Wiz

Wiz is a cloud security tool that scans your cloud environments to provide complete visibility into every technology running in your cloud. You can bring virtual network, virtual machine, vulnerability and more data from Wiz into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Wiz when the data integration runs, and how to obtain that information from Wiz. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Wiz from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Wiz with Brinqa:

• API URL: The Wiz API endpoint URL. The default URL is https://api.<region>.app.wiz.io.

• Token URL: The Wiz API authentication token URL. The URL is specific to the identity provider (IdP) for the Wiz service account. See Table 1 for more information.

• OAuth audience: The audience of your OAuth token. The audience is specific to your IdP. See Table 1 for more information.

• Client ID and Client secret: The credentials associated with the Wiz service account, which must have permissions to log in to the API server and return data.

The Token URL and OAuth audience values depend on the IdP you use for the Wiz service account. The following table summarizes the different values:

Table 1. Wiz token URL and audience values

IdP	Token URL	Audience
Amazon Cognito	https://auth.app.wiz.io/oauth/token	wiz-api
Auth0	https://auth.wiz.io/oauth/token	beyond-api

Obtain the client ID and client secret from Wiz

For the Wiz connector to use the Wiz API, you must provide the client ID and client secret from an active Wiz service account.

To obtain these credentials, please follow the steps in the official Wiz documentation for Brinqa integration. This guide is maintained by Wiz and outlines the process for creating the required service account and assigning appropriate permissions.

note

If you do not have the permissions to create a service account or assign permissions, contact your Wiz administrator.

The Wiz connector was developed in collaboration with Wiz and adheres to their recommended solutions. It has been certified by Wiz to ensure optimal functionality and security.

• Due to limitations with GraphQL in exporting large datasets, the connector generates reports in CSV format.
• The Wiz connector generates one report per asset type for Vulnerabilities, with each report prefixed by BRINQA-VULNERABILITIES-REPORT_.
• It also generates one report per inventory type for Inventory, with each report prefixed by BRINQA-INVENTORY-REPORT_. This lets you easily identify and monitor said reports.
• These reports are automatically deleted from Wiz based on your specified data cleanup frequency.

Additional settings

The Wiz connector contains additional options for specific configuration:

• Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

• Maximum retries: The maximum number of times that the integration attempts to connect to the Wiz API before giving up and reporting a failure. The default setting is 5.

Types of data to retrieve

The Wiz connector can retrieve the following types of data from the Wiz API:

Table 2: Data retrieved from Wiz

Connector Object	Required	Maps to Data Model
API Gateway	No	Not mapped
Backup Service	No	Not mapped
Bucket	No	Not mapped
CI/CD Service	No	Not mapped
Compute Instance Group	No	Not mapped
Configuration Finding	Yes	Violation
Container	Yes	Container
Container Image	Yes	Container Image
Container Registry	No	Not mapped
Container Service	No	Not mapped
Control	Yes	Violation Definition
Daemon Set	No	Not mapped
Database Server	Yes	Database Instance
Deployment	No	Not mapped
Encryption Key	No	Not mapped
File System Service	No	Not mapped
Firewall	No	Not mapped
Issue	Yes	Violation
Issue Definition	Yes	Violation Definition
Kubernetes Cluster	No	Not mapped
Raw Access Policy	No	Not mapped
Resource Group	No	Not mapped
Secret Container	No	Not mapped
Serverless	Yes	Serverless
Storage Account	No	Not mapped
Subnet	No	Not mapped
Subscription	No	Not mapped
Virtual Machine	Yes	Host
Virtual Machine Image	Yes	Host Image
Virtual Network	Yes	Network Segment
Volume	No	Not mapped
Vulnerability	Yes	Vulnerability
Vulnerability Definition	Yes	Vulnerability Definition
Web Service	No	Not mapped

info

For detailed steps on how to view the data retrieved from Wiz in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Configuration Finding

Table 3: Configuration Finding attribute mappings

Source Field Name	Maps to Attribute
firstSeenAt	firstSeen
id	uid
remediation	recommendation
resource.id	targets
resource.name	Local variable
resource.type	Local variable
result	results
rule	type
severity	severity
status	status

Container

Table 4: Container attribute mappings

Source Field Name	Maps to Attribute
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	lastSeen
Name	Local variable
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
name	name
categories	categories
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.Runtime	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.imageExternalId	image
Wiz JSON Object.kubernetes.baseExtraData.clusterExternalId	Local variable
Wiz JSON Object.kubernetes.baseExtraData.clusterName	Local variable
Wiz JSON Object.virtualMachineExternalId	host

