database Server	Yes	Database Instance
	Deployment	No	Not mapped
	Encryption Key	No	Not mapped
	File System Service	No	Not mapped
	Firewall	No	Not mapped
	Kubernetes Cluster	No	Not mapped
	Load Balancer	No	Not mapped
	Messaging Service	No	Not mapped
	Raw Access Policy	No	Not mapped
	Resource Group	No	Not mapped
	Secret Container	No	Not mapped
	Serverless	Yes	Serverless
	Snapshot	No	Not mapped
	Storage Account	No	Not mapped
	Subnet	No	Not mapped
	Subscription	No	Not mapped
	Virtual Machine	Yes	Host
	Virtual Machine Image	Yes	Host Image
	Virtual Network	Yes	Network Segment
	Volume	No	Not mapped
	Web Service	No	Not mapped
Configuration	Configuration Finding	No	Violation
	Configuration Finding Definition	Yes	Violation Definition
Issue	Issue	Yes	Violation
	Issue Definition	Yes	Violation Definition
	Issue V2	No	Violation
	Issue Definition V2	No	Violation Definition
Secret	Secret Finding	No	Not mapped
	Secret Finding Definition	No	Not mapped
Vulnerability	Critical Vulnerability	No	Vulnerability
	High Vulnerability	No	Vulnerability
	Low Vulnerability	No	Vulnerability
	Medium Vulnerability	No	Vulnerability
	None Vulnerability	No	Vulnerability
	Vulnerability	Yes	Vulnerability
	Vulnerability Definition	Yes	Vulnerability Definition

This diagram shows how Configuration Finding, Issue, Secret Finding, and Vulnerability connector objects relate to their definitions and the inventory assets they are found in.

Figure 1: Connector object relationships

info

For detailed steps on how to view the data retrieved from Wiz in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Cloud Inventory

Common Inventory Attributes

The following attributes are shared across all cloud inventory connector objects (e.g., Virtual Machine, Container, Container Image, Database Server, Serverless, Virtual Network).

Table 3: Common inventory attribute mappings

Source Field	Attribute Name
graphEntity.providerUniqueId / externalId	UID
name / graphEntity.properties.name	NAME
graphEntity.properties.name	DESCRIPTION
(generated)	CATEGORIES
status / graphEntity.properties.status	STATUS
status / graphEntity.properties.status	PROVIDER_STATUS
status / graphEntity.properties.status	SOURCE_STATUS
region / graphEntity.properties.region	REGION
cloudPlatform	CLOUD_PLATFORM
cloudProviderURL	CLOUD_PROVIDER_URL
nativeType	NATIVE_TYPE
graphEntity.providerUniqueId	PROVIDER_ID
externalId	EXTERNAL_ID
type	RESOURCE_TYPE
cloudAccount.externalId	SUBSCRIPTION_ID
cloudAccount.name	SUBSCRIPTION_NAME
projects[].id	PROJECT_IDS
projects[].name	PROJECT_NAMES
tags / graphEntity.properties.tags	TAGS
lastSeen	LAST_SEEN
createdAt / graphEntity.properties.creationDate	SOURCE_CREATED_DATE
updatedAt	SOURCE_LAST_MODIFIED
firstSeen	FIRST_SEEN
isOpenToAllInternet	OPEN_TO_ALL_INTERNET
isAccessibleFromInternet	IS_ACCESSIBLE_FROM_INTERNET
hasAdminPrivileges	HAS_ADMIN_PRIVILEGES
hasHighPrivileges	HAS_HIGH_PRIVILEGES
hasSensitiveData	HAS_SENSITIVE_DATA
hasAccessToSensitiveData	HAS_ACCESS_TO_SENSITIVE_DATA
graphEntity.properties.applicationEndpoint.validatedOpenPorts	VALIDATED_OPEN_PORTS
technology.name	TECHNOLOGY_NAME
technology.stackLayer	TECHNOLOGY_STACK_LAYER
cloudAccount.cloudProvider	CLOUD_PROVIDER
regionLocation	REGION_LOCATION
typeFields.instanceType	INSTANCE_TYPE
resourceGroup.id	RESOURCE_GROUP_ID
resourceGroup.externalId	RESOURCE_GROUP_EXTERNAL_ID
graphEntity.properties.accessibleFrom.VPN	ACCESSIBLE_FROM_VPN
graphEntity.properties.accessibleFrom.otherSubscriptions	ACCESSIBLE_FROM_OTHER_SUBSCRIPTIONS
graphEntity.properties.accessibleFrom.otherVnets	ACCESSIBLE_FROM_OTHER_VNETS
projects[].name	PROJECTS

Application Endpoint

Includes all Common Inventory Attributes plus:

Table 4: Application Endpoint attribute mappings

Source Field	Attribute Name
graphEntity.properties.applicationEndpoint.additionalIds	ADDITIONAL_IDS
graphEntity.properties.tlsInfo.base64Certificate	BASE_64_CERTIFICATE
graphEntity.properties.tlsInfo.cipherSuite	CERTIFICATE_CIPHER_SUITE
graphEntity.properties.exposedProxies[].externalId	EXPOSED_PROXIES_EXTERNAL_IDS
graphEntity.properties.exposedProxies[].nativeType	EXPOSED_PROXIES_NATIVE_TYPES
graphEntity.properties.exposedProxies[].objectType	EXPOSED_PROXIES_OBJECT_TYPES
graphEntity.properties.exposedResources[].externalId	EXPOSED_RESOURCES_EXTERNAL_IDS
graphEntity.properties.exposedResources[].nativeType	EXPOSED_RESOURCES_NATIVE_TYPES
graphEntity.properties.exposedResources[].objectType	EXPOSED_RESOURCES_OBJECT_TYPES
graphEntity.properties.tlsInfo.handshakeComplete	HANDSHAKE_COMPLETE
graphEntity.properties.tlsInfo.negotiatedProtocol	NEGOTIATED_PROTOCOL
graphEntity.properties.tlsInfo.serverName	SERVER_NAME
graphEntity.properties.tlsInfo.tlsVersion	TLS_VERSION

Bucket

Includes all Common Inventory Attributes plus:

Table 5: Bucket attribute mappings

Source Field	Attribute Name
providerData.encrypted	ENCRYPTED
providerData.encryptionInTransit	ENCRYPTION_IN_TRANSIT
providerData.isPublic	IS_PUBLIC
providerData.loggingEnabled	LOGGING_ENABLED
providerData.publicExposure	PUBLIC_EXPOSURE
providerData.regionType	REGION_TYPE
providerData.retentionPeriod	RETENTION_PERIOD
providerData.versioningEnabled	VERSIONING_ENABLED
providerData.webHostingEnabled	WEB_HOSTING_ENABLED

Compute Instance Group

Includes all Common Inventory Attributes plus:

Table 6: Compute Instance Group attribute mappings

Source Field	Attribute Name
providerData.AvailabilityZones	AVAILABILITY_ZONES
providerData.DesiredCapacity	DESIRED_CAPACITY
providerData.Instances[].InstanceId	INSTANCES
providerData.MaxSize	MAX_SIZE
providerData.MinSize	MIN_SIZE

Container

Includes all Common Inventory Attributes plus:

Table 7: Container attribute mappings

Source Field	Attribute Name
graphEntity.properties.kubernetes.baseExtraData.clusterExternalId	CLUSTER_EXTERNAL_ID
graphEntity.properties.kubernetes.baseExtraData.clusterName	CLUSTER_NAME
graphEntity.properties.virtualMachineExternalId	HOST
graphEntity.properties.imageExternalId	IMAGE
graphEntity.properties.kubernetes.baseExtraData.flavour	KUBERNETES_FLAVOUR
graphEntity.properties.kubernetes.namespaceExternalId	KUBERNETES_NAMESPACE_EXTERNAL_ID
graphEntity.properties.Runtime	RUNTIME

Container Image

Includes all Common Inventory Attributes plus:

Table 8: Container Image attribute mappings

Source Field	Attribute Name
graphEntity.properties.kubernetes.baseExtraData.clusterExternalId	CLUSTER_EXTERNAL_ID
graphEntity.properties.kubernetes.baseExtraData.clusterName	CLUSTER_NAME
graphEntity.properties.imageTag / graphEntity.properties.registry	IMAGE
graphEntity.properties.repoExternalId	REPO_EXTERNAL_ID

Database Server

Includes all Common Inventory Attributes plus:

