Wiz

Wiz is a cloud security tool that scans your cloud environments to provide complete visibility into every technology running in your cloud. You can bring virtual network, virtual machine, vulnerability and more data from Wiz into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Wiz when the data integration runs, and how to obtain that information from Wiz. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Wiz from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Wiz with Brinqa:

• API URL: The Wiz API endpoint URL. The default URL is https://api.<region>.app.wiz.io.

• Token URL: The Wiz API authentication token URL. The URL is specific to the identity provider (IdP) for the Wiz service account. See Table 1 for more information.

• OAuth audience: The audience of your OAuth token. The audience is specific to your IdP. See Table 1 for more information.

• Client ID and Client secret: The credentials associated with the Wiz service account, which must have permissions to log in to the API server and return data.

The Token URL and OAuth audience values depend on the IdP you use for the Wiz service account. The following table summarizes the different values:

Table 1. Wiz token URL and audience values

IdP	Token URL	Audience
Amazon Cognito	https://auth.app.wiz.io/oauth/token	wiz-api
Auth0	https://auth.wiz.io/oauth/token	beyond-api

Obtain the client ID and client secret from Wiz

For the Wiz connector to use the Wiz API, you must provide the client ID and client secret from an active Wiz service account. To obtain the client ID and client secret, follow these steps:

1. Log in to your organization's Wiz Portal as a Global Admin.

2. Navigate to Settings > Service Accounts and click Add Service Account.

3. Enter a name for the service account and select the following permissions:

   • create:reports

   • read:cloud_accounts

   • read:cloud_configuration

   • read:issues

   • read:reports

   • read:resources

   • read:security_scans

   • read:vulnerabilities

   • update:reports

     create:reports permission

     The create:reports permission is required for the following reasons:

     1. The Wiz connector was developed in collaboration with Wiz and adheres to their recommended solutions. It has been certified by Wiz to ensure optimal functionality and security.
     2. Due to limitations with GraphQL in exporting large datasets, the connector generates reports in CSV format.
     3. The Wiz connector generates one report per asset type for Vulnerabilities, with each report prefixed by BRINQA-VULNERABILITIES-REPORT_.
     4. It also generates one report per inventory type for Inventory, with each report prefixed by BRINQA-INVENTORY-REPORT_. This lets you easily identify and monitor said reports.
     5. These reports are automatically deleted from Wiz based on your specified data cleanup frequency.

4. Click Add Service Account.

   The new client ID and client secret display. You cannot view the client secret again. Copy and save them to a secure location.

note

If you do not have the permissions to create a service account or assign permissions, contact your Wiz administrator. For additional information, see Wiz documentation.

Additional settings

The Wiz connector contains additional options for specific configuration:

• Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

• Maximum retries: The maximum number of times that the integration attempts to connect to the Wiz API before giving up and reporting a failure. The default setting is 5.

Types of data to retrieve

The Wiz connector can retrieve the following types of data from the Wiz API:

Table 2: Data retrieved from Wiz

Connector Object	Required	Maps to Data Model
Backup Service	No	Not mapped
Bucket	No	Not mapped
CI/CD Service	No	Not mapped
Compute Instance Group	No	Not mapped
Configuration Finding	Yes	Violation
Container	Yes	Container
Container Image	Yes	Container Image
Container Registry	No	Not mapped
Container Service	No	Not mapped
Control	Yes	Violation Definition
Daemon Set	No	Not mapped
Database Server	Yes	Database Instance
Deployment	No	Not mapped
Encryption Key	No	Not mapped
File System Service	No	Not mapped
Firewall	No	Not mapped
Issue	Yes	Violation
Issue Definition	Yes	Violation Definition
Kubernetes Cluster	No	Not mapped
Raw Access Policy	No	Not mapped
Resource Group	No	Not mapped
Secret Container	No	Not mapped
Serverless	Yes	Serverless
Storage Account	No	Not mapped
Subnet	No	Not mapped
Subscription	No	Not mapped
Virtual Machine	Yes	Host
Virtual Machine Image	Yes	Host Image
Virtual Network	Yes	Network Segment
Volume	No	Not mapped
Vulnerability	Yes	Vulnerability
Vulnerability Definition	Yes	Vulnerability Definition
Web Service	No	Not mapped

info

For detailed steps on how to view the data retrieved from Wiz in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Configuration Finding