Container Image

Table 5: Container Image attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status (normalized)	status
Wiz JSON Object.digest	digest
Wiz JSON Object.encrypted	Local variable
Wiz JSON Object.repoExternalId	Local variable

Control

Table 6: Control attribute mappings

Source Field Name	Maps to Attribute
description	description
id	uid
name	name
remediationInstructions	recommendation

Issue

Table 7: Issue attribute mappings

Source Field Name	Maps to Attribute
CREATED_AT	firstFound
CREATED_AT	sourceCreatedDate
DUE_AT	Local variable
ENTITY.UID	targets
ID	uid
NOTES.TEXT	Local variable
RESOLVED_AT	lastFixed
RESOLUTION_REASON	Local variable
SEVERITY	severity, severityScore, sourceSeverity
SEVERITY	severityScore
SEVERITY	sourceSeverity
SERVICE_TICKETS.EXTERNAL_ID	Local variable
SERVICE_TICKETS.ID	Local variable
SERVICE_TICKETS.NAME	Local variable
SERVICE_TICKETS.URL	Local variable
SOURCE_RULES.ID	type
STATUS	providerStatus, sourceStatus, status, statusCategory
TYPE	categories
UPDATED_AT	sourceLastModified

Issue Definition

Table 8: Issue Definition attribute mappings

Source Field Name	Maps to Attribute
ISSUE.SOURCERULE.DESCRIPTION	description
ISSUE.SOURCERULE.ID	uid
ISSUE.SOURCERULE.NAME	name
ISSUE.SOURCERULE.NAME	summary
ISSUE.SOURCERULE.REMEDIATIONINSTRUCTIONS	recommendation
ISSUE.SOURCERULE.RESOLUTIONRECOMMENDATION	recommendation
ISSUE.SOURCERULE.RESOLUTIONRECOMMENDATIONPLAINTEXT	recommendation
ISSUE.SOURCERULE.RISKS	Local variable
ISSUE.SOURCERULE.SECURITYSUBCATEGORIES.DISPLAYNAME	categories
ISSUE.SOURCERULE.SEVERITY	severity, severityScore, sourceSeverity
ISSUE.SOURCERULE.THREATS	Local variable
ISSUE.SOURCERULE.TYPE	Local variable

Virtual Machine

Table 9: Virtual Machine attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.Architecture	Local variable
Cloud Native JSON.ImageId	image
Cloud Native JSON.InstanceId	instanceId
Cloud Native JSON.InstanceType	Local variable
Cloud Native JSON.Monitoring.State	Local variable
Cloud Native JSON.NetworkInterfaces.MacAddress	macAddresses
Cloud Native JSON.PrivateDnsName	dnsNames
Cloud Native JSON.PrivateDnsName	privateDnsNames
Cloud Native JSON.PrivateIpAddress	ipAddresses
Cloud Native JSON.PrivateIpAddress	privateIpAddresses
Cloud Native JSON.PublicDnsName	hostnames
Cloud Native JSON.PublicDnsName	publicDnsNames
Cloud Native JSON.PublicIpAddress	ipAddresses
Cloud Native JSON.PublicIpAddress	publicIpAddresses
Cloud Native JSON.StateReason	Local variable
Cloud Native JSON.Subscription	Local variable
Cloud Native JSON.Subscription ID	Local variable
Cloud Native JSON.lastStartTimestamp	lastStarted
Cloud Native JSON.lastStopTimestamp	lastStopped
Cloud Native JSON.name	Local variable
Cloud Native JSON.networkInterfaces.network	Local variable
Cloud Native JSON.networkInterfaces.subnetwork	Local variable
Cloud Native JSON.project	Local variable
Cloud Native JSON.providerId	Local variable
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.Runtime	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	firstSeen
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.imageExternalId	image
Wiz JSON Object.isContainerHost	Local variable
Wiz JSON Object.operatingSystem	operatingSystem

Virtual Machine Image

Table 10: Virtual Machine Image attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.ImageLocation	Local variable
Wiz JSON Object.ImageOwnerAlias	Local variable
Wiz JSON Object.PlatformDetails	Local variable
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.family	Local variable
Wiz JSON Object.is_public	Local variable