Table 9: Database Server attribute mappings

Source Field	Attribute Name
graphEntity.properties.atRestEncryption	ENCRYPTED
graphEntity.properties.engine / providerData.Engine	ENGINE
graphEntity.properties.engineVersion / providerData.EngineVersion	ENGINE_VERSION
graphEntity.properties.hasBackups	HAS_BACKUPS
providerData.DBInstanceIdentifier	INSTANCE_ID
providerData.Endpoint.Address	IP_ADDRESSES
graphEntity.properties.kind	KIND
graphEntity.properties.isManaged	MANAGED
graphEntity.properties.port / providerData.Endpoint.Port	PORT
graphEntity.properties.requiresAuth	REQUIRES_AUTH
graphEntity.properties.requiresSSL	REQUIRES_SSL
graphEntity.properties.runsOn.vertexObjectExternalId	RUNS_ON

Serverless

Includes all Common Inventory Attributes plus:

Table 10: Serverless attribute mappings

Source Field	Attribute Name
providerData.CodeSha256	CODE_SHA_256
providerData.CodeSize	CODE_SIZE
providerData.Environment	ENVIRONMENT
providerData.Handler	HANDLER
providerData.kind	KIND
providerData.MemorySize	MEMORY_SIZE
providerData.PackageType	PACKAGE_TYPE
providerData.requiresAuth	REQUIRES_AUTH
providerData.RevisionId	REVISION_ID
providerData.Role	ROLE
providerData.Runtime	RUNTIME
providerData.EphemeralStorage.Size	STORAGE_SIZE
providerData.Timeout	TIMEOUT

Virtual Machine

Includes all Common Inventory Attributes plus:

Table 11: Virtual Machine attribute mappings

Source Field	Attribute Name
providerData.Architecture	ARCHITECTURE
providerData (combined)	DNS_NAMES
graphEntity.properties.creationDate	FIRST_SEEN
providerData.PublicDnsName / providerData.properties.computerName / name	HOSTNAMES
graphEntity.properties.image.common.providerUniqueId	IMAGE
graphEntity.providerUniqueId (Azure, preferred) / graphEntity.properties.externalId (fallback)	INSTANCE_ID
typeFields.ipAddresses	IP_ADDRESSES
graphEntity.properties.isContainerHost	IS_CONTAINER_HOST
graphEntity.properties.isEphemeral	IS_EPHEMERAL
providerData.LaunchTime / providerData.lastStartTimestamp	LAST_STARTED
providerData.lastStopTimestamp	LAST_STOPPED
providerData.NetworkInterfaces[].MacAddress	MAC_ADDRESSES
providerData (cloud-specific)	MACHINE_TYPE
providerData.Monitoring.State	MONITORING
providerData.VpcId / providerData.networkInterfaces[].network	NETWORK_ID
graphEntity.properties.operatingSystem / typeFields.operatingSystem	OPERATING_SYSTEM
providerData.PrivateDnsName	PRIVATE_DNS_NAMES
typeFields.ipAddresses (filtered)	PRIVATE_IP_ADDRESSES
providerData.PublicDnsName	PUBLIC_DNS_NAMES
typeFields.ipAddresses (filtered)	PUBLIC_IP_ADDRESSES
providerData.StateReason	STATE_REASON
providerData.SubnetId / providerData.networkInterfaces[].subnetwork	SUBNET_ID

Virtual Machine Image

Includes all Common Inventory Attributes plus:

Table 12: Virtual Machine Image attribute mappings

Source Field	Attribute Name
providerData.family	FAMILY
providerData.ImageLocation	IMAGE_LOCATION
providerData.PlatformDetails	IMAGE_OS
providerData.ImageOwnerAlias	IMAGE_OWNER
providerData.isPublic	IS_PUBLIC
graphEntity.properties.operatingSystem	OPERATING_SYSTEM

Virtual Network

Includes all Common Inventory Attributes plus:

Table 13: Virtual Network attribute mappings

Source Field	Attribute Name
providerData.addressRangeEdges	ADDRESS_RANGE_EDGES
providerData.properties.enableDdosProtection	DDOS_PROTECTION_ENABLED
providerData.flowLogsEnabled	FLOW_LOGS_ENABLED
providerData.hasDeployedInstances	HAS_DEPLOYED_INSTANCES
providerData.addressRanges / providerData.CidrBlock	IPV4_RANGES
providerData.isDefault / providerData.IsDefault	IS_DEFAULT

Configuration

Configuration Finding

Table 14: Configuration Finding attribute mappings

Source Field	Attribute Name
AnalyzedAt	ANALYZED_AT
CloudSourceLink	CLOUD_SOURCE_LINK
ScopeObjectId	CLOUD_ACCOUNT_ID
CurrentConfigurationValue	CURRENT_CONFIGURATION_VALUE
ObjectName	ENTITY_NAME
ObjectType	ENTITY_TYPE
ExpectedConfigurationValue + CurrentConfigurationValue	EVIDENCE
ExpectedConfigurationValue	EXPECTED_CONFIGURATION_VALUE
FirstDetectedAt	FIRST_SEEN
LastDetectedAt	LAST_SEEN
Note	NOTE
ObjectCloudPlatform	OBJECT_CLOUD_PLATFORM
ObjectNativeType	OBJECT_NATIVE_TYPE
ObjectProviderId	OBJECT_PROVIDER_ID
ObjectRegion	OBJECT_REGION
ObjectTags	OBJECT_TAGS
ConfigurationPath	PATH
ProductIds	PRODUCT_IDS
Projects	PROJECTS
Status	PROVIDER_STATUS
Remediation	RECOMMENDATION
ResourceStatus	RESOURCE_STATUS
ScopeObjectProviderId	SCOPE_OBJECT_PROVIDER_ID
ScopeObjectType	SCOPE_OBJECT_TYPE
Severity	SEVERITY
Severity	SEVERITY_SCORE
Severity	SOURCE_SEVERITY
Status	SOURCE_STATUS
StatusChangedAt	SOURCE_LAST_MODIFIED
SubscriptionName	SUBSCRIPTION_NAME
ObjectExternalId / ObjectId / ObjectProviderId	TARGETS
ConfigurationRuleTags	CONFIGURATION_RULE_TAGS
ConfigurationRuleID / ConfigurationRuleName	TYPE
Id	UID

Configuration Finding Definition

Table 15: Configuration Finding Definition attribute mappings

Source Field	Attribute Name
Category	CATEGORIES
ConfigurationRuleDescription	DESCRIPTION
Framework	FRAMEWORKS
ConfigurationRuleName	NAME
Remediation	RECOMMENDATION
Severity	SEVERITY
Severity	SEVERITY_SCORE
Severity	SOURCE_SEVERITY
SubCategory	SUB_CATEGORIES
ConfigurationRuleID / ConfigurationRuleName	UID

Issue

Issue

Table 16: Issue attribute mappings

Source Field	Attribute Name
issue.dueAt	DUE_AT
issue.entitySnapshot.name	ENTITY_NAME
issue.entitySnapshot.nativeType	ENTITY_TYPE
issue.createdAt	FIRST_SEEN
issue.updatedAt	LAST_SEEN
issue.id	NAME
issue.control.resolutionRecommendation	RECOMMENDATION
issue.severity	SEVERITY
issue.status	STATUS
issue.entitySnapshot.providerId	TARGETS
issue.control.id	TYPE
issue.id	UID

Issue Definition

Table 17: Issue Definition attribute mappings

Source Field	Attribute Name
(generated)	CATEGORIES
control.description	DESCRIPTION
control.name	NAME
control.resolutionRecommendation	RECOMMENDATION
control.securityCategories	SECURITY_CATEGORIES
control.securitySubCategories	SECURITY_SUBCATEGORIES
control.severity	SEVERITY
control.type	TYPE
control.id	UID

Issue V2

Table 18: Issue V2 attribute mappings

Source Field	Attribute Name
issue.dueAt	DUE_AT
issue.entitySnapshot.name	ENTITY_NAME
issue.entitySnapshot.nativeType	ENTITY_TYPE
issue.createdAt	FIRST_SEEN
issue.updatedAt	LAST_SEEN
issue.id	NAME
issue.resolutionReason	RESOLUTION_REASON
issue.severity	SEVERITY
issue.status	STATUS
issue.entitySnapshot.providerId	TARGETS
issue.control.id	TYPE
issue.id	UID

Issue Definition V2

Table 19: Issue Definition V2 attribute mappings

Source Field	Attribute Name
(generated)	CATEGORIES
control.description	DESCRIPTION
control.enabled	ENABLED
control.name	NAME
control.resolutionRecommendation	RECOMMENDATION
control.securitySubCategories[].title	SECURITY_SUB_CATEGORIES
control.severity	SEVERITY
control.id	UID

