Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

Click on 'How to connect' on the Connector's setup page to open the right guide for your setup and version, ensuring accuracy and relevance.

Overview

About Wiz Issues

Wiz scans every layer of cloud environments without agents to provide complete visibility into every technology running in the client’s cloud without blind spots. Wiz connects via API to AWS, Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, Openshift, and Kubernetes across virtual machines, containers, and serverless.

Why integrate Wiz Issues into the Vulcan platform?

The Wiz Issues by Vulcan integrates with the Wiz platform to pull and ingest Host, Image, and Cloud assets and their associated vulnerability-type issues into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Wiz Issue Conenctor Details

Supported products	Wiz Issues
Category	Cloud
Ingested asset type(s)	Hosts Images Cloud Resources
Integration type	UNI directional (data is transferred from the Connector to the Vulcan Platform in one direction)
Supported version and type	SaaS (latest)
Inventory supported assets	`VIRTUAL_MACHINE, CONTAINER_IMAGE, SERVERLESS` Issues - all issues with the supported asset types.

Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

A Wiz service account with the following access permissions:
- create:reports
- delete:reports
- update:reports
- read:reports
- read:issues
- write:reports
The authentication credentials for that service account.
Your Wiz issues URL: https://api.usXX.app.wiz.io (or https://api.usXX.app.wiz.io/graphql).
Read more about Wiz Endpoint URLs

Configuring the Wiz Issues Connector

Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Wiz Issues icon.
Set up the Connector as follows:
- Enter your Wiz account's Server URL, Auth URL, Client ID, and Client secret.
Select the relevant authentication method (Amazon Cognito or. Legacy Auth0).
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Wiz instance, then click Create (or Save Changes).
The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Wiz Issues icon shows Connected, the sync is complete.

Wiz Issues in the Vulcan Platform

Viewing Wiz Issues vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector:

Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Connector is Wiz Issues.
- You can add more filters to narrow down your search further.
  See the complete list of available vulnerability filters.
- Click on a vulnerability for more vulnerability details.

Viewing Wiz Issues assets in the Vulcan Platform

Viewing assets by Connector for users with the new platform view (Asset Hub):

Go to the Assets page.
Click on "Filter " and specify the condition as "Assets > Connector is Wiz Issues".

Viewing assets by Connector for users with the older platform view:

Go to the Assets page.
Choose the relevant asset type tab.
Click on "Filter" and specify the condition as "Assets > Connector is Wiz Issues"

You can add more filters to narrow down your search further.
See the complete list of available asset filters.

Click on any asset for more asset details.

Taking Action on vulnerabilities/issues and assets detected by Wiz Issues

To take remediation action on vulnerabilities and assets detected by Wiz Issues:

Go to the Vulnerabilities or Assets Page.
Use the Filter to filter vulnerabilities by the Wiz Issues connector and display all synced vulnerabilities/assets and their associated assets/vulnerabilities.
Select the relevant vulnerabilities/assets from the results list.
Click on Take Action to proceed with remediation or further actions.

Automating remediation actions on vulnerabilities detected by Wiz Issues

Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.

From Wiz Issues to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Wiz through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Inventories ingested: VIRTUAL_MACHINE, CONTAINER_IMAGE, SERVERLESS
All issue types are ingested into the Vulcan Platform

Host fields mapping

Wiz issues field	Vulcan field
Name Provider ID Wiz JSON Object.common.cloudProviderURL Wiz JSON Object.common.subscriptionExternalId or entitySnapshot.name entitySnapshot.providerId entitySnapshot.cloudProviderURL entitySnapshot.subscriptionExternalId	Uniqueness criteria
Name	Asset Name
Projects Provider ID Wiz External ID Cloud Platform Subscription Subscription ID Region Resource Type Native Type Public DNS name (Cloud json)	Asset details
Hosts	Asset type
asset['Wiz JSON Object'].ipAddresses or IpAddresses	IP
asset['Wiz JSON Object'].operatingSystem or OperatingSystem	OS
common.creationDate or image.common.creationDate or image.common.originalObject.CreationDate	Created date(first_seen)
Last connector’s sync date.	Last seen date
asset['Cloud Native JSON'].NetworkInterfaces.MacAddress	Multiple mac addresses
Tags	Asset Tags - Vendor’s tags
Projects cloud_platform Region Subscription Subscription ID Image Source Image Name isPublic isEphemeral	Asset Tags - Additional
id	Vulnerability instance uniqueness criteria
First connector sync date.	Vulnerability instance first seen
Last connector sync date.	Vulnerability instance Last seen
By status: RESOLVED. in cases the connector has a relevant vulnerability status which indicate that the Vulnerability is fixed. Non delta - if the vulnerability wasn’t fetched again on the connector’s sync it will be moved to fixed delta - move to fix according to status change to fix on the vendor First fetch Kernel running	Vulnerability instance Fixed mechanism
sourceRule.name	Unique vulnerability uniqueness criteria
sourceRule.name	Vulnerability title
severity	Vulnerability score
sourceRule.controlDescription or sourceRule.cloudEventRuleDescription or sourceRule.cloudConfigurationRuleDescription	Vulnerability description
Source Rule ID Source Rule Control	Vulnerability details
severity	CVSS
Fix for sourceRule.name	Fix title
sourceRule.resolutionRecommendation or sourceRule.remediationInstructions	Fix description
Severity Status Created At Updated At Issue ID Service Tickets Notes Due At WizURL	Asset - Vulnerability instance connection (info tool tip)