Virtual Network

Table 11: Virtual Network attribute mappings

Source Field Name	Maps to Attribute
Categories	categories
Cloud Native JSON.addressSpace.addressPrefixes	Local variable
Cloud Native JSON.enableDdosProtection	Local variable
Cloud Native JSON.tags	tags
Cloud Platform	Local variable
Description	description
External ID	Local variable
Last Seen	Local variable
Name	name
Native Type	Local variable
Projects	Local variable
Provider ID	Local variable
Provider ID/External ID	uid
Region	region
Resource Type	Local variable
Subscription	Local variable
Subscription ID	Local variable
Wiz JSON Object.addressRangeEdges	Local variable
Wiz JSON Object.addressRanges	ipv4Ranges
Wiz JSON Object.applicationEndpoint.openToAllInternet	Local variable
Wiz JSON Object.applicationEndpoint.validatedOpenPorts	Local variable
Wiz JSON Object.common.creationDate	sourceCreatedDate
Wiz JSON Object.common.status	providerStatus
Wiz JSON Object.common.status	status
Wiz JSON Object.flowLogsEnabled	Local variable
Wiz JSON Object.hasDeployedInstances	Local variable
Wiz JSON Object.isDefault	Local variable

Vulnerability

Table 12: Vulnerability attribute mappings

Source Field Name	Maps to Attribute
ASSETID	targets
ASSETNAME	Local variable
CRITICALRELATEDISSUESCOUNT	Local variable
CVSSSEVERITY	Local variable
DETAILEDNAME	results
DETECTIONMETHOD	Local variable
DESCRIPTION	description
EXPLOITABILITYSCORE	Local variable
FINDINGSTATUS	providerStatus, sourceStatus, status, statusCategory
FIRSTDETECTED	firstFound
FIXEDVERSION	Local variable
HIGHRELATEDISSUESCOUNT	Local variable
ID	uid
IMPACTSCORE	Local variable
INFORELATEDISSUESCOUNT	Local variable
LASTDETECTED	lastFound
LOCATIONPATH	locationPath
LOWRELATEDISSUESCOUNT	Local variable
MEDIUMRELATEDISSUESCOUNT	Local variable
NAME	name
NAME	type
NVDSEVERITY	Local variable
PROVIDERUNIQUEID	Local variable
REMEDIATION	recommendation
RESOLUTIONREASON	Local variable
RESOLVEDAT	lastFixed
SCORE	sourceSeverityScore
SEVERITY	severity, severityScore, sourceSeverity
TYPE	categories
VERSION	Local variable
VENDORSEVERITY	Local variable
WIZURL	Local variable

Vulnerability Definition

Table 13: Vulnerability Definition attribute mappings

Source Field Name	Maps to Attribute
AFFECTEDSOFTWARE	affected
CATEGORIES	categories
CISAKEVDUEDATE	cisaDueDate
CISAKEVRELEASEDATE	cisaAddedDate
CVSSV2.ATTACKCOMPLEXITY	cvssV2AccessComplexity
CVSSV2.ATTACKVECTOR	cvssV2AttackVector
CVSSV2.BASESCORE	cvssV2BaseScore
CVSSV2.CONFIDENTIALITYIMPACT	cvssV2ConfidentialityImpact
CVSSV2.INTEGRITYIMPACT	cvssV2IntegrityImpact
CVSSV2.PRIVILEGESREQUIRED	cvssV2Authentication
CVSSV3.ATTACKCOMPLEXITY	cvssV3AttackComplexity
CVSSV3.ATTACKVECTOR	cvssV3AttackVector
CVSSV3.CONFIDENTIALITYIMPACT	cvssV3ConfidentialityImpact
CVSSV3.INTEGRITYIMPACT	cvssV3IntegrityImpact
CVSSV3.PRIVILEGESREQUIRED	cvssV3PrivilegesRequired
CVSSV3.USERINTERACTIONREQUIRED	cvssV3UserInteraction
DESCRIPTION	description
EPSSPERCENTILE	epssPercentile
EPSSSEVERITY	Local variable
EPSSSCORE	epssScore
EXPLOITABILITY/HASCISAKEVEXPLOIT	exploitability
EXPLOITABILITYSCORE	Local variable
EXTERNALID	externalUids
HASHCISAKEVEXPLOIT	cisaExploited
HIGHPROFILETHREAT	Local variable
ISHIGHPROFILETHREAT	Local variable
NAME	cveIds, cveRecords, name, uid
NVDSEVERITY	Local variable
PUBLISHEDAT	publishedDate
RECOMMENDATION	recommendation
REFERENCES	references
SEVERITY	severity, severityScore, sourceSeverity
SOURCEURL	references
VENDORSEVERITY	Local variable

note

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Operation options

The Wiz connector supports the following operation options. See connector operation options for information about how to apply them.

Click the tabs below to view the supported operation options per connector object.