Table 3: Configuration Finding attribute mappings

Source Field Name	Maps to Attribute
firstSeenAt	firstSeen
id	uid
remediation	recommendation
resource.id	targets
resource.name	Local variable
resource.type	Local variable
result	results
rule	type
severity	severity
status	status

Container

Table 4: Container attribute mappings

Source Field Name	Maps to Attribute
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	lastSeen
Name	Local variable
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
name	name
categories	categories
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.Runtime	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.imageExternalId	image
Wiz JSON Object.virtualMachineExternalId	host

Container Image

Table 5: Container Image attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status (normalized)	status
Wiz JSON Object.digest	digest
Wiz JSON Object.encrypted	Local variable
Wiz JSON Object.repoExternalId	Local variable

Control

Table 6: Control attribute mappings

Source Field Name	Maps to Attribute
description	description
id	uid
name	name
remediationInstructions	recommendation

Virtual Machine

Table 7: Virtual Machine attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.Architecture	Local variable
Cloud Native JSON.ImageId	image
Cloud Native JSON.InstanceId	instanceId
Cloud Native JSON.InstanceType	Local variable
Cloud Native JSON.Monitoring.State	Local variable
Cloud Native JSON.NetworkInterfaces.MacAddress	macAddresses
Cloud Native JSON.PrivateDnsName	dnsNames
Cloud Native JSON.PrivateDnsName	privateDnsNames
Cloud Native JSON.PrivateIpAddress	ipAddresses
Cloud Native JSON.PrivateIpAddress	privateIpAddresses
Cloud Native JSON.PublicDnsName	hostnames
Cloud Native JSON.PublicDnsName	publicDnsNames
Cloud Native JSON.PublicIpAddress	ipAddresses
Cloud Native JSON.PublicIpAddress	publicIpAddresses
Cloud Native JSON.StateReason	Local variable
Cloud Native JSON.Subscription	Local variable
Cloud Native JSON.Subscription ID	Local variable
Cloud Native JSON.lastStartTimestamp	lastStarted
Cloud Native JSON.lastStopTimestamp	lastStopped
Cloud Native JSON.name	Local variable
Cloud Native JSON.networkInterfaces.network	Local variable
Cloud Native JSON.networkInterfaces.subnetwork	Local variable
Cloud Native JSON.project	Local variable
Cloud Native JSON.providerId	Local variable
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.Runtime	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	firstSeen
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.imageExternalId	image
Wiz JSON Object.isContainerHost	Local variable
Wiz JSON Object.operatingSystem	operatingSystem

Virtual Machine Image

Table 8: Virtual Machine Image attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.ImageLocation	Local variable
Wiz JSON Object.ImageOwnerAlias	Local variable
Wiz JSON Object.PlatformDetails	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.family	Local variable
Wiz JSON Object.is_public	Local variable

Virtual Network

Table 9: Virtual Network attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.addressSpace.addressPrefixes	Local variable
Cloud Native JSON.enableDdosProtection	Local variable
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.addressRangeEdges	Local variable
Wiz JSON Object.addressRanges	ipv4Ranges
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.flowLogsEnabled	Local variable
Wiz JSON Object.hasDeployedInstances	Local variable
Wiz JSON Object.isDefault	Local variable

note

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Operation options

The Wiz connector supports the following operation options. See connector operation options for information about how to apply them.

Click the tabs below to view the supported operation options per connector object.

Backup Service

Table 10: Operation options

Connector Object	Option	All Possible Values	Description	Example
Backup Service, Bucket, CI/CD Service, Compute Instance Group, Container, Container Image, Container Registry, Container Service, Daemon Set, Database Server, Deployment, Encryption Key, File System Service, Firewall, Kubernetes Cluster, Raw Access Policy, Resource Group, Serverless, Storage Account, Subscription, Virtual Machine, Virtual Machine Image, Virtual Network, Web Service	projectId	Any number identifying a project.	Filter reports associated with the specified project ID.	Key: projectId, Value: 1234. This key and value combination only retrieves data from project ID 1234.
	reportName	Any name identifying a report.	Filter reports matching the specified name.	Key: reportName, Value: Report A. This key and value combination only retrieves data from Report A.