Vulnerability

Vulnerability

Table 20: Vulnerability attribute mappings

Source Field	Attribute Name
vulnerability.vulnerableAsset.type	ASSET_TYPE
vulnerability.criticalRelatedIssuesCount	CRITICAL_RELATED_ISSUES_COUNT
vulnerability.cvssSeverity	CVSS_SEVERITY
Privileges Required (CVSS V3)	CVSS_V3_PR
User Interaction Required (CVSS V3)	CVSS_V3_UI
vulnerability.description	DESCRIPTION
vulnerability.detailedName	DESCRIPTION
vulnerability.detectionMethod	DETECTION_METHOD
vulnerability.vulnerableAsset.name	ENTITY_NAME
vulnerability.vulnerableAsset.type	ENTITY_TYPE
vulnerability.hasExploit	EXPLOIT_AVAILABLE
vulnerability.exploitabilityScore	EXPLOITABILITY_SCORE
vulnerability.firstDetectedAt	FIRST_SEEN
Is High Profile Threat	HIGH_PROFILE_THREAT
vulnerability.highRelatedIssuesCount	HIGH_RELATED_ISSUES_COUNT
vulnerability.impactScore	IMPACT_SCORE
vulnerability.infoRelatedIssuesCount	INFO_RELATED_ISSUES_COUNT
Initial Access Potential	INITIAL_ACCESS_POTENTIAL
vulnerability.lastDetectedAt	LAST_SEEN
vulnerability.limitedInternetAccess	LIMITED_INTERNET_ACCESS
vulnerability.locationPath	LOCATION_PATH
vulnerability.lowRelatedIssuesCount	LOW_RELATED_ISSUES_COUNT
vulnerability.mediumRelatedIssuesCount	MEDIUM_RELATED_ISSUES_COUNT
vulnerability.name	NAME
vulnerability.nvdSeverity	NVD_SEVERITY
vulnerability.resolutionReason	RESOLUTION_REASON
vulnerability.score	SCORE
vulnerability.vendorSeverity	SEVERITY
vulnerability.status	STATUS
vulnerability.vulnerableAsset.providerId	TARGETS
vulnerability.CVEDescription / vulnerability.name	TYPE
vulnerability.id	UID
vulnerability.vendorSeverity	VENDOR_SEVERITY
vulnerability.wideInternetAccess	WIDE_INTERNET_ACCESS
vulnerability.wizUrl	WIZ_URL

Vulnerability Definition

Table 21: Vulnerability Definition attribute mappings

Source Field	Attribute Name
vulnerability.affectedSoftware	AFFECTED
(generated)	CATEGORIES
vulnerability.cisaKevReleaseDate	CISA_ADDED_DATE
vulnerability.cisaKevDueDate	CISA_DUE_DATE
vulnerability.hasCisaKevExploit	CISA_EXPLOITED
vulnerability.cvssV2.attackComplexity	CVSS_V2_ACCESS_COMPLEXITY
vulnerability.cvssV2.attackVector	CVSS_V2_ATTACK_VECTOR
vulnerability.cvssV2.baseScore	CVSS_V2_BASE_SCORE
vulnerability.cvssV2.confidentialityImpact	CVSS_V2_CONFIDENTIALITY_IMPACT
vulnerability.cvssV2.integrityImpact	CVSS_V2_INTEGRITY_IMPACT
vulnerability.cvssV2.privilegesRequired	CVSS_V2_AUTHENTICATION
vulnerability.cvssV3.attackComplexity	CVSS_V3_ATTACK_COMPLEXITY
vulnerability.cvssV3.attackVector	CVSS_V3_ATTACK_VECTOR
vulnerability.cvssV3.confidentialityImpact	CVSS_V3_CONFIDENTIALITY_IMPACT
vulnerability.cvssV3.integrityImpact	CVSS_V3_INTEGRITY_IMPACT
vulnerability.cvssV3.privilegesRequired	CVSS_V3_PRIVILEGES_REQUIRED
vulnerability.cvssV3.userInteractionRequired	CVSS_V3_USER_INTERACTION
vulnerability.CVEDescription / vulnerability.description	DESCRIPTION
vulnerability.epssPercentile	EPSS_PERCENTILE
vulnerability.epssScore	EPSS_SCORE
vulnerability.hasExploit	EXPLOIT_AVAILABLE
vulnerability.hasExploit / vulnerability.hasCisaKevExploit	EXPLOITABILITY
vulnerability.exploitabilityScore	EXPLOITABILITY_SCORE
vulnerability.externalId	EXTERNAL_UIDS
vulnerability.name	NAME
vulnerability.nvdSeverity	NVD_SEVERITY
vulnerability.publishedAt	PUBLISHED_DATE
vulnerability.remediation	RECOMMENDATION
vulnerability.references / vulnerability.sourceUrl	REFERENCES
vulnerability.score	SCORE
vulnerability.vendorSeverity	SEVERITY
vulnerability.name	UID
vulnerability.vendorSeverity	VENDOR_SEVERITY

Secret

Secret Finding

Table 22: Secret Finding attribute mappings

Source Field	Attribute Name
applicationServices	APPLICATION_SERVICES
resource.cloudAccount.*	CLOUD_ACCOUNT_ID / CLOUD_ACCOUNT_NAME / CLOUD_PROVIDER / CLOUD_PROVIDER_URL
resource.typedProperties.repository.id	CODE_REPOSITORY_ID
resource.typedProperties.repository.name	CODE_REPOSITORY_NAME
resource.typedProperties.repository.platform	CODE_REPOSITORY_PLATFORM
codeToCloudPipelineStage	CODE_TO_CLOUD_PIPELINE_STAGE
confidence	CONFIDENCE
resource.typedProperties.registry.id	CONTAINER_REGISTRY_ID
resource.typedProperties.registry.name	CONTAINER_REGISTRY_NAME
environments	ENVIRONMENTS
firstSeenAt	FIRST_FOUND
resource.typedProperties.isDefaultBranch	IS_DEFAULT_BRANCH
isEncrypted	IS_ENCRYPTED
isManaged	IS_MANAGED
resolvedAt	LAST_FIXED
lastSeenAt	LAST_FOUND
resource.typedProperties.networkProperties.hasLimitedInternetExposure	LIMITED_INTERNET_ACCESS
projects	PROJECTS
relatedApplicationServices	RELATED_APPLICATION_SERVICES
relatedIssueAnalytics.*SeverityCount / issueCount	*_RELATED_ISSUES_COUNT
resolutionReason	RESOLUTION_REASON
resource.id / resource.name / resource.type / resource.nativeType / resource.region / resource.status / resource.tags	RESOURCE_*
scanType	SCAN_TYPE
secretDataId	SECRET_DATA_ID
type	SECRET_TYPE
severity	SEVERITY / SOURCE_SEVERITY / SEVERITY_SCORE
status	STATUS / SOURCE_STATUS / PROVIDER_STATUS / STATUS_CATEGORY
resource.id / resource.externalId / repo / registry IDs	TARGETS
rule.id (fallback rule.name, type)	TYPE
id	UID
validationStatus	VALIDATION_STATUS
vcsCodeAuthors	VCS_CODE_AUTHORS
vcsCodeOwners	VCS_CODE_OWNERS
resource.typedProperties.networkProperties.hasWideInternetExposure	WIDE_INTERNET_ACCESS

Secret Finding Definition

Table 23: Secret Finding Definition attribute mappings

Source Field	Attribute Name
["Secret", rule.type]	CATEGORIES
rule.description	DESCRIPTION
rule.name	NAME
rule.remediationInstructions	RECOMMENDATION
rule.severity	SEVERITY / SOURCE_SEVERITY / SEVERITY_SCORE
type	TAGS
rule.id (fallback rule.name, type)	UID

Operation options

The Wiz connector supports the following operation options. See connector operation options for information about how to apply them.

Expand the sections below to view the supported operation options per connector object.

Cloud Inventory

Common Inventory Operation Options

All cloud inventory objects share the following operation options. These options filter the data retrieved from Wiz V2 Cloud Inventory Reports.