Backup Service

Table 14: Operation options

Connector Object	Option	All Possible Values	Description	Example
Backup Service, Bucket, CI/CD Service, Compute Instance Group, Container, Container Image, Container Registry, Container Service, Daemon Set, Database Server, Deployment, Encryption Key, File System Service, Firewall, Kubernetes Cluster, Raw Access Policy, Resource Group, Serverless, Storage Account, Subscription, Virtual Machine, Virtual Machine Image, Virtual Network, Web Service	projectId	Any number identifying a project.	Filter reports associated with the specified project ID.	Key: projectId, Value: 1234. This key and value combination only retrieves data from project ID 1234.
	reportName	Any name identifying a report.	Filter reports matching the specified name.	Key: reportName, Value: Report A. This key and value combination only retrieves data from Report A.

Configuration Finding

Table 15: Configuration Finding operation options

Connector Object	Option	All Possible Values	Description	Example
Configuration Finding	frameworkCategory	Any number identifying a security framework.	Filter issues by the specified framework ID. Leave the value blank to indicate all framework categories.	Key: frameworkCategory Value: 1234. This key and value combination only retrieves configuration findings for framework 1234.
	ruleName	Any string identifying a rule name.	A comma-separated list to filter configuration findings by the specified rule names.	Key: ruleName, Value: ruleName1,ruleName2. This key and value combination only retrieves findings related to the ruleName1 and ruleName2 rules.
	resourceType	Any string identifying a resource type.	A comma-separated list to filter configuration findings by the specified resource type.	Key: resourceType, Value: type1,type2. This key and value combination only retrieves configuration findings for resources of type Server.
	severity	NONE, LOW, MEDIUM, HIGH, CRITICAL	A comma-separated list to filter configuration findings based on severity.	Key: severity, Value: HIGH,CRITICAL. This key and value combination only retrieves findings with a severity of HIGH or CRITICAL.
	result	ERROR, FAIL, NOT_ASSESSED, PASSED	A comma-separated list to filter configuration findings based on their result status. Leave the value blank to indicate all result statuses.	Key: result, Value: ERROR,FAIL. This key and value combination only retrieves findings with an ERROR or FAIL result status.
	status	OPEN, RESOLVED, REJECTED	A comma-separated list to filter configuration findings by their status.	Key: status, Value: OPEN,REJECTED. This key and value combination only retrieves findings that are in the OPEN or REJECTED status.
	includeDeleted	true or false	Include or exclude deleted configuration findings in the results. Leave the value blank to indicate all findings.	Key: includeDeleted, Value: false. This key and value combination excludes deleted configuration findings from the results.

Issue & Issue Definition

Table 16: Issue and Issue Definition operation options

Connector Object	Option	All Possible Values	Description	Example
Issue, Issue Definition	frameworkCategory	Any number identifying a security framework.	Filter issues by the specified framework ID. Leave the value blank to indicate all framework categories.	Key: frameworkCategory, Value: 1234. This key and value combination only retrieves issues for framework 1234.
Issue, Issue Definition	hasAutoRemediation	true or false	Filter issues with or without auto remediation.	Key: hasAutoRemediation, Value: true. This key and value combination only retrieves issues with auto remediation.
Issue, Issue Definition	hasRemediation	true or false	Filter issues with or without remediation.	Key: hasRemediation, Value: false. This key and value combination only retrieves issues without a remediation.
Issue, Issue Definition	hasServiceTicket	true or false	Filter issues with or without related service ticket.	Key: hasServiceTicket, Value: true. This key and value combination only retrieves issues with related service tickets.
Issue, Issue Definition	projectId	Any number identifying a project.	Filter issues associated with the specified project ID. Leave the value blank to indicate all project IDs.	Key: projectId, Value: 1234. This key and value combination only retrieves issues for project ID 1234.
Issue, Issue Definition	resolutionReason	CONTROL_CHANGED, CONTROL_DISABLED, CONTROL_DELETED, EXCEPTION, FALSE_POSITIVE, ISSUE_FIXED, OBJECT_DELETED, WONT_FIX	A comma-separated list to filter issues by resolution reason. Leave the value blank to indicate all resolution reasons.	Key: resolutionReason, Value: FALSE_POSITIVE. This key and value combination only retrieves issues that are false positives.
Issue, Issue Definition	severity	CRITICAL, HIGH, INFORMATIONAL, LOW, MEDIUM	A comma-separated list to filter issues based on severity. Leave the value blank to indicate all severities.	Key: severity, Value: LOW, MEDIUM. This key and value combination only retrieves issues of low or medium severity.
Issue, Issue Definition	stackLayer	APPLICATION_AND_DATA, CI_CD, CLOUD_ENTITLEMENTS, CODE, COMPUTE_PLATFORMS, DATA_STORES, SECURITY_AND_IDENTITY	A comma-separated list to filter issues from a specified stack layer. Leave the value blank to indicate all stack layers.	Key: stackLayer, Value: ``. This key and value combination retrieves issues from all stack layers.
Issue, Issue Definition	status	IN_PROGRESS, OPEN, REJECTED, RESOLVED	A comma-separated list to filter issues by their status. Leave the value blank to indicate all statuses.	Key: status, Value: OPEN. This key and value combination only retrieves open issues.
Issue	type	CLOUD_CONFIGURATION, THREAT_DETECTION, TOXIC_COMBINATION	A comma-separated list of issue types. You can use this option to filter issues by their issue type, as determined by Wiz.	Key: type Value: THREAT_DETECTION,TOXIC_COMBINATION. This key and value combination only retrieves issues with the specified type.