Configuration Finding

Table 11: Configuration Finding operation options

Connector Object	Option	All Possible Values	Description	Example
Configuration Finding	frameworkCategory	Any number identifying a security framework.	Filter issues by the specified framework ID. Leave the value blank to indicate all framework categories.	Key: frameworkCategory Value: 1234. This key and value combination only retrieves configuration findings for framework 1234.
	ruleName	Any string identifying a rule name.	A comma-separated list to filter configuration findings by the specified rule names.	Key: ruleName, Value: ruleName1,ruleName2. This key and value combination only retrieves findings related to the ruleName1 and ruleName2 rules.
	resourceType	Any string identifying a resource type.	A comma-separated list to filter configuration findings by the specified resource type.	Key: resourceType, Value: type1,type2. This key and value combination only retrieves configuration findings for resources of type Server.
	severity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter configuration findings based on severity.	Key: severity, Value: HIGH,CRITICAL. This key and value combination only retrieves findings with a severity of HIGH or CRITICAL.
	result	ERROR, FAIL, NOT_ASSESSED, PASSED	A comma-separated list to filter configuration findings based on their result status. Leave the value blank to indicate all result statuses.	Key: result, Value: ERROR,FAIL. This key and value combination only retrieves findings with an ERROR or FAIL result status.
	status	OPEN, RESOLVED, REJECTED	A comma-separated list to filter configuration findings by their status.	Key: status, Value: OPEN,REJECTED. This key and value combination only retrieves findings that are in the OPEN or REJECTED status.
	includeDeleted	true or false	Include or exclude deleted configuration findings in the results. Leave the value blank to indicate all findings.	Key: includeDeleted, Value: false. This key and value combination excludes deleted configuration findings from the results.

Issue & Issue Definition

Table 12: Issue and Issue Definition operation options

Connector Object	Option	All Possible Values	Description	Example
Issue, Issue Definition	frameworkCategory	Any number identifying a security framework.	Filter issues by the specified framework ID. Leave the value blank to indicate all framework categories.	Key: frameworkCategory, Value: 1234. This key and value combination only retrieves issues for framework 1234.
Issue, Issue Definition	hasAutoRemediation	true or false	Filter issues with or without auto remediation.	Key: hasAutoRemediation, Value: true. This key and value combination only retrieves issues with auto remediation.
Issue, Issue Definition	hasRemediation	true or false	Filter issues with or without remediation.	Key: hasRemediation, Value: false. This key and value combination only retrieves issues without a remediation.
Issue, Issue Definition	hasServiceTicket	true or false	Filter issues with or without related service ticket.	Key: hasServiceTicket, Value: true. This key and value combination only retrieves issues with related service tickets.
Issue, Issue Definition	projectId	Any number identifying a project.	Filter issues associated with the specified project ID. Leave the value blank to indicate all project IDs.	Key: projectId, Value: 1234. This key and value combination only retrieves issues for project ID 1234.
Issue, Issue Definition	resolutionReason	CONTROL_CHANGED, CONTROL_DISABLED, CONTROL_DELETED, EXCEPTION, FALSE_POSITIVE, ISSUE_FIXED, OBJECT_DELETED, WONT_FIX	A comma-separated list to filter issues by resolution reason. Leave the value blank to indicate all resolution reasons.	Key: resolutionReason, Value: FALSE_POSITIVE. This key and value combination only retrieves issues that are false positives.
Issue, Issue Definition	severity	CRITICAL, HIGH, INFORMATIONAL, LOW, MEDIUM	A comma-separated list to filter issues based on severity. Leave the value blank to indicate all severities.	Key: severity, Value: LOW, MEDIUM. This key and value combination only retrieves issues of low or medium severity.
Issue, Issue Definition	stackLayer	APPLICATION_AND_DATA, CI_CD, CLOUD_ENTITLEMENTS, CODE, COMPUTE_PLATFORMS, DATA_STORES, SECURITY_AND_IDENTITY	A comma-separated list to filter issues from a specified stack layer. Leave the value blank to indicate all stack layers.	Key: stackLayer, Value: ``. This key and value combination retrieves issues from all stack layers.
Issue, Issue Definition	status	IN_PROGRESS, OPEN, REJECTED, RESOLVED	A comma-separated list to filter issues by their status. Leave the value blank to indicate all statuses.	Key: status, Value: OPEN. This key and value combination only retrieves open issues.
Issue	type	CLOUD_CONFIGURATION, THREAT_DETECTION, TOXIC_COMBINATION	A comma-separated list of issue types. You can use this option to filter issues by their issue type, as determined by Wiz.	Key: type Value: THREAT_DETECTION,TOXIC_COMBINATION. This key and value combination only retrieves issues with the specified type.