Table 15: Common inventory operation options

Connector Object	Option	All Possible Values	Description	Example
All inventory objects	subscriptionId	Any cloud subscription or account ID(s).	A comma-separated list to filter inventory objects by their cloud subscription or account ID.	Key: `subscriptionId`, Value: `sub-123,sub-456`. This key and value combination only retrieves inventory objects for subscription IDs `sub-123` and `sub-456`.
	region	Any cloud region string.	A comma-separated list to filter inventory objects by their cloud region.	Key: `region`, Value: `us-east-1,eu-west-1`. This key and value combination only retrieves inventory objects in the `us-east-1` and `eu-west-1` regions.
	cloudPlatform	AWS, Azure, GCP, OCI, Alibaba, VMware vSphere	A comma-separated list to filter inventory objects by their cloud platform.	Key: `cloudPlatform`, Value: `AWS,Azure`. This key and value combination only retrieves inventory objects for the `AWS` and `Azure` cloud platforms.
	hasAdminPrivileges	true or false	Filter inventory objects by whether the resource has admin privileges.	Key: `hasAdminPrivileges`, Value: `true`. This key and value combination only retrieves inventory objects with admin privileges.
	hasHighPrivileges	true or false	Filter inventory objects by whether the resource has high privileges.	Key: `hasHighPrivileges`, Value: `true`. This key and value combination only retrieves inventory objects with high privileges.
	hasSensitiveData	true or false	Filter inventory objects by whether the resource has sensitive data.	Key: `hasSensitiveData`, Value: `true`. This key and value combination only retrieves inventory objects with sensitive data.
	hasAccessToSensitiveData	true or false	Filter inventory objects by whether the resource has access to sensitive data.	Key: `hasAccessToSensitiveData`, Value: `true`. This key and value combination only retrieves inventory objects with access to sensitive data.
	isAccessibleFromInternet	true or false	Filter inventory objects by whether the resource is accessible from the internet.	Key: `isAccessibleFromInternet`, Value: `true`. This key and value combination only retrieves inventory objects accessible from the internet.
	isOpenToAllInternet	true or false	Filter inventory objects by whether the resource is open to all internet.	Key: `isOpenToAllInternet`, Value: `true`. This key and value combination only retrieves inventory objects open to all internet.
	hasNote	true or false	Filter inventory objects by whether the resource has associated notes.	Key: `hasNote`, Value: `true`. This key and value combination only retrieves inventory objects with notes.
	technologyName	Any technology name string.	A comma-separated list to filter inventory objects by their technology name.	Key: `technologyName`, Value: `Apache,Nginx`. This key and value combination only retrieves inventory objects with the technology names `Apache` and `Nginx`.
	technologyCategory	Any technology category string.	A comma-separated list to filter inventory objects by their technology category.	Key: `technologyCategory`, Value: `Web Server,Database`. This key and value combination only retrieves inventory objects with the technology categories `Web Server` and `Database`.
	technologyStackLayer	Application & Data, Cloud Entitlements, Data Stores, Machine Learning & AI, Networking, Security & Identity	A comma-separated list to filter inventory objects by their technology stack layer.	Key: `technologyStackLayer`, Value: `Application & Data,Networking`. This key and value combination only retrieves inventory objects with the specified technology stack layers.

Configuration

Configuration Finding

Table 16: Configuration Finding operation options

Connector Object	Option	All Possible Values	Description	Example
Configuration Finding	frameworkCategory	Any Wiz framework category ID(s).	A comma-separated list to filter configuration findings by their associated framework category.	Key: `frameworkCategory`, Value: `wct-id-4,wct-id-7`. This key and value combination only retrieves configuration findings for framework categories `wct-id-4` and `wct-id-7`.
	includeDeleted	true or false	Include or exclude deleted configuration findings in the results. Leave the value blank to indicate all findings.	Key: `includeDeleted`, Value: `false`. This key and value combination excludes deleted configuration findings from the results.
	ruleName	Any string identifying a rule name.	A comma-separated list to filter configuration findings by the specified rule names.	Key: `ruleName`, Value: `ruleName1`,`ruleName2`. This key and value combination only retrieves findings related to the `ruleName1` and `ruleName2` rules.
	resourceType	Any string identifying a resource type.	A comma-separated list to filter configuration findings by the specified resource type.	Key: `resourceType`, Value: `type1`,`type2`. This key and value combination only retrieves configuration findings for resources of type `Server`.
	result	ERROR, FAIL, NOT_ASSESSED, PASSED	A comma-separated list to filter configuration findings based on their result status. Leave the value blank to indicate all result statuses.	Key: `result`, Value: `ERROR`,`FAIL`. This key and value combination only retrieves findings with an `ERROR` or `FAIL` result status.
	severity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter configuration findings based on severity.	Key: `severity`, Value: `HIGH`,`CRITICAL`. This key and value combination only retrieves findings with a severity of `HIGH` or `CRITICAL`.
	status	OPEN, RESOLVED, REJECTED	A comma-separated list to filter configuration findings by their status.	Key: `status`, Value: `OPEN`,`REJECTED`. This key and value combination only retrieves findings that are in the `OPEN` or `REJECTED` status.

Configuration Finding Definition

Table 26: Configuration Finding Definition operation options

Connector Object	Option	All Possible Values	Description	Example
Configuration Finding Definition	frameworkCategory	Any Wiz framework category ID(s).	A comma-separated list to filter configuration finding definitions by their associated framework category.	Key: `frameworkCategory`, Value: `wct-id-4,wct-id-7`. This key and value combination only retrieves configuration finding definitions for framework categories `wct-id-4` and `wct-id-7`.
	includeDeleted	true or false	Include or exclude deleted configuration finding definitions in the results. Leave the value blank to indicate all configuration finding definitions.	Key: `includeDeleted`, Value: `false`. This key and value combination excludes deleted configuration finding definitions from the results.
	resourceType	Any string identifying a resource type.	A comma-separated list to filter configuration finding definitions by the specified resource type.	Key: `resourceType`, Value: `type1`,`type2`. This key and value combination only retrieves configuration finding definitions for resources of type `Server`.
	ruleName	Any string identifying a rule name.	A comma-separated list to filter configuration finding definitions by the specified rule names.	Key: `ruleName`, Value: `ruleName1`,`ruleName2`. This key and value combination only retrieves configuration finding definitions related to the `ruleName1` and `ruleName2` rules.
	result	ERROR, FAIL, NOT_ASSESSED, PASSED	A comma-separated list to filter configuration finding definitions based on their result status. Leave the value blank to indicate all result statuses.	Key: `result`, Value: `ERROR`,`FAIL`. This key and value combination only retrieves configuration finding definitions with an `ERROR` or `FAIL` result status.
	severity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter configuration finding definitions based on severity.	Key: `severity`, Value: `HIGH`,`CRITICAL`. This key and value combination only retrieves configuration finding definitions with a severity of `HIGH` or `CRITICAL`.
	status	OPEN, RESOLVED, REJECTED	A comma-separated list to filter configuration finding definitions by their status.	Key: `status`, Value: `OPEN`,`REJECTED`. This key and value combination only retrieves configuration finding definitions that are in the `OPEN` or `REJECTED` status.