Image fields mapping

Wiz issues field	Vulcan field
Name Provider ID Wiz JSON Object.common.cloudProviderURL Wiz JSON Object.common.subscriptionExternalId or entitySnapshot.name entitySnapshot.providerId entitySnapshot.cloudProviderURL entitySnapshot.subscriptionExternalId	Uniqueness criteria
AssetName or Name	Asset Name
Projects Provider ID Wiz External ID Cloud Platform Subscription Subscription ID Region Resource Type Native Type Public DNS name (Cloud json)	Asset details
Images - Wiz Container Images	Asset type
Images	Repo type
asset['Wiz JSON Object'].operatingSystem	OS
asset['Wiz JSON Object'].operatingSystem	OS version
asset['Wiz JSON Object'].repoExternalId	Path location
Tags	Asset Tags - Vendor’s tags
Projects cloud_platform Region Subscription Subscription ID Image Source	Asset Tags - Additional
Last connector’s sync date.	Last seen
common.creationDate or image.common.creationDate or image.common.originalObject.CreationDate	Creation date(first_seen)
id	Vulnerability instance uniqueness criteria
By status: RESOLVED. in cases the connector has a relevant vulnerability status which indicate that the Vulnerability is fixed. Non delta - if the vulnerability wasn’t fetched again on the connector’s sync it will be moved to fixed delta - move to fix according to status change to fix on the vendor First fetch Kernel running	Vulnerability instance Fixed mechanism
sourceRule.name	Unique vulnerability uniqueness criteria
sourceRule.name	Vulnerability title
severity	Vulnerability score
sourceRule.controlDescription orsourceRule.cloudEventRuleDescription orsourceRule.cloudConfigurationRuleDescription	Vulnerability description
Source Rule ID Source Rule Control	Vulnerability details
severity	CVSS
sourceRule.name	Fix title
sourceRule.resolutionRecommendation or sourceRule.remediationInstructions	Fix descriptions
Severity Status Created At Updated At Issue ID Service Tickets Notes Due At WizURL	Asset - Vulnerability instance connection (info tooltip)

Cloud Resource fields mapping

Wiz issues field	Vulcan field
Name Provider ID Wiz JSON Object.common.cloudProviderURL Wiz JSON Object.common.subscriptionExternalId or entitySnapshot.name entitySnapshot.providerId entitySnapshot.cloudProviderURL entitySnapshot.subscriptionExternalId	Uniqueness criteria
Name or entitySnapshot.name	Asset Name
Projects Cloud Platform Region Subscription Subscription ID Resource Type Native Type Provider ID Wiz External ID Role FunctionArn Kind Cloud Provider Url Runtime Status	Asset details
Cloud Resources	Asset type
Tags	Asset Tags - Vendor’s tags
Projects cloud_platform Region Subscription Subscription ID Image Source	Asset Tags - Additional
asset['Wiz JSON Object'].common.creationDate asset['Wiz JSON Object'].image.common.creationDate or asset['Wiz JSON Object'].image.common.originalObject.CreationDate	Created date
Last connector’s sync date.	Last seen
id	Vulnerability instance uniqueness criteria
By status: RESOLVED. in cases the connector has a relevant vulnerability status which indicate that the Vulnerability is fixed. Non delta - if the vulnerability wasn’t fetched again on the connector’s sync it will be moved to fixed delta - move to fix according to status change to fix on the vendor First fetch Kernel running	Vulnerability instance Fixed mechanism
sourceRule.name	Unique vulnerability uniqueness criteria
sourceRule.name	Vulnerability title
sourceRule.controlDescription or sourceRule.cloudEventRuleDescription or sourceRule.cloudConfigurationRuleDescription	Vulnerability description
Source Rule Control Source Rule ID	Vulnerability details
severity	CVSS
sourceRule.name	Fix title
sourceRule.resolutionRecommendation or sourceRule.remediationInstructions	Fix description
Severity Status Created At Updated At Issue ID Service Tickets Notes Due At WizURL	Assets-Vulnerability instance connection (info tooltip)