Vulnerability Definition

Table 13: Vulnerability Definition operation options

Connector Object	Option	All Possible Values	Description	Example
Vulnerability Definition	assetHasAdminPrivileges	true or false	Filter vulnerabilities for assets with or without admin privileges.	Key: assetHasAdminPrivileges, Value: true. This key and value combination only retrieves vulnerabilities for assets with admin privileges.
	assetHasHighPrivileges	true or false	Filter vulnerabilities for assets with or without high privileges.	Key: assetHasHighPrivileges, Value: false. This key and value combination only retrieves vulnerabilities for assets without high privileges.
	assetId	Any number identifying an asset.	Filter vulnerabilities by the asset ID. Leave the value blank to indicate all asset IDs.	Key: assetId, Value: 1234. This key and value combination only retrieves vulnerabilities for asset ID 1234.
	assetStatus	Active, Error, Inactive	Filter vulnerabilities for assets with the specified status. Leave the value blank to indicate all asset statuses.	Key: assetStatus, Value: Active. This key and value combination only retrieves vulnerabilities from active assets.
	assetType	CONTAINER, CONTAINER_IMAGE, SERVERLESS, VIRTUAL_MACHINE	A comma-separated list to filter vulnerabilities by the asset type. Leave the value blank to indicate all asset types.	Key: assetType, Value: CONTAINER, SERVERLESS. This key and value combination only retrieves vulnerabilities for the CONTAINER and SERVERLESS asset type.
	containerRegistry	Any name identifying a container registry.	Filter vulnerabilities associated with the specified container registry.	Key: containerRegistry, Value: ECR. This key and value combination only retrieves vulnerabilities related to the AWS Elastic Container Registry (ECR).
	containerRepository	Any name identifying a container repository.	Filter vulnerabilities associated with the specified container repository.	Key: containerRepository, Value: Azure Container Repository. This key and value combination only retrieves vulnerabilities in the Azure Container Repository.
	detectionMethod	DEFAULT_PACKAGE, FILE_PATH, INSTALLED_PROGRAM, INSTALLED_PROGRAM_BY_SERVICE, LIBRARY, OS, PACKAGE	A comma-separated list to filter vulnerabilities found by the specified detection method. Leave the value blank to indicate all detection methods.	Key: detectionMethod, Value: FILE_PATH. This key and value combination only retrieves vulnerabilities detected through file paths.
	hasCisaKevExploit	true or false	Filter vulnerabilities with or without an available Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) exploit.	Key: hasCisaKevExploit, Value: true. This key and value combination only retrieves vulnerabilities with a CISA KEV exploit.
	hasExploit	true or false	Filter vulnerabilities with or without an available exploit.	Key: hasExploit, Value: false. This key and value combination only retrieves vulnerabilities without an exploit.
	hasFix	true or false	Filter vulnerabilities with or without an available fix.	Key: hasFix, Value: true. This key and value combination only retrieves vulnerabilities with a fix.
	isAssetOpenToAllInternet	true or false	Filter vulnerabilities for assets by whether they are publicly accessible over the internet.	Key: isAssetOpenToAllInternet, Value: true. This key and value combination only retrieves vulnerabilities for assets that are accessible over the internet.
	isBaseLayer	true or false	Filter vulnerabilities for container images by whether they are attributed to a base image.	Key: isBaseLayer, Value: false. This key and value combination only retrieves vulnerabilities for container images that aren't attributed to a base image.
	isScannedFromRegistry	true or false	Filter vulnerabilities by whether they are scanned from a container registry.	Key: isScannedFromRegistry, Value: true. This key and value combination only retrieves vulnerabilities they are scanned from a container registry.
	projectId	Any number identifying a project.	Filter vulnerabilities associated with the specified project ID. Leave the value blank to indicate all project IDs.	Key: projectId, Value: 1234. This key and value combination only retrieves vulnerabilities for project ID 1234.
	reportName	Any name identifying a report.	Filter vulnerabilities matching the specified report name.	Key: reportName, Value: Report A. This key and value combination only retrieves vulnerabilities from Report A.
	status	OPEN, REJECTED, RESOLVED	A comma-separated list to filter vulnerabilities by their status. Leave the value blank to indicate all statuses.	Key: status, Value: RESOLVED. This key and value combination only retrieves resolved vulnerabilities.
	subscriptionExternalId	AWS Account, Azure Subscription, GCP Project, OCI Compartment	A comma-separated list to filter vulnerabilities by their associated external subscription ID. Leave the value blank to indicate all external subscription IDs.	Key: subscriptionExternalId, Value: AWS Account. This key and value combination only retrieves vulnerabilities associated with the AWS Account.
	validatedInRuntime	true or false	Filter vulnerabilities by whether they have been validated in runtime.	Key: validatedInRuntime, Value: true. This key and value combination only retrieves vulnerabilities that have been validated in runtime.
	vendorSeverity	CRITICAL, HIGH, LOW, MEDIUM, NONE	A comma-separated list to filter vulnerabilities by their vendor severity. Leave the value blank to indicate all vendor severities.	Key: vendorSeverity, Value: HIGH. This key and value combination only retrieves vulnerabilities deemed high severity by the vendor.