Issue

Issue & Issue Definition

Table 18: Issue and Issue Definition operation options

Connector Object	Option	All Possible Values	Description	Example
Issue	type	CLOUD_CONFIGURATION, THREAT_DETECTION, TOXIC_COMBINATION	A comma-separated list of issue types. You can use this option to filter issues by their issue type, as determined by Wiz.	Key: `type` Value: `THREAT_DETECTION`,`TOXIC_COMBINATION`. This key and value combination only retrieves issues with the specified type.
Issue, Issue Definition	fetchInterval	A duration string using `d` (days), `h` (hours), or `M` (months).	The time window of data to query during synchronization. The default is `30d` (30 days).	Key: `fetchInterval`, Value: `7d`. This key and value combination retrieves data from the last 7 days.
	frameworkCategory	Any Wiz framework category ID(s).	A comma-separated list to filter issues by their associated framework category.	Key: `frameworkCategory`, Value: `wct-id-4,wct-id-7`. This key and value combination only retrieves issues for framework categories `wct-id-4` and `wct-id-7`.
	hasAutoRemediation	true or false	Filter issues with or without auto remediation.	Key: `hasAutoRemediation` Value: `true`. This key and value combination only retrieves issues with auto remediation.
	hasRemediation	true or false	Filter issues with or without remediation.	Key: `hasRemediation` Value: `false`. This key and value combination only retrieves issues without a remediation.
	hasServiceTicket	true or false	Filter issues with or without a related service ticket.	Key: `hasServiceTicket` Value: `true`. This key and value combination only retrieves issues with related service tickets.
	issueFetchThreads	Integer	The number of threads used for concurrent fetching of issue details. Default is 4.	Key: `issueFetchThreads` Value: `8`. This key and value combination uses 8 threads for fetching issue details.
	projectId	Any project ID(s).	Filter issues associated with the specified project ID. Leave the value blank to indicate all project IDs.	Key: `projectId` Value: `1234`. This key and value combination only retrieves issues for project ID `1234`.
	resolutionReason	CONTROL_CHANGED, CONTROL_DISABLED, CONTROL_DELETED, EXCEPTION, FALSE_POSITIVE, ISSUE_FIXED, OBJECT_DELETED, WONT_FIX	A comma-separated list to filter issues by resolution reason. Leave the value blank to indicate all resolution reasons.	Key: `resolutionReason` Value: `FALSE_POSITIVE`. This key and value combination only retrieves issues that are false positives.
	severity	CRITICAL, HIGH, INFORMATIONAL, LOW, MEDIUM	A comma-separated list to filter issues based on severity. Leave the value blank to indicate all severities.	Key: `severity` Value: `LOW, MEDIUM`. This key and value combination only retrieves issues of low or medium severity.
	stackLayer	APPLICATION_AND_DATA, CI_CD, CLOUD_ENTITLEMENTS, CODE, COMPUTE_PLATFORMS, DATA_STORES, SECURITY_AND_IDENTITY	A comma-separated list to filter issues from a specified stack layer. Leave the value blank to indicate all stack layers.	Key: `stackLayer` Value: ``. This key and value combination retrieves issues from all stack layers.
	status	IN_PROGRESS, OPEN, REJECTED, RESOLVED	A comma-separated list to filter issues by their status. Leave the value blank to indicate all statuses.	Key: `status` Value: `OPEN`. This key and value combination only retrieves open issues.

Vulnerability

Vulnerability

Table 19: Vulnerability operation options

Connector Object	Option	All Possible Values	Description	Example
Vulnerability	assetHasAdminPrivileges	true or false	Filter vulnerabilities for assets with or without admin privileges.	Key: `assetHasAdminPrivileges` Value: `true`. This key and value combination only retrieves vulnerabilities for assets with admin privileges.
	assetHasHighPrivileges	true or false	Filter vulnerabilities for assets with or without high privileges.	Key: `assetHasHighPrivileges`, Value: `false`. This key and value combination only retrieves vulnerabilities for assets without high privileges.
	assetId	Any Wiz asset ID(s).	A comma-separated list to filter vulnerabilities by the asset ID. Leave the value blank to indicate all asset IDs.	Key: `assetId`, Value: `1234,5678`. This key and value combination only retrieves vulnerabilities for asset IDs `1234` and `5678`.
	assetStatus	Active, Error, Inactive	A comma-separated list to filter vulnerabilities for assets with the specified status. Leave the value blank to indicate all asset statuses.	Key: `assetStatus`, Value: `Active,Error`. This key and value combination only retrieves vulnerabilities from assets with statuses `Active` and `Error`.
	assetType	VIRTUAL_MACHINE, CONTAINER, CONTAINER_IMAGE, REPOSITORY_BRANCH, SERVERLESS	A comma-separated list to filter vulnerabilities by the asset type. Leave the value blank to indicate all asset types.	Key: `assetType`, Value: `CONTAINER,SERVERLESS`. This key and value combination only retrieves vulnerabilities for the asset types `CONTAINER` and `SERVERLESS`.
	baseContainerImage	Any string identifying a base container image.	A comma-separated list to filter vulnerabilities by their base container image.	Key: `baseContainerImage`, Value: `ubuntu:latest,alpine:3.15`. This key and value combination only retrieves vulnerabilities for the base container images `ubuntu:latest` and `alpine:3.15`.
	cnaScore	Any numeric value from 0.1-10.0	Retrieve all vulnerabilities with a CVE Numbering Authority (CNA) score of the specified value or higher.	Key: `cnaScore`, Value: `7.5`. This key and value combination only retrieves vulnerabilities with a CNA score of `7.5` or higher.
	cloudPlatforms	Any string identifying a cloud platform.	A comma-separated list to filter vulnerabilities by their associated cloud platform.	Key: `cloudPlatforms`, Value: `AWS,Azure`. This key and value combination only retrieves vulnerabilities for the cloud platforms `AWS` and `Azure`.
	containerRegistry	Any name identifying a container registry.	A comma-separated list to filter vulnerabilities associated with the specified container registry.	Key: `containerRegistry`, Value: `ECR,GCR`. This key and value combination only retrieves vulnerabilities related to the container registries `ECR` and `GCR`.
	containerRepository	Any name identifying a container repository.	A comma-separated list to filter vulnerabilities associated with the specified container repository.	Key: `containerRepository`, Value: `Azure Container Repository,Docker Hub`. This key and value combination only retrieves vulnerabilities in the repositories `Azure Container Repository` and `Docker Hub`.
	containerServiceId	Any string identifying a container service ID.	A comma-separated list to filter vulnerabilities by their associated container service ID.	Key: `containerServiceId`, Value: `service-123,service-456`. This key and value combination only retrieves vulnerabilities for the container service IDs `service-123` and `service-456`.
	detailedName	Any string identifying a detailed name.	A comma-separated list to filter vulnerabilities by their detailed name.	Key: `detailedName`, Value: `Critical Vulnerability,High Risk`. This key and value combination only retrieves vulnerabilities with the detailed names `Critical Vulnerability` and `High Risk`.
	detectionMethod	DEFAULT_PACKAGE, FILE_PATH, INSTALLED_PROGRAM, INSTALLED_PROGRAM_BY_SERVICE, LIBRARY, OS, PACKAGE	A comma-separated list to filter vulnerabilities found by the specified detection method. Leave the value blank to indicate all detection methods.	Key: `detectionMethod`, Value: `FILE_PATH,PACKAGE`. This key and value combination only retrieves vulnerabilities detected through `FILE_PATH` and `PACKAGE`.
	effectiveAttackVector	Any string identifying an attack vector.	A comma-separated list to filter vulnerabilities by their effective attack vector.	Key: `effectiveAttackVector`, Value: `NETWORK,PHYSICAL`. This key and value combination only retrieves vulnerabilities with the effective attack vectors `NETWORK` and `PHYSICAL`.
	hasCisaKevExploit	true or false	Filter vulnerabilities with or without an available Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) exploit.	Key: `hasCisaKevExploit`, Value: `true`. This key and value combination only retrieves vulnerabilities with a CISA KEV exploit.
	hasExploit	true or false	Filter vulnerabilities with or without an available exploit.	Key: `hasExploit`, Value: `false`. This key and value combination only retrieves vulnerabilities without an exploit.
	hasFix	true or false	Filter vulnerabilities with or without an available fix.	Key: `hasFix`, Value: `true`. This key and value combination only retrieves vulnerabilities with a fix.
	hasTriggerableRemediation	true or false	Filter vulnerabilities by whether they have triggerable remediation.	Key: `hasTriggerableRemediation`, Value: `true`. This key and value combination only retrieves vulnerabilities with triggerable remediation.
	isAssetAccessibleFromInternet	true or false	Filter vulnerabilities for assets by whether the associated asset is accessible from the internet, as determined by Wiz.	Key: `isAssetAccessibleFromInternet`, Value: `true`. This key and value combination only retrieves vulnerabilities for assets accessible from the internet.
	isAssetOpenToAllInternet	true or false	Filter vulnerabilities for assets by whether they are publicly accessible over the internet.	Key: `isAssetOpenToAllInternet`, Value: `true`. This key and value combination only retrieves vulnerabilities for assets publicly accessible over the internet.
	isBaseLayer	true or false	Filter vulnerabilities for container images by whether they are attributed to a base image.	Key: `isBaseLayer`, Value: `false`. This key and value combination only retrieves vulnerabilities for container images not attributed to a base image.
	isEndOfLife	true or false	Filter vulnerabilities by whether the associated asset is end-of-life.	Key: `isEndOfLife`, Value: `true`. This key and value combination only retrieves vulnerabilities for end-of-life assets.
	isOperatingSystemEndOfLife	true or false	Filter vulnerabilities by whether the associated operating system is end-of-life.	Key: `isOperatingSystemEndOfLife`, Value: `true`. This key and value combination only retrieves vulnerabilities for end-of-life operating systems.
	isScannedFromRegistry	true or false	Filter vulnerabilities by whether they are scanned from a container registry.	Key: `isScannedFromRegistry`, Value: `true`. This key and value combination only retrieves vulnerabilities scanned from a container registry.
	isScannedFromWorkload	true or false	Filter vulnerabilities by whether they are scanned from a workload.	Key: `isScannedFromWorkload`, Value: `true`. This key and value combination only retrieves vulnerabilities scanned from a workload.
	nvdSeverity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter vulnerabilities by their NVD severity.	Key: `nvdSeverity`, Value: `HIGH,CRITICAL`. This key and value combination only retrieves vulnerabilities with NVD severities `HIGH` and `CRITICAL`.
	projectId	Any Wiz project ID(s).	A comma-separated list to filter vulnerabilities associated with the specified project ID(s). Leave the value blank to indicate all project IDs.	Key: `projectId`, Value: `1234,5678`. This key and value combination only retrieves vulnerabilities for project IDs `1234` and `5678`.
	relatedIssueSeverity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter vulnerabilities by the severity of related issues.	Key: `relatedIssueSeverity`, Value: `CRITICAL,HIGH`. This key and value combination only retrieves vulnerabilities with related issues of severities `CRITICAL` and `HIGH`.
	score	Any numeric value from 0.1-10.0	Retrieve all vulnerabilities with a CVSS3 (Common Vulnerability Scoring System) score of the specified value or higher.	Key: `score`, Value: `8.0`. This key and value combination only retrieves vulnerabilities with a CVSS3 score of `8.0` or higher.
	severity	CRITICAL, HIGH, MEDIUM, LOW, NONE	A comma-separated list to filter vulnerabilities by severity. If not provided, all severities are returned.	Key: `severity`, Value: `CRITICAL,HIGH`. This key and value combination only retrieves vulnerabilities with severities `CRITICAL` and `HIGH`.
	status	OPEN, REJECTED, RESOLVED	A comma-separated list to filter vulnerabilities by their status.	Key: `status`, Value: `OPEN,RESOLVED`. This key and value combination only retrieves vulnerabilities with statuses `OPEN` and `RESOLVED`.
	subscriptionExternalId	AWS Account, Azure Subscription, GCP Project, OCI Compartment	A comma-separated list to filter vulnerabilities by their associated external subscription ID.	Key: `subscriptionExternalId`, Value: `AWS Account,Azure Subscription`. This key and value combination only retrieves vulnerabilities associated with the external subscription IDs `AWS Account` and `Azure Subscription`.
	validatedInRuntime	true or false	Filter vulnerabilities by whether they have been validated in runtime.	Key: `validatedInRuntime`, Value: `true`. This key and value combination only retrieves vulnerabilities validated in runtime.
	vcsRepositoryId	Any string identifying a VCS repository ID.	A comma-separated list to filter vulnerabilities by their associated VCS repository ID.	Key: `vcsRepositoryId`, Value: `repo-123,repo-456`. This key and value combination only retrieves vulnerabilities for the VCS repository IDs `repo-123` and `repo-456`.
	vendorScore	Any numeric value from 0.1-10.0	Retrieve all vulnerabilities with a vendor score of the specified value or higher.	Key: `vendorScore`, Value: `8.0`. This key and value combination only retrieves vulnerabilities with a vendor score of `8.0` or higher.
	vendorSeverity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter vulnerabilities by their vendor severity.	Key: `vendorSeverity`, Value: `HIGH,CRITICAL`. This key and value combination only retrieves vulnerabilities with vendor severities `HIGH` and `CRITICAL`.
	vulnerabilityExternalId	Any CVE ID(s)	A comma-separated list of CVE IDs to filter vulnerabilities by their associated CVE ID.	Key: `vulnerabilityExternalId`, Value: `CVE-2023-12345,CVE-2023-44487`. This key and value combination only retrieves vulnerabilities with the CVE IDs `CVE-2023-12345` and `CVE-2023-44487`.
	vulnerabilityId	Any Wiz vulnerability ID(s).	A comma-separated list to filter vulnerabilities by their vulnerability ID.	Key: `vulnerabilityId`, Value: `vuln-123,vuln-456`. This key and value combination only retrieves vulnerabilities with the vulnerability IDs `vuln-123` and `vuln-456`.
	weightedSeverity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter vulnerabilities by their weighted severity.	Key: `weightedSeverity`, Value: `MEDIUM,HIGH`. This key and value combination only retrieves vulnerabilities with weighted severities.