Vulnerability Definition

Table 17: Vulnerability Definition operation options

Connector Object	Option	All Possible Values	Description	Example
Vulnerability Definition	assetHasAdminPrivileges	true or false	Filter vulnerabilities for assets with or without admin privileges.	Key: assetHasAdminPrivileges, Value: true. This key and value combination only retrieves vulnerabilities for assets with admin privileges.
	assetHasHighPrivileges	true or false	Filter vulnerabilities for assets with or without high privileges.	Key: assetHasHighPrivileges, Value: false. This key and value combination only retrieves vulnerabilities for assets without high privileges.
	assetId	Any number identifying an asset.	Filter vulnerabilities by the asset ID. Leave the value blank to indicate all asset IDs.	Key: assetId, Value: 1234. This key and value combination only retrieves vulnerabilities for asset ID 1234.
	assetStatus	Active, Error, Inactive	Filter vulnerabilities for assets with the specified status. Leave the value blank to indicate all asset statuses.	Key: assetStatus, Value: Active. This key and value combination only retrieves vulnerabilities from active assets.
	assetType	CONTAINER, CONTAINER_IMAGE, SERVERLESS, VIRTUAL_MACHINE	A comma-separated list to filter vulnerabilities by the asset type. Leave the value blank to indicate all asset types.	Key: assetType, Value: CONTAINER, SERVERLESS. This key and value combination only retrieves vulnerabilities for the CONTAINER and SERVERLESS asset type.
	containerRegistry	Any name identifying a container registry.	Filter vulnerabilities associated with the specified container registry.	Key: containerRegistry, Value: ECR. This key and value combination only retrieves vulnerabilities related to the AWS Elastic Container Registry (ECR).
	containerRepository	Any name identifying a container repository.	Filter vulnerabilities associated with the specified container repository.	Key: containerRepository, Value: Azure Container Repository. This key and value combination only retrieves vulnerabilities in the Azure Container Repository.
	detectionMethod	DEFAULT_PACKAGE, FILE_PATH, INSTALLED_PROGRAM, INSTALLED_PROGRAM_BY_SERVICE, LIBRARY, OS, PACKAGE	A comma-separated list to filter vulnerabilities found by the specified detection method. Leave the value blank to indicate all detection methods.	Key: detectionMethod, Value: FILE_PATH. This key and value combination only retrieves vulnerabilities detected through file paths.
	hasCisaKevExploit	true or false	Filter vulnerabilities with or without an available Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) exploit.	Key: hasCisaKevExploit, Value: true. This key and value combination only retrieves vulnerabilities with a CISA KEV exploit.
	hasExploit	true or false	Filter vulnerabilities with or without an available exploit.	Key: hasExploit, Value: false. This key and value combination only retrieves vulnerabilities without an exploit.
	hasFix	true or false	Filter vulnerabilities with or without an available fix.	Key: hasFix, Value: true. This key and value combination only retrieves vulnerabilities with a fix.
	isAssetOpenToAllInternet	true or false	Filter vulnerabilities for assets by whether they are publicly accessible over the internet.	Key: isAssetOpenToAllInternet, Value: true. This key and value combination only retrieves vulnerabilities for assets that are accessible over the internet.
	isBaseLayer	true or false	Filter vulnerabilities for container images by whether they are attributed to a base image.	Key: isBaseLayer, Value: false. This key and value combination only retrieves vulnerabilities for container images that aren't attributed to a base image.
	isScannedFromRegistry	true or false	Filter vulnerabilities by whether they are scanned from a container registry.	Key: isScannedFromRegistry, Value: true. This key and value combination only retrieves vulnerabilities they are scanned from a container registry.
	projectId	Any number identifying a project.	Filter vulnerabilities associated with the specified project ID. Leave the value blank to indicate all project IDs.	Key: projectId, Value: 1234. This key and value combination only retrieves vulnerabilities for project ID 1234.
	reportName	Any name identifying a report.	Filter vulnerabilities matching the specified report name.	Key: reportName, Value: Report A. This key and value combination only retrieves vulnerabilities from Report A.
	status	OPEN, REJECTED, RESOLVED	A comma-separated list to filter vulnerabilities by their status. Leave the value blank to indicate all statuses.	Key: status, Value: RESOLVED. This key and value combination only retrieves resolved vulnerabilities.
	subscriptionExternalId	AWS Account, Azure Subscription, GCP Project, OCI Compartment	A comma-separated list to filter vulnerabilities by their associated external subscription ID. Leave the value blank to indicate all external subscription IDs.	Key: subscriptionExternalId, Value: AWS Account. This key and value combination only retrieves vulnerabilities associated with the AWS Account.
	validatedInRuntime	true or false	Filter vulnerabilities by whether they have been validated in runtime.	Key: validatedInRuntime, Value: true. This key and value combination only retrieves vulnerabilities that have been validated in runtime.
	vendorSeverity	CRITICAL, HIGH, LOW, MEDIUM, NONE	A comma-separated list to filter vulnerabilities by their vendor severity. Leave the value blank to indicate all vendor severities.	Key: vendorSeverity, Value: HIGH. This key and value combination only retrieves vulnerabilities deemed high severity by the vendor.