note

The option keys and possible values are case-sensitive as they are shown in this documentation.

APIs

The Wiz connector uses the Wiz API. Specifically, it executes the following GraphQL queries to retrieve data:

Table 14: Wiz API GraphQL queries

Connector Object	GraphQL Query
Backup Service	Reports GraphQL queries
Bucket	Reports GraphQL queries
CI/CD Service	Reports GraphQL queries
Compute Instance Group	Reports GraphQL queries
Configuration Finding	Cloud Configuration Findings GraphQL queries
Container	Reports GraphQL queries
Container Image	Reports GraphQL queries
Container Registry	Reports GraphQL queries
Container Service	Reports GraphQL queries
Control	Cloud Configuration Findings GraphQL queries
Daemon Set	Reports GraphQL queries
Database Server	Reports GraphQL queries
Deployment	Reports GraphQL queries
Encryption Key	Reports GraphQL queries
File System Service	Reports GraphQL queries
Firewall	Reports GraphQL queries
Issue	Issue GraphQL queries
Issue Definition	Issue GraphQL queries
Kubernetes Cluster	Reports GraphQL queries
Raw Access Policy	Reports GraphQL queries
Resource Group	Reports GraphQL queries
Serverless	Reports GraphQL queries
Storage Account	Reports GraphQL queries
Subscription	Reports GraphQL queries
Virtual Machine	Reports GraphQL queries
Virtual Machine Image	Reports GraphQL queries
Virtual Network	Reports GraphQL queries
Vulnerability	Reports GraphQL queries Vulnerability GraphQL query
Vulnerability Definition	Reports GraphQL queries Vulnerability GraphQL query Vulnerability Definition GraphQL query
Web Service	Reports GraphQL queries

Cloud Configuration Finding queries

Click to expand

The following query retrieves information about cloud configuration findings:

query CloudConfigurationFindingsPage($filterBy: ConfigurationFindingFilters, $first: Int, $after: String, $orderBy: ConfigurationFindingOrder) {  
  page: configurationFindings(filterBy: $filterBy, first: $first, after: $after, orderBy: $orderBy) {  
    nodes {  
      id  
      targetExternalId  
      deleted  
      targetObjectProviderUniqueId  
      firstSeenAt  
      severity  
      result  
      status  
      remediation  
      resource {  
        id  
        providerId  
        name  
        nativeType  
        type  
        region  
        subscription {  
          id  
          name  
          externalId  
          cloudProvider  
        }  
        projects {  
          id  
          name  
          riskProfile {  
            businessImpact  
          }  
        }  
        tags {  
          key  
          value  
        }  
      }  
      rule {  
        id  
        graphId  
        name  
        description  
        remediationInstructions  
        functionAsControl  
      }  
      securitySubCategories {  
        id  
        title  
        category {  
          id  
          name  
          framework {  
            id  
            name  
          }  
        }  
      }  
      ignoreRules {  
        id  
        name  
        enabled  
        expiredAt  
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
  }  
}