Secret

Secret Finding

Table 20: Secret Finding operation options

Connector Object	Option	All Possible Values	Description	Example
Secret Finding	severity	CRITICAL, HIGH, MEDIUM, LOW	A comma-separated list to filter secret findings by severity. Default includes Critical, High, Medium, and Low. Pass all five values explicitly to include Informational.	Key: `severity`, Value: `CRITICAL,HIGH`. This key and value combination only retrieves secret findings with severities `CRITICAL` and `HIGH`.
	status	OPEN, RESOLVED, REJECTED	A comma-separated list to filter secret findings by their status.	Key: `status`, Value: `OPEN`. This key and value combination only retrieves open secret findings.
	type	Any Wiz secret type string.	A comma-separated list to filter secret findings by their secret type.	Key: `type`, Value: `API_KEY,CERTIFICATE`. This key and value combination only retrieves secret findings of the specified types.
	validationStatus	VALIDATED, NOT_VALIDATED, UNKNOWN	A comma-separated list to filter secret findings by their validation status.	Key: `validationStatus`, Value: `VALIDATED`. This key and value combination only retrieves validated secret findings.
	scanType	CLOUD, CODE, ATTACK_SURFACE	A comma-separated list to filter secret findings by their scan type.	Key: `scanType`, Value: `CLOUD,CODE`. This key and value combination only retrieves secret findings from cloud and code scans.

Wiz operation options

The Wiz connector operation options were developed in collaboration with Wiz and adhere to their supported API filters. If you require an operation option that isn’t listed in the above tables, please refer to the Wiz API documentation, or contact your Wiz Support team. They can coordinate with Brinqa Support to determine whether the Wiz API supports the request and whether it can be added to the connector.

The option keys and possible values are case-sensitive as they are shown in this documentation.

APIs

The Wiz connector uses the Wiz API. Specifically, it executes the following GraphQL queries to retrieve data:

Table 20: Wiz API GraphQL queries

Category	Connector Object	GraphQL Query
Cloud Inventory	API Gateway	Reports GraphQL queries
	Application Endpoint	Reports GraphQL queries
	Backup Service	Reports GraphQL queries
	Bucket	Reports GraphQL queries
	CI/CD Service	Reports GraphQL queries
	Cloud Log Configuration	Reports GraphQL queries
	Compute Instance Group	Reports GraphQL queries
	Container	Reports GraphQL queries
	Container Image	Reports GraphQL queries
	Container Registry	Reports GraphQL queries
	Container Service	Reports GraphQL queries
	Daemon Set	Reports GraphQL queries
	Data Workload	Reports GraphQL queries
	Database Server	Reports GraphQL queries
	Deployment	Reports GraphQL queries
	Encryption Key	Reports GraphQL queries
	File System Service	Reports GraphQL queries
	Firewall	Reports GraphQL queries
	Kubernetes Cluster	Reports GraphQL queries
	Load Balancer	Reports GraphQL queries
	Messaging Service	Reports GraphQL queries
	Raw Access Policy	Reports GraphQL queries
	Resource Group	Reports GraphQL queries
	Secret Container	Reports GraphQL queries
	Serverless	Reports GraphQL queries
	Snapshot	Reports GraphQL queries
	Storage Account	Reports GraphQL queries
	Subnet	Reports GraphQL queries
	Subscription	Reports GraphQL queries
	Virtual Machine	Reports GraphQL queries
	Virtual Machine Image	Reports GraphQL queries
	Virtual Network	Reports GraphQL queries
	Volume	Reports GraphQL queries
	Web Service	Reports GraphQL queries
Configuration	Configuration Finding	Reports GraphQL queries
	Configuration Finding Definition	Reports GraphQL queries
Issue	Issue	Issue GraphQL queries
	Issue Definition	Issue GraphQL queries
	Issue V2	Reports GraphQL queries
	Issue Definition V2	Reports GraphQL queries
Secret	Secret Finding	Reports GraphQL queries
	Secret Finding Definition	Reports GraphQL queries
Vulnerability	Critical Vulnerability	Reports GraphQL queries
	High Vulnerability	Reports GraphQL queries
	Low Vulnerability	Reports GraphQL queries
	Medium Vulnerability	Reports GraphQL queries
	None Vulnerability	Reports GraphQL queries
	Vulnerability	Reports GraphQL queries
	Vulnerability Definition	Vulnerability Definition GraphQL query