note

The option keys and possible values are case-sensitive as they are shown in this documentation.

APIs

The Wiz connector uses the Wiz API. Specifically, it executes the following GraphQL queries to retrieve data:

Table 18: Wiz API GraphQL queries

Connector Object	GraphQL Query
Backup Service	Reports GraphQL queries
Bucket	Reports GraphQL queries
CI/CD Service	Reports GraphQL queries
Compute Instance Group	Reports GraphQL queries
Configuration Finding	Cloud Configuration Findings GraphQL queries
Container	Reports GraphQL queries
Container Image	Reports GraphQL queries
Container Registry	Reports GraphQL queries
Container Service	Reports GraphQL queries
Control	Cloud Configuration Findings GraphQL queries
Daemon Set	Reports GraphQL queries
Database Server	Reports GraphQL queries
Deployment	Reports GraphQL queries
Encryption Key	Reports GraphQL queries
File System Service	Reports GraphQL queries
Firewall	Reports GraphQL queries
Issue	Issue GraphQL queries
Issue Definition	Issue GraphQL queries
Kubernetes Cluster	Reports GraphQL queries
Raw Access Policy	Reports GraphQL queries
Resource Group	Reports GraphQL queries
Serverless	Reports GraphQL queries
Storage Account	Reports GraphQL queries
Subscription	Reports GraphQL queries
Virtual Machine	Reports GraphQL queries
Virtual Machine Image	Reports GraphQL queries
Virtual Network	Reports GraphQL queries
Vulnerability	Reports GraphQL queries Vulnerability GraphQL query
Vulnerability Definition	Reports GraphQL queries Vulnerability GraphQL query Vulnerability Definition GraphQL query
Web Service	Reports GraphQL queries

Cloud Configuration Finding queries

Click to expand

The following query retrieves information about cloud configuration findings:

query CloudConfigurationFindingsPage($filterBy: ConfigurationFindingFilters, $first: Int, $after: String, $orderBy: ConfigurationFindingOrder) {  
  page: configurationFindings(filterBy: $filterBy, first: $first, after: $after, orderBy: $orderBy) {  
    nodes {  
      id  
      targetExternalId  
      deleted  
      targetObjectProviderUniqueId  
      firstSeenAt  
      severity  
      result  
      status  
      remediation  
      resource {  
        id  
        providerId  
        name  
        nativeType  
        type  
        region  
        subscription {  
          id  
          name  
          externalId  
          cloudProvider  
        }  
        projects {  
          id  
          name  
          riskProfile {  
            businessImpact  
          }  
        }  
        tags {  
          key  
          value  
        }  
      }  
      rule {  
        id  
        graphId  
        name  
        description  
        remediationInstructions  
        functionAsControl  
      }  
      securitySubCategories {  
        id  
        title  
        category {  
          id  
          name  
          framework {  
            id  
            name  
          }  
        }  
      }  
      ignoreRules {  
        id  
        name  
        enabled  
        expiredAt  
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
  }  
}