Issue GraphQL queries

Click to expand

The following query retrieves information about issue and issue definition:

query issueFindings($filterBy: IssueFilters, $first: Int, $after: String $orderBy: IssueOrder) {  
  page: issuesV2(filterBy: $filterBy, first: $first, after: $after, orderBy: $orderBy) {  
    nodes {  
      id  
      status  
      severity  
      type  
      openReason  
      resolutionReason  
      suggestions  
      resolvedAt  
      createdAt  
      updatedAt  
      dueAt  
      statusChangedAt  
      rejectionExpiredAt  
      sourceRule {  
        __typename  
        ... on Control {  
          id  
          name  
          description  
          severity  
          resolutionRecommendation  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
        ... on CloudEventRule {  
          id  
          name  
          description  
          sourceType  
          type  
          cloudEventRuleSeverity: severity  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
        ... on CloudConfigurationRule {  
          id  
          name  
          description  
          remediationInstructions  
          serviceType  
          severity  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
      }  
      entity: entitySnapshot {  
        id  
        type  
        nativeType  
        name  
        status  
        cloudPlatform  
        cloudProviderURL  
        providerId  
        region  
        resourceGroupExternalId  
        subscriptionExternalId  
        subscriptionName  
        subscriptionTags  
        tags  
        externalId  
      }  
      projects {  
        id  
        name  
        description  
        slug  
        businessUnit  
        riskProfile {  
          businessImpact  
        }  
      }  
      serviceTickets {  
        id  
        externalId  
        name  
        url  
      }  
      notes {  
        id  
        createdAt  
        updatedAt  
        text  
        user {  
          id  
          name  
          email  
        }  
        serviceAccount {  
          id  
          name  
          type  
        }  
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
  }  
}

Reports GraphQL queries

Click to expand

The first query retrieves data for the Backup Service, Bucket, CI/CD Service, Compute Instance Group, Container, ContainerImage, Container Registry, Container Service, Daemon Set, Database Server, Deployment, Encryption Key, File System Service, Firewall, Kubernetes Cluster, Raw Access Policy, Resource Group, Serverless, Storage Account, Subscription, Virtual Machine Image, Virtual Network, Vulnerability, Vulnerability Definition, or Web Service connector objects from the reports endpoint. The rest of the queries create a report and generates the URL to download the report:

query ReportsSearch($filterBy: ReportFilters, $first: Int, $after: String) {
  page: reports(first: $first, after: $after, filterBy: $filterBy) {
    nodes {
      id
      name
      createdBy {
        id
        email
      }
      lastRun {
        id
        runAt
      }
      lastSuccessfulRun {
        id
        runAt
      }
      type {
        id
        name
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}

mutation CreateReport($input: CreateReportInput!) { 
  operation: createReport(input: $input) { 
    node: report { 
      id 
    } 
  } 
} 

mutation RerunReport($reportId: ID!) { 
  operation: rerunReport(input: {id: $reportId}) { 
    node: report { 
      id 
    } 
  } 
}

query ReportDownloadUrl($reportId: ID!) { 
  node: report(id: $reportId) { 
    id
    name 
    lastRun { 
      id 
      url 
      status 
    } 
  } 
}

Vulnerability GraphQL query

Click to expand

The following query retrieves information about vulnerabilities:

query vulnerabilityFindings($filterBy: VulnerabilityFindingFilters, $first: Int, $after: String) {  
  page: vulnerabilityFindings(filterBy: $filterBy, first: $first, after: $after) {  
    nodes {  
      id  
      name  
      detailedName  
      CVEDescription  
      CVSSSeverity  
      vendorSeverity  
      score  
      exploitabilityScore  
      impactScore  
      description  
      remediation  
      link  
      locationPath  
      detectionMethod  
      version  
      fixedVersion  
      portalUrl  
      firstDetectedAt  
      lastDetectedAt    
      vulnerableAsset {  
        ... on VulnerableAssetBase {  
          id
          providerUniqueId
          type
          name  
        }
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
    totalCount  
  }  
}

Vulnerability Definition GraphQL query

Click to expand

The following query retrieves information about vulnerability definition:

query VulnerabilityDefinitions($filterBy: VulnerabilityFilters, $first: Int, $after: String) { 
  page: vulnerabilities(filterBy: $filterBy, first: $first, after: $after) { 
    nodes { 
      affectedTechnologies { 
        id 
        name 
      } 
      baseScore 
      cisaKevDueDate 
      cisaKevReleaseDate 
      cvssv2 { 
        attackComplexity 
        attackVector 
        confidentialityImpact 
        integrityImpact 
        privilegesRequired 
        userInteractionRequired 
      } 
      cvssv3 { 
        attackComplexity 
        attackVector 
        confidentialityImpact 
        integrityImpact 
        privilegesRequired 
        userInteractionRequired 
      } 
      description 
      exploitabilityScore 
      exploitable 
      externalId 
      hasCisaKevExploit 
      id 
      name 
      publishedAt 
      severity 
      sourceFeeds { 
        id 
        name 
        url 
      } 
      sourceUrl    
    }
    pageInfo { 
      endCursor 
      hasNextPage 
    } 
    totalCount 
  } 
} 