Cloud Configuration Finding queries

Click to expand

The following query retrieves information about cloud configuration findings:

query CloudConfigurationFindingsPage($filterBy: ConfigurationFindingFilters, $first: Int, $after: String, $orderBy: ConfigurationFindingOrder) {  
  page: configurationFindings(filterBy: $filterBy, first: $first, after: $after, orderBy: $orderBy) {  
    nodes {  
      id  
      targetExternalId  
      deleted  
      targetObjectProviderUniqueId  
      firstSeenAt  
      severity  
      result  
      status  
      remediation  
      resource {  
        id  
        providerId  
        name  
        nativeType  
        type  
        region  
        subscription {  
          id  
          name  
          externalId  
          cloudProvider  
        }  
        projects {  
          id  
          name  
          riskProfile {  
            businessImpact  
          }  
        }  
        tags {  
          key  
          value  
        }  
      }  
      rule {  
        id  
        graphId  
        name  
        description  
        remediationInstructions  
        functionAsControl  
      }  
      securitySubCategories {  
        id  
        title  
        category {  
          id  
          name  
          framework {  
            id  
            name  
          }  
        }  
      }  
      ignoreRules {  
        id  
        name  
        enabled  
        expiredAt  
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
  }  
}

Issue GraphQL queries

Click to expand

The following query retrieves information about issue and issue definition:

query issueFindings($filterBy: IssueFilters, $first: Int, $after: String $orderBy: IssueOrder) {  
  page: issuesV2(filterBy: $filterBy, first: $first, after: $after, orderBy: $orderBy) {  
    nodes {  
      id  
      status  
      severity  
      type  
      openReason  
      resolutionReason  
      suggestions  
      resolvedAt  
      createdAt  
      updatedAt  
      dueAt  
      statusChangedAt  
      rejectionExpiredAt  
      sourceRule {  
        __typename  
        ... on Control {  
          id  
          name  
          description  
          severity  
          resolutionRecommendation  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
        ... on CloudEventRule {  
          id  
          name  
          description  
          sourceType  
          type  
          cloudEventRuleSeverity: severity  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
        ... on CloudConfigurationRule {  
          id  
          name  
          description  
          remediationInstructions  
          serviceType  
          severity  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
      }  
      entity: entitySnapshot {  
        id  
        type  
        nativeType  
        name  
        status  
        cloudPlatform  
        cloudProviderURL  
        providerId  
        region  
        resourceGroupExternalId  
        subscriptionExternalId  
        subscriptionName  
        subscriptionTags  
        tags  
        externalId  
      }  
      projects {  
        id  
        name  
        description  
        slug  
        businessUnit  
        riskProfile {  
          businessImpact  
        }  
      }  
      serviceTickets {  
        id  
        externalId  
        name  
        url  
      }  
      notes {  
        id  
        createdAt  
        updatedAt  
        text  
        user {  
          id  
          name  
          email  
        }  
        serviceAccount {  
          id  
          name  
          type  
        }  
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
  }  
}

Reports GraphQL queries

Click to expand

The following queries retrieve data for cloud inventory and vulnerability connector objects from the reports endpoint. The rest of the queries create a report and generate the URL to download the report:

query ReportsSearch($filterBy: ReportFilters, $first: Int, $after: String) {
  page: reports(first: $first, after: $after, filterBy: $filterBy) {
    nodes {
      id
      name
      createdBy {
        id
        email
      }
      lastRun {
        id
        runAt
      }
      lastSuccessfulRun {
        id
        runAt
      }
      type {
        id
        name
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}

mutation CreateReport($input: CreateReportInput!) { 
  operation: createReport(input: $input) { 
    node: report { 
      id 
    } 
  } 
} 

mutation RerunReport($reportId: ID!) { 
  operation: rerunReport(input: {id: $reportId}) { 
    node: report { 
      id 
    } 
  } 
}

query ReportDownloadUrl($reportId: ID!) { 
  node: report(id: $reportId) { 
    id
    name 
    lastRun { 
      id 
      url 
      status 
    } 
  } 
}

Vulnerability Definition GraphQL query

Click to expand

The following query retrieves information about vulnerability definition:

query VulnerabilityDefinitions($filterBy: VulnerabilityFilters, $first: Int, $after: String) { 
  page: vulnerabilities(filterBy: $filterBy, first: $first, after: $after) { 
    nodes { 
      affectedTechnologies { 
        id 
        name 
      } 
      baseScore 
      cisaKevDueDate 
      cisaKevReleaseDate 
      cvssv2 { 
        attackComplexity 
        attackVector 
        confidentialityImpact 
        integrityImpact 
        privilegesRequired 
        userInteractionRequired 
      } 
      cvssv3 { 
        attackComplexity 
        attackVector 
        confidentialityImpact 
        integrityImpact 
        privilegesRequired 
        userInteractionRequired 
      } 
      description 
      exploitabilityScore 
      exploitable 
      externalId 
      hasCisaKevExploit 
      id 
      name 
      publishedAt 
      severity 
      sourceFeeds { 
        id 
        name 
        url 
      } 
      sourceUrl    
    }
    pageInfo { 
      endCursor 
      hasNextPage 
    } 
    totalCount 
  } 
} 

Changelog

The Wiz connector has undergone the following changes:

Table 21: Wiz connector changelog

Version	Description	Date Published
3.4.11	Added SECURITY_CATEGORIES and SECURITY_SUBCATEGORIES attributes to the Issue Definition object to allow for advanced filtering and reporting on specific Wiz policies. No migration required.	May 27th, 2026
3.4.10	Fixed Instance ID mapping for Azure Virtual Machines. Azure VMs now correctly use `graphEntity.providerUniqueId` as the preferred Instance ID, improving record matching accuracy for Azure environments. No migration required.	May 15th, 2026
3.4.9	Added a new unified Vulnerability model that brings in all vulnerabilities across all severity levels in a single synchronization. Users can optionally filter by specific severities using the `severity` operation option. The existing severity-specific models remain available for backward compatibility. No migration required.	May 12th, 2026
3.4.8	- Added a new Secret Finding model for ingesting leaked credentials, API keys, certificates, and other sensitive values detected across cloud resources, code repositories, container registries, and attack-surface endpoints. A deduplicated Secret Finding Definition model provides shared severity, description, and remediation guidance. - Added three new internet-exposure attributes to all cloud inventory objects: ACCESSIBLE_FROM_VPN, ACCESSIBLE_FROM_OTHER_SUBSCRIPTIONS, and ACCESSIBLE_FROM_OTHER_VNETS. No migration required.	May 12th, 2026
3.4.7	Upgraded internal framework and storage libraries to the latest stable versions for improved reliability and security. No migration required.	May 12th, 2026
3.4.6	- Added a new Data Workload inventory model for discovering and tracking data workload resources such as AWS SageMaker instances. - Added the HIGH_PROFILE_THREAT and INITIAL_ACCESS_POTENTIAL attributes to the Vulnerability object for enhanced risk assessment. - Added the CVSS_V3_PRIVILEGES_REQUIRED and CVSS_V3_USER_INTERACTION attributes to the Vulnerability object. - Added technology-based inventory filtering operation options: `technologyName`, `technologyCategory`, and `technologyStackLayer`. - Configuration Finding Definitions now properly parse and expose tags as structured key:value pairs. - Added IMAGE_ID and IMAGE_NAME attributes to the Container inventory model. No migration required.	May 12th, 2026
3.4.2	- Split vulnerability sync into five severity-specific models (Critical, High, Medium, Low, None) to improve report generation reliability. The previous single Vulnerability model has been removed. - Added a new operation option, `fetchInterval`, for the Issue and Issue Definition objects to control the time window of data queried (default: 30 days). - Added the TECHNOLOGY_NAME, TECHNOLOGY_STACK_LAYER, CLOUD_PROVIDER, REGION_LOCATION, INSTANCE_TYPE, RESOURCE_GROUP_ID, RESOURCE_GROUP_EXTERNAL_ID, SUBSCRIPTION_ID, SUBSCRIPTION_NAME, PROJECTS, SOURCE_LAST_MODIFIED, and FIRST_SEEN attributes to all inventory objects. Migration required: This release replaces the single Vulnerability model with severity-specific models. Existing vulnerability mappings must be reconfigured to use the new models, and a full vulnerability resync is required after reconfiguration. Existing tickets linked to the previous Vulnerability model findings may be impacted.	March 5th, 2026
3.4.1	- Added a new additional setting to make the request timeout configurable: Request timeout (secs). - Added a new operation option for the Issue and Issue Definition objects to configure the number of threads for concurrent fetching: `issueFetchThreads`.	February 2nd, 2026
3.4.0	- Switched Issue and Issue Definition object synchronization from GraphQL to reports for improved reliability and performance. - Integrated with the Wiz Cloud Resource V2 API endpoint for retrieving inventory data. - Added the HAS_ACCESS_TO_SENSITIVE_DATA, HAS_ADMIN_PRIVILEGES, HAS_HIGH_PRIVILEGES, and HAS_SENSITIVE_DATA attributes to all inventory objects (e.g., Virtual Machine, Container, Container Image). - Updated vulnerability report naming to ensure uniqueness when multiple integrations use different operation options.	January 5th, 2026
3.3.16	The connector now retrieves the Application Endpoint object from Wiz.	December 3rd, 2025
3.3.15	Added the SOURCE_STATUS attribute in all asset type objects.	October 9th, 2025
3.3.14	Added a new additional setting to make the report timeout configurable: Report timeout	July 31st, 2025
3.3.13	Added the ENTITY_EXTERNAL_ID, ENTITY_ID, ENTITY_NAME, ENTITY_STATUS, ENTITY_TYPE, SUBSCRIPTION_EXTERNAL_ID, and SUBSCRIPTION_ID attributes to the Issue object.	July 30th, 2025
3.3.12	Added the ASSET_HAS_LIMITED_INTERNET_EXPOSURE and ASSET_HAS_WIDE_INTERNET_EXPOSURE attributes to the Vulnerability object.	June 11th, 2025
3.3.11	- Fixed an issue where dates were appearing in the future due to the date parser not handling nanoseconds correctly. As a result, the date parser has been updated to accurately reflect the source data from Wiz. - Added the NAMESPACE_EXTERNAL_ID attribute to the Container object. - Code cleanup and general maintenance.	May 20th, 2025
3.3.8	Updated the schema to include the CLUSTER_EXTERNAL_ID and CLUSTER_NAME attributes on the Container object. This change ensures that the attributes are recognized by the Brinqa Platform and properly ingested.	April 29th, 2025
3.3.7	- Added the ADDITIONAL_IDS attribute to the API Gateway object. - Added the CLUSTER_EXTERNAL_ID and CLUSTER_NAME attributes to the Container object to support Kubernetes context.	April 16th, 2025
3.3.6	- Added a new operation option for the Issue object to filter by issue type: `type`. - Added the CATEGORIES attribute to the Issue object. - Added support for ticketing information from Wiz to help prevent duplicate ticket creation and improve issue tracking. As a result, the following attributes were added to the Issue object: TICKET_EXTERNAL_ID TICKET_ID TICKET_NAME TICKET_URL	March 11th, 2025
3.3.5	Fixed an issue where the TARGETS attribute on the Vulnerability object included empty string values. The connector now prevents empty values from being added to the targets list.	February 19th, 2025
3.3.4	Fixed an issue where configuration findings were not correctly associating with assets. The connector now imports RESOURCE_EXTERNAL_ID and RESOURCE_PROVIDER_ID on the Configuration Finding object to establish proper relationships between findings and their associated assets.	February 12th, 2025
3.3.3	Fixed an issue where the connector was incorrectly mapping IP addresses and private DNS names to both the IP_ADDRESSES and PRIVATE_IP_ADDRESSES attributes on the Virtual Machine object. The connector now properly distinguishes between these attributes.	February 6th, 2025
3.3.2	- The Configuration Finding object is no longer required and now maps to Violation. - Added the RECOMMENDATION, TARGETS, and TYPE attributes to the Configuration Finding object.	January 15th, 2025
3.3.1	The connector now retrieves the Configuration Finding object from Wiz.	January 7th, 2025
3.3.0	Replaced the deprecated `vulnerabilityParams.type` attribute on the Vulnerability object with `columnSelection` to support Wiz's updated export behavior. This improves CSV parsing by no longer relying on the `Content-Length` header, which may be `0` even when data is present.	December 24th, 2024
3.2.6	The connector now retrieves the Secret Container object from Wiz.	December 6th, 2024
3.2.5	Fixed an issue where attributes from Wiz were not being mapped correctly to the Host data model. To support out-of-the-box relationships between Hosts and Container Images, the connector now maps the EXTERNAL_ID attribute to the SOURCE_UIDS attribute.	December 3rd, 2024
3.2.4	Added the NAME attribute to the Vulnerability Definition object.	November 14th, 2024
3.2.3	Code cleanup and general maintenance to help improve error handling.	November 13th, 2024
3.2.2	Fixed an issue where the Issue and Issue Definition object syncs were failing.	November 13th, 2024
3.2.1	Fixed an issue where the Resource Group and Storage Account object syncs were failing due to an "Empty header line: cannot bind data" error.	November 11th, 2024
3.2.0	Enhanced the Vulnerability object sync process to improve efficiency by using regular reports with the `updateAt` date filter, as recommended by Wiz. The Wiz connector now retrieves all vulnerabilities with detection support via the GraphQL API, rather than creating vulnerability definitions from vulnerability data.	November 1st, 2024
3.1.18	Code cleanup and maintenance.	October 2nd, 2024
3.1.17	- Fixed an issue where the Issue and Issue Definition object syncs were failing. - Added the SOURCE_SEVERITY_SCORE attribute to the Vulnerability object. - Code cleanup and maintenance.	October 2nd, 2024
3.1.16	- Added remediation instructions to the Issue Definition object. - Addressed a potential NullPointerException (NPE) on the Issue object.	September 25th, 2024
3.1.15	Enhanced the method for retrieving vulnerability status by splitting "New" from "Active" status. The Wiz connector now uses the FIRST_SEEN_AT filter for "New" vulnerabilities and the UPDATED_AT filter for "Active" vulnerabilities to ensure more accurate reporting.	July 22nd, 2024
3.1.14	Added the IS_CONTAINER_HOST attribute to the Virtual Machine object.	June 14th, 2024
3.1.13	Code cleanup and general maintenance.	May 21st, 2024
3.1.12	Fixed an issue where the CVSS_V2_BASE_SCORE and CVSS_V3_BASE_SCORE attributes on the Vulnerability Definition object were not populating.	April 11th, 2024
3.1.11	Revised the logic of getting asset type information from the source data.	February 22nd, 2024
3.1.10	- Updated to fetch `vmId` as the Instance ID for Azure assets. - Switched the order of adding attributes to allow native or specific attributes to take higher precedence. - Updated dependencies.	February 5th, 2024
3.1.9	- Fixed an issue where an `Empty header line` error occurred when reports returned by Wiz were empty. - Fixed an issue related to the `Missing 1 header column: ["uid"]` error.	January 30th, 2024
3.1.8	Added a new additional setting to help manage API throttling: Maximum retries	October 28th, 2023
3.1.7	- Updated to the new Wiz logo. - Enhanced handling for missing UID in objects retrieved from Wiz.	September 19th, 2023
3.1.6	Code cleanup and general maintenance.	September 14th, 2023
3.1.5	Code cleanup and general maintenance.	September 7th, 2023
3.1.4	- The connector now retrieves the image name for Container Image objects. - The connector now maps the provider ID to the TARGETS attribute on the Issue object.	July 26th, 2023
3.1.3	Code cleanup and general maintenance.	July 21st, 2023
3.1.2	Fixed an issue where Targets were not being received for Vulnerabilities with Container Image assets.	July 10th, 2023
3.1.1	The connector now retrieves the Database Server, Issue, and Issue Definition objects from Wiz.	June 15th, 2023
3.1.0	Initial Integration+ release.	June 14th, 2023

Required connection settings​

Obtain the client ID and client secret from Wiz​

Additional settings​

Types of data to retrieve​

Attribute mappings​

Cloud Inventory​

Configuration​

Issue​

Vulnerability​

Secret​

Operation options​

Cloud Inventory​

Configuration​

Issue​

Vulnerability​

Secret​

APIs​

Cloud Configuration Finding queries​

Issue GraphQL queries​

Reports GraphQL queries​

Vulnerability Definition GraphQL query​

Changelog​

Required connection settings

Obtain the client ID and client secret from Wiz

Additional settings

Types of data to retrieve

Attribute mappings

Cloud Inventory

Configuration

Issue

Vulnerability

Secret

Operation options

Cloud Inventory

Configuration

Issue

Vulnerability

Secret

APIs

Cloud Configuration Finding queries

Issue GraphQL queries

Reports GraphQL queries

Vulnerability Definition GraphQL query

Changelog