Wiz
Wiz is a cloud security tool that scans your cloud environments to provide visibility into the technologies running in your cloud. You can bring virtual network, virtual machine, vulnerability, and other data from Wiz into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Wiz when the data integration runs, and how to obtain that information from Wiz. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Wiz from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Wiz with Brinqa:
- API URL: The Wiz API endpoint URL. The default URL is https://api.<region>.app.wiz.io.
- Token URL: The Wiz API authentication token URL. The URL is specific to the identity provider (IdP) for the Wiz service account. See Table 1 for more information.
- OAuth audience: The audience of your OAuth token. The audience is specific to your IdP. See Table 1 for more information.
- Client ID and Client secret: The credentials associated with the Wiz service account, which must have permissions to log in to the API server and return data.
The Token URL and OAuth audience values depend on the IdP you use for the Wiz service account. The following table summarizes the different values:
Table 1. Wiz token URL and audience values
IdP | Token URL | Audience |
---|---|---|
Amazon Cognito | https://auth.app.wiz.io/oauth/token | wiz-api |
Auth0 | https://auth.wiz.io/oauth/token | beyond-api |
Obtain the client ID and client secret from Wiz
For the Wiz connector to use the Wiz API, you must provide the client ID and client secret from an active Wiz service account. To obtain the client ID and client secret, follow these steps:
1. Log in to your organization's Wiz Portal as a Global Admin.
2. Navigate to Settings > Service Accounts and click Add Service Account.
3. Enter a name for the service account and select the following permissions:
   - create:reports
   - read:cloud_accounts
   - read:cloud_configuration
   - read:issues
   - read:reports
   - read:resources
   - read:security_scans
   - read:vulnerabilities
   - update:reports
   Grant only the permissions listed above. Apart from creating, reading, and updating its own reports, the connector needs read access only.
   Note on the create:reports permission. The create:reports permission is required for the following reasons:
   - The Wiz connector was developed in collaboration with Wiz and adheres to their recommended solutions. It has been certified by Wiz to ensure optimal functionality and security.
   - Because GraphQL has limitations when exporting large datasets, the connector generates reports in CSV format.
   - The Wiz connector generates one report per asset type for Vulnerabilities, with each report name prefixed by BRINQA-VULNERABILITIES-REPORT_, and one report per inventory type for Inventory, with each report name prefixed by BRINQA-INVENTORY-REPORT_. The prefixes let you identify and monitor these reports in Wiz.
   - These reports are automatically deleted from Wiz based on your specified data cleanup frequency.
4. Click Add Service Account.
   The new client ID and client secret display. You cannot view the client secret again. Copy and save them to a secure location.
Consult the Wiz documentation for the current steps. If you do not have the permissions to create a service account, contact your Wiz administrator.
Additional settings
The Wiz connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. Values above 100 are not recommended.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Wiz API before giving up and reporting a failure. The default setting is 5.
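The following is an added example, not Brinqa's or Wiz's own code, that puts the settings above together: it builds the OAuth 2.0 client-credentials token request from the Token URL and audience in Table 1, then pages through a GraphQL connection the way the queries later on this page are written (the connection aliased as `page`, with `pageInfo { hasNextPage endCursor }`), honouring the Page size and Maximum retries settings. Two things are assumptions, not stated on the page: that the GraphQL endpoint sits at `/graphql` under the API URL, and that the token endpoint takes a form-encoded POST with an `audience` parameter. HTTP is done through an injectable `post(url, headers, body)` callable so the logic can be exercised offline against a fake transport.

```python
"""Added example (not Brinqa's or Wiz's code): client-credentials token request
from Table 1, then cursor pagination with page-size and retry settings applied.
Assumptions: GraphQL endpoint is /graphql under the API URL; the token endpoint
accepts a form-encoded POST with an `audience` parameter. HTTP goes through an
injectable post(url, headers, body) callable so this runs offline in tests.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Iterator, Optional

# Table 1: token URL and audience depend on the IdP behind the service account.
IDP_TOKEN_SETTINGS = {
    "Amazon Cognito": ("https://auth.app.wiz.io/oauth/token", "wiz-api"),
    "Auth0": ("https://auth.wiz.io/oauth/token", "beyond-api"),
}
DEFAULT_PAGE_SIZE = 100   # "Page size": the page advises not to exceed 100
DEFAULT_MAX_RETRIES = 5   # "Maximum retries": attempts before reporting failure

Post = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]


class TransientError(Exception):
    """Retryable transport failure (HTTP 429/5xx, timeout)."""


def urllib_post(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    """Real transport: POST body, decode the JSON reply, classify failures."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 429 or exc.code >= 500:
            raise TransientError(f"HTTP {exc.code} from {url}") from exc
        raise  # 401/403 mean bad credentials or permissions: fail fast, do not retry


def build_token_request(idp: str, client_id: str, client_secret: str):
    """Return (url, headers, body) for the client-credentials grant."""
    token_url, audience = IDP_TOKEN_SETTINGS[idp]
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "audience": audience,            # assumed parameter name
        "client_id": client_id,
        "client_secret": client_secret,  # secret travels in the POST body, never in the URL
    }).encode()
    return token_url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def fetch_token(post: Post, idp: str, client_id: str, client_secret: str) -> str:
    url, headers, body = build_token_request(idp, client_id, client_secret)
    return post(url, headers, body)["access_token"]


def graphql_endpoint(api_url: str) -> str:
    return api_url.rstrip("/") + "/graphql"  # assumed path


def paginate(post: Post, endpoint: str, token: str, query: str, variables: Dict[str, Any],
             page_size: int = DEFAULT_PAGE_SIZE, max_retries: int = DEFAULT_MAX_RETRIES,
             sleep: Callable[[float], None] = time.sleep) -> Iterator[Dict[str, Any]]:
    """Yield every node of the `page` connection, following pageInfo.endCursor.

    Each page is attempted up to max_retries times on TransientError with linear
    backoff; the final failure propagates so the sync is reported as failed.
    """
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    after: Optional[str] = None
    while True:
        body = json.dumps({"query": query,
                           "variables": {**variables, "first": page_size, "after": after}}).encode()
        for attempt in range(1, max_retries + 1):
            try:
                resp = post(endpoint, headers, body)
                break
            except TransientError:
                if attempt == max_retries:
                    raise
                sleep(attempt)
        if resp.get("errors"):
            # GraphQL errors arrive with HTTP 200; never mistake them for an empty page.
            raise RuntimeError(f"GraphQL errors: {resp['errors']}")
        page = resp["data"]["page"]
        yield from page["nodes"]
        if not page["pageInfo"]["hasNextPage"]:
            return
        after = page["pageInfo"]["endCursor"]


if __name__ == "__main__":  # live usage; credentials come from the environment
    import os
    tok = fetch_token(urllib_post, "Auth0", os.environ["WIZ_CLIENT_ID"], os.environ["WIZ_CLIENT_SECRET"])
    ISSUES = ("query ($first: Int, $after: String) { page: issuesV2(first: $first, after: $after)"
              " { nodes { id status severity } pageInfo { hasNextPage endCursor } } }")
    for issue in paginate(urllib_post, graphql_endpoint(os.environ["WIZ_API_URL"]), tok, ISSUES, {}):
        print(issue["id"], issue["status"], issue["severity"])
```

Note that only transport-level failures (429 and 5xx) are retried. A 401 or 403 indicates a wrong client secret, a wrong audience for the IdP, or a service account missing one of the permissions listed earlier, and retrying would only delay the error.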
Types of data to retrieve
The Wiz connector can retrieve the following types of data from the Wiz API:
Table 2: Data retrieved from Wiz
Connector Object | Required | Maps to Data Model |
---|---|---|
Backup Service | No | Not mapped |
Bucket | No | Not mapped |
CI/CD Service | No | Not mapped |
Compute Instance Group | No | Not mapped |
Container | Yes | Container |
Container Image | Yes | Container Image |
Container Registry | No | Not mapped |
Container Service | No | Not mapped |
Daemon Set | No | Not mapped |
Database Server | Yes | Database Instance |
Deployment | No | Not mapped |
Encryption Key | No | Not mapped |
File System Service | No | Not mapped |
Firewall | No | Not mapped |
Issue | Yes | Violation |
Issue Definition | Yes | Violation Definition |
Kubernetes Cluster | No | Not mapped |
Raw Access Policy | No | Not mapped |
Resource Group | No | Not mapped |
Serverless | Yes | Serverless |
Storage Account | No | Not mapped |
Subscription | No | Not mapped |
Virtual Machine | Yes | Host |
Virtual Machine Image | Yes | Host Image |
Virtual Network | Yes | Network Segment |
Vulnerability | Yes | Vulnerability |
Vulnerability Definition | Yes | Vulnerability Definition |
Web Service | No | Not mapped |
For detailed steps on how to view the data retrieved from Wiz in the Brinqa Platform, see How to view your data.
Operation options
The Wiz connector supports the following operation options. See connector operation options for information about how to apply them.
Table 3: Operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Backup Service, Bucket, CI/CD Service, Compute Instance Group, Container, Container Image, Container Registry, Container Service, Daemon Set, Database Server, Deployment, Encryption Key, File System Service, Firewall, Kubernetes Cluster, Raw Access Policy, Resource Group, Serverless, Storage Account, Subscription, Virtual Machine, Virtual Machine Image, Virtual Network, Web Service | projectId | Any number identifying a project. | Filter reports associated with the specified project ID. | Key: projectId, Value: 1234. This key and value combination only retrieves data from project ID 1234. |
Same connector objects as above | reportName | Any name identifying a report. | Filter reports matching the specified name. | Key: reportName, Value: Report A. This key and value combination only retrieves data from Report A. |
Table 4: Issue and Issue Definition operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Issue, Issue Definition | frameworkCategory | Any number identifying a security framework. | Filter issues by the specified framework ID. Leave the value blank to indicate all framework categories. | Key: frameworkCategory, Value: 1234. This key and value combination only retrieves issues for framework 1234. |
Issue, Issue Definition | hasAutoRemediation | true or false | Filter issues with or without auto remediation. | Key: hasAutoRemediation, Value: true. This key and value combination only retrieves issues with auto remediation. |
Issue, Issue Definition | hasRemediation | true or false | Filter issues with or without remediation. | Key: hasRemediation, Value: false. This key and value combination only retrieves issues without a remediation. |
Issue, Issue Definition | hasServiceTicket | true or false | Filter issues with or without a related service ticket. | Key: hasServiceTicket, Value: true. This key and value combination only retrieves issues with related service tickets. |
Issue, Issue Definition | projectId | Any number identifying a project. | Filter issues associated with the specified project ID. Leave the value blank to indicate all project IDs. | Key: projectId, Value: 1234. This key and value combination only retrieves issues for project ID 1234. |
Issue, Issue Definition | resolutionReason | CONTROL_CHANGED, CONTROL_DISABLED, CONTROL_DELETED, EXCEPTION, FALSE_POSITIVE, ISSUE_FIXED, OBJECT_DELETED, WONT_FIX | A comma-separated list to filter issues by resolution reason. Leave the value blank to indicate all resolution reasons. | Key: resolutionReason, Value: FALSE_POSITIVE. This key and value combination only retrieves issues resolved as false positives. |
Issue, Issue Definition | severity | CRITICAL, HIGH, INFORMATIONAL, LOW, MEDIUM | A comma-separated list to filter issues by severity. Leave the value blank to indicate all severities. | Key: severity, Value: LOW, MEDIUM. This key and value combination only retrieves issues of low or medium severity. |
Issue, Issue Definition | stackLayer | APPLICATION_AND_DATA, CI_CD, CLOUD_ENTITLEMENTS, CODE, COMPUTE_PLATFORMS, DATA_STORES, SECURITY_AND_IDENTITY | A comma-separated list to filter issues from the specified stack layers. Leave the value blank to indicate all stack layers. | Key: stackLayer, Value: (blank). This key with a blank value retrieves issues from all stack layers. |
Issue, Issue Definition | status | IN_PROGRESS, OPEN, REJECTED, RESOLVED | A comma-separated list to filter issues by status. Leave the value blank to indicate all statuses. | Key: status, Value: OPEN. This key and value combination only retrieves open issues. |
Table 5: Vulnerability Definition operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Vulnerability Definition | assetHasAdminPrivileges | true or false | Filter vulnerabilities for assets with or without admin privileges. | Key: assetHasAdminPrivileges, Value: true. This key and value combination only retrieves vulnerabilities for assets with admin privileges. |
Vulnerability Definition | assetHasHighPrivileges | true or false | Filter vulnerabilities for assets with or without high privileges. | Key: assetHasHighPrivileges, Value: false. This key and value combination only retrieves vulnerabilities for assets without high privileges. |
Vulnerability Definition | assetId | Any number identifying an asset. | Filter vulnerabilities by the asset ID. Leave the value blank to indicate all asset IDs. | Key: assetId, Value: 1234. This key and value combination only retrieves vulnerabilities for asset ID 1234. |
Vulnerability Definition | assetStatus | Active, Error, Inactive | Filter vulnerabilities for assets with the specified status. Leave the value blank to indicate all asset statuses. | Key: assetStatus, Value: Active. This key and value combination only retrieves vulnerabilities from active assets. |
Vulnerability Definition | assetType | CONTAINER, CONTAINER_IMAGE, SERVERLESS, VIRTUAL_MACHINE | A comma-separated list to filter vulnerabilities by asset type. Leave the value blank to indicate all asset types. | Key: assetType, Value: CONTAINER, SERVERLESS. This key and value combination only retrieves vulnerabilities for the CONTAINER and SERVERLESS asset types. |
Vulnerability Definition | containerRegistry | Any name identifying a container registry. | Filter vulnerabilities associated with the specified container registry. | Key: containerRegistry, Value: ECR. This key and value combination only retrieves vulnerabilities related to the AWS Elastic Container Registry (ECR). |
Vulnerability Definition | containerRepository | Any name identifying a container repository. | Filter vulnerabilities associated with the specified container repository. | Key: containerRepository, Value: Azure Container Repository. This key and value combination only retrieves vulnerabilities in the Azure Container Repository. |
Vulnerability Definition | detectionMethod | DEFAULT_PACKAGE, FILE_PATH, INSTALLED_PROGRAM, INSTALLED_PROGRAM_BY_SERVICE, LIBRARY, OS, PACKAGE | A comma-separated list to filter vulnerabilities found by the specified detection methods. Leave the value blank to indicate all detection methods. | Key: detectionMethod, Value: FILE_PATH. This key and value combination only retrieves vulnerabilities detected through file paths. |
Vulnerability Definition | hasCisaKevExploit | true or false | Filter vulnerabilities by whether they appear in the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. | Key: hasCisaKevExploit, Value: true. This key and value combination only retrieves vulnerabilities listed in the CISA KEV catalog. |
Vulnerability Definition | hasExploit | true or false | Filter vulnerabilities with or without an available exploit. | Key: hasExploit, Value: false. This key and value combination only retrieves vulnerabilities without a known exploit. |
Vulnerability Definition | hasFix | true or false | Filter vulnerabilities with or without an available fix. | Key: hasFix, Value: true. This key and value combination only retrieves vulnerabilities with a fix. |
Vulnerability Definition | isAssetOpenToAllInternet | true or false | Filter vulnerabilities for assets by whether they are publicly accessible over the internet. | Key: isAssetOpenToAllInternet, Value: true. This key and value combination only retrieves vulnerabilities for assets that are accessible over the internet. |
Vulnerability Definition | isBaseLayer | true or false | Filter vulnerabilities for container images by whether they are attributed to a base image. | Key: isBaseLayer, Value: false. This key and value combination only retrieves vulnerabilities for container images that aren't attributed to a base image. |
Vulnerability Definition | isScannedFromRegistry | true or false | Filter vulnerabilities by whether they were found by scanning a container registry. | Key: isScannedFromRegistry, Value: true. This key and value combination only retrieves vulnerabilities that were found by scanning a container registry. |
Vulnerability Definition | projectId | Any number identifying a project. | Filter vulnerabilities associated with the specified project ID. Leave the value blank to indicate all project IDs. | Key: projectId, Value: 1234. This key and value combination only retrieves vulnerabilities for project ID 1234. |
Vulnerability Definition | reportName | Any name identifying a report. | Filter vulnerabilities matching the specified report name. | Key: reportName, Value: Report A. This key and value combination only retrieves vulnerabilities from Report A. |
Vulnerability Definition | status | OPEN, REJECTED, RESOLVED | A comma-separated list to filter vulnerabilities by status. Leave the value blank to indicate all statuses. | Key: status, Value: RESOLVED. This key and value combination only retrieves resolved vulnerabilities. |
Vulnerability Definition | subscriptionExternalId | The external ID of an AWS account, Azure subscription, GCP project, or OCI compartment. | A comma-separated list to filter vulnerabilities by the external ID of their cloud subscription. Leave the value blank to indicate all subscriptions. | Key: subscriptionExternalId, Value: the external ID of an AWS account. This key and value combination only retrieves vulnerabilities associated with that AWS account. |
Vulnerability Definition | validatedInRuntime | true or false | Filter vulnerabilities by whether they have been validated in runtime. | Key: validatedInRuntime, Value: true. This key and value combination only retrieves vulnerabilities that have been validated in runtime. |
Vulnerability Definition | vendorSeverity | CRITICAL, HIGH, LOW, MEDIUM, NONE | A comma-separated list to filter vulnerabilities by vendor severity. Leave the value blank to indicate all vendor severities. | Key: vendorSeverity, Value: HIGH. This key and value combination only retrieves vulnerabilities rated high severity by the vendor. |
Option keys and values are case-sensitive. Enter them exactly as shown in this documentation; for example, severity must be LOW, not low.
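The following is an added example, not Brinqa's or Wiz's own code, of how to validate operation options against the tables above before they reach the Wiz query. It enforces the case-sensitivity rule, splits comma-separated lists, parses true/false, and treats a blank value as "all" by dropping the key. The option keys and value sets are copied from Tables 4 and 5; the page does not show how the connector maps them onto Wiz's GraphQL filter variables, so the output is simply a cleaned dictionary keyed by option name, and the hint text on a case mismatch is this example's own design.

```python
"""Added example (not Brinqa's or Wiz's code): normalise and validate
connector operation options. Keys/values come from Tables 4 and 5 on this
page; the mapping to Wiz filter variables is not on the page and is not done here.
"""
from typing import Dict, Optional, Set, Union

BOOL = "bool"   # true/false option
FREE = "free"   # free-form identifier or name (projectId, assetId, reportName, ...)

# Table 4: Issue and Issue Definition options.
ISSUE_OPTIONS: Dict[str, Union[str, Set[str]]] = {
    "frameworkCategory": FREE,
    "hasAutoRemediation": BOOL,
    "hasRemediation": BOOL,
    "hasServiceTicket": BOOL,
    "projectId": FREE,
    "resolutionReason": {"CONTROL_CHANGED", "CONTROL_DISABLED", "CONTROL_DELETED", "EXCEPTION",
                         "FALSE_POSITIVE", "ISSUE_FIXED", "OBJECT_DELETED", "WONT_FIX"},
    "severity": {"CRITICAL", "HIGH", "INFORMATIONAL", "LOW", "MEDIUM"},
    "stackLayer": {"APPLICATION_AND_DATA", "CI_CD", "CLOUD_ENTITLEMENTS", "CODE",
                   "COMPUTE_PLATFORMS", "DATA_STORES", "SECURITY_AND_IDENTITY"},
    "status": {"IN_PROGRESS", "OPEN", "REJECTED", "RESOLVED"},
}

# Table 5: Vulnerability Definition options.
VULNERABILITY_OPTIONS: Dict[str, Union[str, Set[str]]] = {
    "assetHasAdminPrivileges": BOOL, "assetHasHighPrivileges": BOOL, "assetId": FREE,
    "assetStatus": {"Active", "Error", "Inactive"},
    "assetType": {"CONTAINER", "CONTAINER_IMAGE", "SERVERLESS", "VIRTUAL_MACHINE"},
    "containerRegistry": FREE, "containerRepository": FREE,
    "detectionMethod": {"DEFAULT_PACKAGE", "FILE_PATH", "INSTALLED_PROGRAM",
                        "INSTALLED_PROGRAM_BY_SERVICE", "LIBRARY", "OS", "PACKAGE"},
    "hasCisaKevExploit": BOOL, "hasExploit": BOOL, "hasFix": BOOL,
    "isAssetOpenToAllInternet": BOOL, "isBaseLayer": BOOL, "isScannedFromRegistry": BOOL,
    "projectId": FREE, "reportName": FREE,
    "status": {"OPEN", "REJECTED", "RESOLVED"},
    "subscriptionExternalId": FREE, "validatedInRuntime": BOOL,
    "vendorSeverity": {"CRITICAL", "HIGH", "LOW", "MEDIUM", "NONE"},
}


def _case_hint(wanted: str, allowed) -> str:
    """Name the exact-case spelling when the only mistake is letter case."""
    for candidate in allowed:
        if candidate.lower() == wanted.lower():
            return f" (did you mean {candidate!r}? keys and values are case-sensitive)"
    return ""


def normalize_options(raw: Dict[str, Optional[str]],
                      spec: Dict[str, Union[str, Set[str]]]) -> Dict[str, Union[str, bool, list]]:
    """Return {option: value} with lists split, booleans parsed and blanks dropped.

    Raises KeyError for an unknown key and ValueError for a value not in the
    table, each carrying a hint when the problem is only letter case.
    """
    out: Dict[str, Union[str, bool, list]] = {}
    for key, value in raw.items():
        if key not in spec:
            raise KeyError(f"unknown option {key!r}{_case_hint(key, spec)}")
        if value is None or not value.strip():
            continue  # blank means "all": no filter is applied for this key
        kind = spec[key]
        text = value.strip()
        if kind == BOOL:
            if text not in ("true", "false"):
                raise ValueError(f"{key}: expected true or false, got {value!r}")
            out[key] = text == "true"
        elif kind == FREE:
            out[key] = text
        else:
            items = [v.strip() for v in text.split(",") if v.strip()]
            bad = [v for v in items if v not in kind]
            if bad:
                raise ValueError(f"{key}: invalid value {bad[0]!r}{_case_hint(bad[0], kind)}")
            out[key] = items
    return out
```

Rejecting a wrong-case value up front matters because a silently ignored filter widens the sync: an operator who types "severity: low" expecting only low-severity issues would otherwise pull every severity.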
APIs
The Wiz connector uses the Wiz API. Specifically, it executes the following GraphQL queries to retrieve data:
Table 6: Wiz API GraphQL queries
Issue GraphQL queries
The following query retrieves information about Issues and Issue Definitions:
query issueFindings($filterBy: IssueFilters, $first: Int, $after: String, $orderBy: IssueOrder) {
page: issuesV2(filterBy: $filterBy, first: $first, after: $after, orderBy: $orderBy) {
nodes {
id
status
severity
type
openReason
resolutionReason
suggestions
resolvedAt
createdAt
updatedAt
dueAt
statusChangedAt
rejectionExpiredAt
sourceRule {
__typename
... on Control {
id
name
description
severity
resolutionRecommendation
securitySubCategories {
id
title
category {
id
name
framework {
id
name
}
}
}
}
... on CloudEventRule {
id
name
description
sourceType
type
cloudEventRuleSeverity: severity
securitySubCategories {
id
title
category {
id
name
framework {
id
name
}
}
}
}
... on CloudConfigurationRule {
id
name
description
remediationInstructions
serviceType
severity
securitySubCategories {
id
title
category {
id
name
framework {
id
name
}
}
}
}
}
entity: entitySnapshot {
id
type
nativeType
name
status
cloudPlatform
cloudProviderURL
providerId
region
resourceGroupExternalId
subscriptionExternalId
subscriptionName
subscriptionTags
tags
externalId
}
projects {
id
name
description
slug
businessUnit
riskProfile {
businessImpact
}
}
serviceTickets {
id
externalId
name
url
}
notes {
id
createdAt
updatedAt
text
user {
id
name
email
}
serviceAccount {
id
name
type
}
}
}
pageInfo {
hasNextPage
endCursor
}
}
}
Reports GraphQL queries
The first query retrieves data for the Backup Service, Bucket, CI/CD Service, Compute Instance Group, Container, Container Image, Container Registry, Container Service, Daemon Set, Database Server, Deployment, Encryption Key, File System Service, Firewall, Kubernetes Cluster, Raw Access Policy, Resource Group, Serverless, Storage Account, Subscription, Virtual Machine Image, Virtual Network, Vulnerability, Vulnerability Definition, and Web Service connector objects from the reports endpoint. The remaining queries create a report, rerun it, and retrieve the URL to download the report:
query ReportsSearch($filterBy: ReportFilters, $first: Int, $after: String) {
page: reports(first: $first, after: $after, filterBy: $filterBy) {
nodes {
id
name
createdBy {
id
email
}
lastRun {
id
runAt
}
lastSuccessfulRun {
id
runAt
}
type {
id
name
}
}
pageInfo {
hasNextPage
endCursor
}
}
}
mutation CreateReport($input: CreateReportInput!) {
operation: createReport(input: $input) {
node: report {
id
}
}
}
mutation RerunReport($reportId: ID!) {
operation: rerunReport(input: {id: $reportId}) {
node: report {
id
}
}
}
query ReportDownloadUrl($reportId: ID!) {
node: report(id: $reportId) {
id
name
lastRun {
id
url
status
}
}
}
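The following is an added example, not Brinqa's or Wiz's own code, that drives the report-based export described in the note on the create:reports permission and in the four Reports queries above: look up an existing connector report by name with ReportsSearch (or create one with CreateReport), trigger RerunReport, poll ReportDownloadUrl until the last run exposes a URL, download the CSV, and parse it. An empty download returns an empty list rather than failing, which is the "Empty header line" condition mentioned in changelog 3.1.9. Several things are assumptions not stated on this page: the run status values IN_PROGRESS, COMPLETED, FAILED and EXPIRED; that ReportFilters accepts a `search` field and CreateReportInput a `name` field; and that creating a report starts its first run. The shape of the rest of CreateReportInput is not on the page, so it is passed through opaquely. `execute(query, variables)` returns the GraphQL `data` object and `download(url)` returns CSV text; both are injected so the logic runs offline.

```python
"""Added example (not Brinqa's or Wiz's code): create-or-rerun a connector
report, poll for its download URL, parse the CSV. Assumed (not on this page):
run status values IN_PROGRESS/COMPLETED/FAILED/EXPIRED, ReportFilters.search,
CreateReportInput.name, and that creation starts a first run.
"""
import csv
import io
import time
from typing import Any, Callable, Dict, List, Optional

# Report name prefixes documented for the connector's own reports.
REPORT_PREFIXES = ("BRINQA-VULNERABILITIES-REPORT_", "BRINQA-INVENTORY-REPORT_")

REPORTS_SEARCH = """query ReportsSearch($filterBy: ReportFilters, $first: Int, $after: String) {
  page: reports(first: $first, after: $after, filterBy: $filterBy) {
    nodes { id name } pageInfo { hasNextPage endCursor } } }"""
CREATE_REPORT = """mutation CreateReport($input: CreateReportInput!) {
  operation: createReport(input: $input) { node: report { id } } }"""
RERUN_REPORT = """mutation RerunReport($reportId: ID!) {
  operation: rerunReport(input: {id: $reportId}) { node: report { id } } }"""
REPORT_DOWNLOAD_URL = """query ReportDownloadUrl($reportId: ID!) {
  node: report(id: $reportId) { id name lastRun { id url status } } }"""

Execute = Callable[[str, Dict[str, Any]], Dict[str, Any]]


class ReportRunFailed(Exception):
    pass


def is_connector_report(name: str) -> bool:
    """True for reports the connector owns, identified by the documented prefixes."""
    return name.startswith(REPORT_PREFIXES)


def find_report_id(execute: Execute, name: str) -> Optional[str]:
    """Exact-name lookup via ReportsSearch, following the cursor across pages."""
    after = None
    while True:
        variables = {"filterBy": {"search": name}, "first": 100, "after": after}  # search: assumed field
        page = execute(REPORTS_SEARCH, variables)["page"]
        for node in page["nodes"]:
            if node["name"] == name:
                return node["id"]
        if not page["pageInfo"]["hasNextPage"]:
            return None
        after = page["pageInfo"]["endCursor"]


def parse_report_csv(text: str) -> List[Dict[str, str]]:
    """Parse report CSV rows; an empty download is an empty result, not an error."""
    if not text.strip():
        return []
    return list(csv.DictReader(io.StringIO(text)))


def export_report(execute: Execute, download: Callable[[str], str], name: str,
                  create_input: Dict[str, Any], max_polls: int = 60,
                  sleep: Callable[[float], None] = time.sleep) -> List[Dict[str, str]]:
    """Create or rerun the named report, wait for the run, return its parsed rows."""
    if not is_connector_report(name):
        raise ValueError(f"{name!r} lacks a connector prefix and would escape report cleanup")
    report_id = find_report_id(execute, name)
    if report_id is None:
        created = execute(CREATE_REPORT, {"input": {**create_input, "name": name}})  # name: assumed field
        report_id = created["operation"]["node"]["id"]
    else:
        execute(RERUN_REPORT, {"reportId": report_id})
    for _ in range(max_polls):
        run = execute(REPORT_DOWNLOAD_URL, {"reportId": report_id})["node"]["lastRun"]
        status = run["status"] if run else "IN_PROGRESS"
        if status == "COMPLETED" and run.get("url"):
            return parse_report_csv(download(run["url"]))
        if status in ("FAILED", "EXPIRED"):
            raise ReportRunFailed(f"report {report_id} run ended with status {status}")
        sleep(5)
    raise TimeoutError(f"report {report_id} did not complete after {max_polls} polls")
```

The prefix check before creating anything is deliberate: the page states that the connector's reports are deleted according to the data cleanup frequency, and a report created under another name would accumulate in Wiz indefinitely.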
Vulnerability GraphQL query
The following query retrieves information about vulnerabilities:
query vulnerabilityFindings($filterBy: VulnerabilityFindingFilters, $first: Int, $after: String) {
page: vulnerabilityFindings(filterBy: $filterBy, first: $first, after: $after) {
nodes {
id
name
detailedName
CVEDescription
CVSSSeverity
vendorSeverity
score
exploitabilityScore
impactScore
description
remediation
link
locationPath
detectionMethod
version
fixedVersion
portalUrl
firstDetectedAt
lastDetectedAt
vulnerableAsset {
... on VulnerableAssetBase {
id
providerUniqueId
type
name
}
}
}
pageInfo {
hasNextPage
endCursor
}
totalCount
}
}
Vulnerability Definition GraphQL query
The following query retrieves information about Vulnerability Definitions:
query VulnerabilityDefinitions($filterBy: VulnerabilityFilters, $first: Int, $after: String) {
page: vulnerabilities(filterBy: $filterBy, first: $first, after: $after) {
nodes {
affectedTechnologies {
id
name
}
baseScore
cisaKevDueDate
cisaKevReleaseDate
cvssv2 {
attackComplexity
attackVector
confidentialityImpact
integrityImpact
privilegesRequired
userInteractionRequired
}
cvssv3 {
attackComplexity
attackVector
confidentialityImpact
integrityImpact
privilegesRequired
userInteractionRequired
}
description
exploitabilityScore
exploitable
externalId
hasCisaKevExploit
id
name
publishedAt
severity
sourceFeeds {
id
name
url
}
sourceUrl
}
pageInfo {
endCursor
hasNextPage
}
totalCount
}
}
Changelog
The Wiz connector has undergone the following changes:
3.2.4
- Added the NAME attribute to the Vulnerability Definition object.
3.2.3
- Code clean up and general maintenance to help improve error handling.
3.2.2
- Fixed an issue where the Issue and Issue Definition object syncs were failing.
3.2.1
- Fixed an issue where the Resource Group and Storage Account object syncs were failing due to an "Empty header line: cannot bind data" error.
3.2.0
- Enhanced the Vulnerability object sync process to improve efficiency by using regular reports with the updateAt date filter, as recommended by Wiz. The Wiz connector now retrieves all vulnerabilities with detection support via the GraphQL API, rather than creating vulnerability definitions from vulnerability data.
3.1.18
- Code clean up and maintenance.
3.1.17
- Fixed an issue where the Issue and Issue Definition object syncs were failing.
- Added the SOURCE_SEVERITY_SCORE attribute to the Vulnerability object.
- Code clean up and maintenance.
3.1.16
- Added remediation instructions to the Issue Definition object.
- Addressed a potential NullPointerException (NPE) on the Issue object.
3.1.15
- Enhanced the method for retrieving vulnerability status by splitting "New" from "Active" status. The Wiz connector now uses the FIRST_SEEN_AT filter for "New" vulnerabilities and the UPDATED_AT filter for "Active" vulnerabilities to ensure more accurate reporting.
3.1.14
- Added the IS_CONTAINER_HOST attribute to the Virtual Machine object.
3.1.13
- No change.
3.1.12
- Fixed an issue where CVSS_V2_BASE_SCORE and CVSS_V3_BASE_SCORE on the Vulnerability Definition object were not populating.
3.1.11
- Revised the logic of getting asset type information from the source data.
3.1.10
- Updated to fetch 'vmId' as the Instance ID for Azure assets.
- Switched the order of adding attributes to allow native or specific attributes to take higher precedence.
- Updated dependencies.
3.1.9
- Fixed an issue where an "Empty header line" error occurred when reports returned by Wiz were empty.
- Fixed an issue related to the "Missing 1 header column: ["uid"]" error.
3.1.8
- Added a new setting to configure maximum retries.
3.1.7
- Updated to the new Wiz logo.
- Enhanced handling for missing UID in objects retrieved from Wiz.
3.1.4
- Started retrieving the image name for Container Image objects.
- Started mapping provider ID to the TARGETS attribute in the Issue object.
3.1.1
- Added more connector objects, such as Database Server, Issue, and Issue Definition.
3.1.0
- Initial Integration+ release.