Changelog

The Wiz connector has undergone the following changes:

Table 15: Wiz connector changelog

Version	Description
3.3.6	- Added a new operation option for the Issue object to filter by issue type: type. - Added the CATEGORIES attribute to the Issue object. - Added support for ticketing information from Wiz to help prevent duplicate ticket creation and improve issue tracking. As a result, the following attributes were added to the Issue object: TICKET_EXTERNAL_ID TICKET_ID TICKET_NAME TICKET_URL
3.3.5	Fixed an issue where the TARGETS attribute on the Vulnerability object included empty string values. The connector now prevents empty values from being added to the targets list.
3.3.4	Fixed an issue where configuration findings were not correctly associating with assets. The connector now imports RESOURCE_EXTERNAL_ID and RESOURCE_PROVIDER_ID on the Configuration Finding object to establish proper relationships between findings and their associated assets.
3.3.3	Fixed an issue where the connector was incorrectly mapping IP addresses and private DNS names to both the IP_ADDRESSES and PRIVATE_IP_ADDRESSES attributes on the Virtual Machine object. The connector now properly distinguishes between these attributes.
3.3.2	- The Configuration Finding object is no longer required and now maps to Violation. - Added the RECOMMENDATION, TARGETS, and TYPE attributes to the Configuration Finding object.
3.3.1	The connector now retrieves the Configuration Finding object from Wiz.
3.3.0	- The connector now retrieves the Control object from Wiz. - Replaced the deprecated vulnerabilityParams.type attribute on the Vulnerability object with columnSelection for Vulnerability reports.
3.2.6	The connector now retrieves the Secret Container object from Wiz.
3.2.5	Fixed an issue where attributes from Wiz were not being mapped correctly to the Host data model.
3.2.4	Added the NAME attribute to the Vulnerability Definition object.
3.2.3	Code clean up and general maintenance to help improve error handling.
3.2.2	Fixed an issue where the Issue and Issue Definition object syncs were failing.
3.2.1	Fixed an issue where the Resource Group and Storage Account object syncs were failing due to an "Empty header line: cannot bind data" error.
3.2.0	Enhanced the Vulnerability object sync process to improve efficiency by using regular reports with the updateAt date filter, as recommended by Wiz. The Wiz connector now retrieves all vulnerabilities with detection support via the GraphQL API, rather than creating vulnerability definitions from vulnerability data.
3.1.18	Code clean up and maintenance.
3.1.17	- Fixed an issue where the Issue and Issue Definition object syncs were failing. - Added the SOURCE_SEVERITY_SCORE attribute to the Vulnerability object. - Code clean up and maintenance.
3.1.16	- Added remediation instructions to the Issue Definition object. - Addressed a potential NullPointerException (NPE) on the Issue object.
3.1.15	Enhanced the method for retrieving vulnerability status by splitting "New" from "Active" status. The Wiz connector now uses the FIRST_SEEN_AT filter for "New" vulnerabilities and the UPDATED_AT filter for "Active" vulnerabilities to ensure more accurate reporting.
3.1.14	Added the IS_CONTAINER_HOST attribute to the Virtual Machine object.
3.1.13	No change.
3.1.12	Fixed an issue where the CVSS_V2_BASE_SCORE and CVSS_V3_BASE_SCORE attributes on the Vulnerability Definition object were not populating.
3.1.11	Revised the logic of getting asset type information from the source data.
3.1.10	- Updated to fetch vmId as the Instance ID for Azure assets. - Switched the order of adding attributes to allow native or specific attributes to take higher precedence. - Updated dependencies.
3.1.9	- Fixed an issue where an Empty header line error occurred when reports returned by Wiz were empty. - Fixed an issue related to the Missing 1 header column: ["uid"] error.
3.1.8	Added a new setting to configure maximum retries.
3.1.7	- Updated to the new Wiz logo. - Enhanced handling for missing UID in objects retrieved from Wiz.
3.1.4	- Started retrieving the image name for Container Image objects. - Started mapping provider ID to the TARGETS attribute on the Issue object.
3.1.1	Added more connector objects, such as Database Server, Issue, and Issue Definition.
3.1.0	Initial Integration+ release.