Issue GraphQL queries

Click to expand

The following query retrieves information about issue and issue definition:

query issueFindings($filterBy: IssueFilters, $first: Int, $after: String $orderBy: IssueOrder) {  
  page: issuesV2(filterBy: $filterBy, first: $first, after: $after, orderBy: $orderBy) {  
    nodes {  
      id  
      status  
      severity  
      type  
      openReason  
      resolutionReason  
      suggestions  
      resolvedAt  
      createdAt  
      updatedAt  
      dueAt  
      statusChangedAt  
      rejectionExpiredAt  
      sourceRule {  
        __typename  
        ... on Control {  
          id  
          name  
          description  
          severity  
          resolutionRecommendation  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
        ... on CloudEventRule {  
          id  
          name  
          description  
          sourceType  
          type  
          cloudEventRuleSeverity: severity  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
        ... on CloudConfigurationRule {  
          id  
          name  
          description  
          remediationInstructions  
          serviceType  
          severity  
          securitySubCategories {  
            id  
            title  
            category {  
              id  
              name  
              framework {  
                id  
                name  
              }  
            }  
          }  
        }  
      }  
      entity: entitySnapshot {  
        id  
        type  
        nativeType  
        name  
        status  
        cloudPlatform  
        cloudProviderURL  
        providerId  
        region  
        resourceGroupExternalId  
        subscriptionExternalId  
        subscriptionName  
        subscriptionTags  
        tags  
        externalId  
      }  
      projects {  
        id  
        name  
        description  
        slug  
        businessUnit  
        riskProfile {  
          businessImpact  
        }  
      }  
      serviceTickets {  
        id  
        externalId  
        name  
        url  
      }  
      notes {  
        id  
        createdAt  
        updatedAt  
        text  
        user {  
          id  
          name  
          email  
        }  
        serviceAccount {  
          id  
          name  
          type  
        }  
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
  }  
}

Reports GraphQL queries

Click to expand

The first query retrieves data for the Backup Service, Bucket, CI/CD Service, Compute Instance Group, Container, ContainerImage, Container Registry, Container Service, Daemon Set, Database Server, Deployment, Encryption Key, File System Service, Firewall, Kubernetes Cluster, Raw Access Policy, Resource Group, Serverless, Storage Account, Subscription, Virtual Machine Image, Virtual Network, Vulnerability, Vulnerability Definition, or Web Service connector objects from the reports endpoint. The rest of the queries create a report and generates the URL to download the report:

query ReportsSearch($filterBy: ReportFilters, $first: Int, $after: String) {
  page: reports(first: $first, after: $after, filterBy: $filterBy) {
    nodes {
      id
      name
      createdBy {
        id
        email
      }
      lastRun {
        id
        runAt
      }
      lastSuccessfulRun {
        id
        runAt
      }
      type {
        id
        name
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}

mutation CreateReport($input: CreateReportInput!) { 
  operation: createReport(input: $input) { 
    node: report { 
      id 
    } 
  } 
} 

mutation RerunReport($reportId: ID!) { 
  operation: rerunReport(input: {id: $reportId}) { 
    node: report { 
      id 
    } 
  } 
}

query ReportDownloadUrl($reportId: ID!) { 
  node: report(id: $reportId) { 
    id
    name 
    lastRun { 
      id 
      url 
      status 
    } 
  } 
}

Vulnerability GraphQL query

Click to expand

The following query retrieves information about vulnerabilities:

query vulnerabilityFindings($filterBy: VulnerabilityFindingFilters, $first: Int, $after: String) {  
  page: vulnerabilityFindings(filterBy: $filterBy, first: $first, after: $after) {  
    nodes {  
      id  
      name  
      detailedName  
      CVEDescription  
      CVSSSeverity  
      vendorSeverity  
      score  
      exploitabilityScore  
      impactScore  
      description  
      remediation  
      link  
      locationPath  
      detectionMethod  
      version  
      fixedVersion  
      portalUrl  
      firstDetectedAt  
      lastDetectedAt    
      vulnerableAsset {  
        ... on VulnerableAssetBase {  
          id
          providerUniqueId
          type
          name  
        }
      }  
    }  
    pageInfo {  
      hasNextPage  
      endCursor  
    }  
    totalCount  
  }  
}

Vulnerability Definition GraphQL query

Click to expand

The following query retrieves information about vulnerability definition:

query VulnerabilityDefinitions($filterBy: VulnerabilityFilters, $first: Int, $after: String) { 
  page: vulnerabilities(filterBy: $filterBy, first: $first, after: $after) { 
    nodes { 
      affectedTechnologies { 
        id 
        name 
      } 
      baseScore 
      cisaKevDueDate 
      cisaKevReleaseDate 
      cvssv2 { 
        attackComplexity 
        attackVector 
        confidentialityImpact 
        integrityImpact 
        privilegesRequired 
        userInteractionRequired 
      } 
      cvssv3 { 
        attackComplexity 
        attackVector 
        confidentialityImpact 
        integrityImpact 
        privilegesRequired 
        userInteractionRequired 
      } 
      description 
      exploitabilityScore 
      exploitable 
      externalId 
      hasCisaKevExploit 
      id 
      name 
      publishedAt 
      severity 
      sourceFeeds { 
        id 
        name 
        url 
      } 
      sourceUrl    
    }
    pageInfo { 
      endCursor 
      hasNextPage 
    } 
    totalCount 
  } 
} 