Vulnerability status mapping

Wiz Status	Vulcan Status
Vulnerable	if the status isn’t 'RESOLVED', it is considered 'vulnerable'.
Fixed	When vuln-instance is not imported, or the status is 'RESOLVED,' it is considered 'fixed.'
Ignored - false positive	-
Ignored risk acknowledged	-

Vulnerability score mapping

Wiz score	Vulcan score
CRITICAL	10
HIGH	8
MEDIUM	6
LOW	4
INFORMATIONAL	2

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).

The table below lists how the status update mechanism works in the Wiz Issues connector for the vulnerabilities and assets in the Vulcan Platform.

Update type in Vulcan	Mechanism (When?)
The asset is archived	- Asset not found on the Connector's last sync - Asset not seen for X days according to "Last Seen"
The vulnerability instance status changes to "Fixed"	- If the vulnerability no longer appears in the scan findings. - Vulnerability status on the Connector's side changes to 'RESOLVED'

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

Support and expected behavior

The unique ID of Wiz assets is not available in the findings workflow, where assets are fetched, issues are retrieved, and each issue is linked to a unique asset. Since the unique ID is absent from Wiz's Inventory reports, alternative asset fields are used as identifiers.

While this approach works in most cases, it may occasionally result in asset deduplication issues in rare edge cases.

API Endpoints in Use

API version: November 2022

API	Mutation/Query	Use in Vulcan	Permissions required
POST: {{ auth_url }}/oauth/token	-	Auth
POST: {{ server_url }}/graphql	CreateReport	Generate an asset report in the client environment.	create:reports
POST: {{ server_url }}/graphql	ReportDownloadUrl	Getting the url to download the report.	read:reports
GET: report_url	-	Getting the data in the report.
POST: {{ server_url }}/graphql	IssuesTable	Getting data about finding (assets, vulnerabilities and solutions).	read:issues

Data Validation

Matching assets count

Objective: Ensure that the number of assets in Wiz aligns with the assets displayed in Vulcan.

In Wiz:

Go to the Reports tab and select Create a Report.
Under the Inventory section, choose Cloud Resources.
Create an Inventory Report for each relevant resource type:
SERVERLESS
CONTAINER_IMAGE
VIRTUAL_MACHINE
- Scope: All resources
- Report type: Standard
- Format: Choose any format that allows you to count the records.
  No additional filters are required.

In Vulcan:

Go to the Assets tab.
Click on Filter, set Assets > Connector to Wiz Issues, and click Apply.
The filtered results will display the total number of merged assets from Wiz.

After applying the filter, you’ll see the exact number of Wiz assets reflected in Vulcan:

Validation If Asset Is Not Present:

If an asset does not appear in Vulcan, it may have been archived or is of an unsupported asset type.

Matching unique vulnerability count

Objective: Ensure that the number of unique vulnerabilities in Wiz matches the unique vulnerabilities displayed in Vulcan.

In Vulcan:

Navigate to the Vulnerabilities tab.
Click Filter and set Vulnerability > Source to Wiz Issues.
Select the All tab to view all unique vulnerabilities synced from Wiz.
Note the total number of unique vulnerabilities displayed.

Validation If vulnerability is not present:

No associated asset exists in Vulcan.
The vulnerability is tied to an unsupported asset type.
If severity-based filtering is used in the connector and the vulnerability’s severity was filtered out, it won’t appear in Vulcan.

Matching vulnerability instance count (findings)

Objective: Ensure that the number of vulnerability instances (findings) in Wiz matches what is shown in Vulcan.

In Wiz:

Go to the Findings tab.
Filter by resource type to include all supported asset types.
Set the status to Open or Unresolved to see active findings.

In Vulcan:

Go to the Vulnerabilities tab.
Click Filter and set Vulnerability > Source to Wiz Issues.
Select the All tab to view all synced findings.
Compare the number of findings in Vulcan to the count obtained from Wiz.

Validation If Connection Is Not Present:

The finding may relate to an unsupported asset type.
If severity-based filtering is applied and the finding’s severity is not included, it will not appear in Vulcan.

Wiz Connector

WhiteHat Connector (new revision)

Snyk Connector (new revision)

Acunetix 360 Connector (new revision)

Wiz Issues Connector (previous revision)