Changelog

The Wiz connector has undergone the following changes:

Table 19: Wiz connector changelog

Version	Description
3.3.7	- Added the ADDITIONAL_IDS attribute to the API Gateway object. - Added the CLUSTER_EXTERNAL_ID and CLUSTER_NAME attributes to the Container object to support Kubernetes context.
3.3.6	- Added a new operation option for the Issue object to filter by issue type: type. - Added the CATEGORIES attribute to the Issue object. - Added support for ticketing information from Wiz to help prevent duplicate ticket creation and improve issue tracking. As a result, the following attributes were added to the Issue object: TICKET_EXTERNAL_ID TICKET_ID TICKET_NAME TICKET_URL
3.3.5	Fixed an issue where the TARGETS attribute on the Vulnerability object included empty string values. The connector now prevents empty values from being added to the targets list.
3.3.4	Fixed an issue where configuration findings were not correctly associating with assets. The connector now imports RESOURCE_EXTERNAL_ID and RESOURCE_PROVIDER_ID on the Configuration Finding object to establish proper relationships between findings and their associated assets.
3.3.3	Fixed an issue where the connector was incorrectly mapping IP addresses and private DNS names to both the IP_ADDRESSES and PRIVATE_IP_ADDRESSES attributes on the Virtual Machine object. The connector now properly distinguishes between these attributes.
3.3.2	- The Configuration Finding object is no longer required and now maps to Violation. - Added the RECOMMENDATION, TARGETS, and TYPE attributes to the Configuration Finding object.
3.3.1	The connector now retrieves the Configuration Finding object from Wiz.
3.3.0	- The connector now retrieves the Control object from Wiz. - Replaced the deprecated vulnerabilityParams.type attribute on the Vulnerability object with columnSelection for Vulnerability reports.
3.2.6	The connector now retrieves the Secret Container object from Wiz.
3.2.5	Fixed an issue where attributes from Wiz were not being mapped correctly to the Host data model.
3.2.4	Added the NAME attribute to the Vulnerability Definition object.
3.2.3	Code clean up and general maintenance to help improve error handling.
3.2.2	Fixed an issue where the Issue and Issue Definition object syncs were failing.
3.2.1	Fixed an issue where the Resource Group and Storage Account object syncs were failing due to an "Empty header line: cannot bind data" error.
3.2.0	Enhanced the Vulnerability object sync process to improve efficiency by using regular reports with the updateAt date filter, as recommended by Wiz. The Wiz connector now retrieves all vulnerabilities with detection support via the GraphQL API, rather than creating vulnerability definitions from vulnerability data.
3.1.18	Code clean up and maintenance.
3.1.17	- Fixed an issue where the Issue and Issue Definition object syncs were failing. - Added the SOURCE_SEVERITY_SCORE attribute to the Vulnerability object. - Code clean up and maintenance.
3.1.16	- Added remediation instructions to the Issue Definition object. - Addressed a potential NullPointerException (NPE) on the Issue object.
3.1.15	Enhanced the method for retrieving vulnerability status by splitting "New" from "Active" status. The Wiz connector now uses the FIRST_SEEN_AT filter for "New" vulnerabilities and the UPDATED_AT filter for "Active" vulnerabilities to ensure more accurate reporting.
3.1.14	Added the IS_CONTAINER_HOST attribute to the Virtual Machine object.
3.1.13	No change.
3.1.12	Fixed an issue where the CVSS_V2_BASE_SCORE and CVSS_V3_BASE_SCORE attributes on the Vulnerability Definition object were not populating.
3.1.11	Revised the logic of getting asset type information from the source data.
3.1.10	- Updated to fetch vmId as the Instance ID for Azure assets. - Switched the order of adding attributes to allow native or specific attributes to take higher precedence. - Updated dependencies.
3.1.9	- Fixed an issue where an Empty header line error occurred when reports returned by Wiz were empty. - Fixed an issue related to the Missing 1 header column: ["uid"] error.
3.1.8	Added a new setting to configure maximum retries.
3.1.7	- Updated to the new Wiz logo. - Enhanced handling for missing UID in objects retrieved from Wiz.
3.1.4	- Started retrieving the image name for Container Image objects. - Started mapping provider ID to the TARGETS attribute on the Issue object.
3.1.1	Added more connector objects, such as Database Server, Issue, and Issue Definition.
3.1.0	Initial Integration+ release.