Overview
About Wiz
Wiz scans every layer of cloud environments without agents to provide complete visibility into every technology running in the client’s cloud without blind spots. Wiz connects via API to AWS, Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, Openshift, and Kubernetes across virtual machines, containers, and serverless.
Why integrate Wiz into the Vulcan Platform?
The Wiz connector by Vulcan integrates with the Wiz platform to pull and ingest asset inventory and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform correlates, consolidates, and contextualizes the ingested data to impact risk and remediation priority. Read more here.
Connector details
Category: Vulnerability Assessment
Ingested asset types: Hosts, Images, and Cloud Resources
Prerequisites and User Permissions
Make sure you have the following:
Wiz Service Account with the following permissions: create:reports, read:reports, update:reports, and read:vulnerabilities.
Wiz API Endpoint URL, e.g. https://api.eu1.app.wiz.io.
Wiz Client ID and Client Secret.
User with access to all Wiz projects if all projects are to be fetched. If not, a user with access to the relevant projects is required. You can insert the IDs of the projects you wish to fetch in the Wiz Connector setup page on the Vulcan Platform.
Configuring the Wiz Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Wiz icon.
Set up the connector as follows:
Enter the Wiz Server URL, Auth URL, Client ID, and Client Secret. Instructions for retrieving this information are available in the Wiz gated documentation portal.
To get your Server URL, in the Wiz portal, click on the user icon > User settings, and copy the API Endpoint URL (https://api.<region>.app.wiz.io).
Auth URL:
For Wiz gov tenants - https://auth.gov.wiz.io
For regular tenants - https://auth.app.wiz.io
Insert the IDs of the projects you want to fetch (up to 5), separated by commas. If you wish to fetch all projects, leave this field empty.
Select the Wiz authentication method.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Wiz instance, then click Create (or Save Changes).
The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.
Allow some time for the sync to complete. You can review the sync status under Log.
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
To confirm the sync is complete, navigate to the Connectors tab to check the sync status. Once the Wiz icon shows Connected, the connection is complete.
From Wiz to the Vulcan Platform - Fields Mapping
Connector Fields Mapping - Hosts
Wiz field | Vulcan field / mapping info |
Asset name + Provider ID Asset Name + Unique ID | Asset uniqueness criteria |
Name | Asset name |
Cloud native JSON | Asset details |
Hosts | Asset type |
IP Addresses (Wiz JSON) | IP |
Operating System (Wiz JSON) | OS |
Creation date (WIZ JSON) | Created date |
Connector's last sync date | Last seen date |
Network interface - MAC address from cloud JSON | Multiple Mac Addresses |
Detailed Name (vuln report) | Packages |
Wiz tags | Asset Tags by vendor |
cloud platform | Asset Tags (additional) |
detailed name (package) and version | Vulnerability instance uniqueness criteria |
First Detected | Vulnerability instance first seen |
Last Detected | Vulnerability instance last seen |
CVE score | Vulnerability instance score |
Location path | Vulnerability instance location path |
Vulnerability name | Unique vulnerability uniqueness criteria |
Vulnerability name | Vulnerability title |
CVE score | Vulnerability score |
Description | Vulnerability description |
CVE Description | Vulnerability details |
'Vulnerable' when fetched | Vulnerability instance status* |
CVE | CVE/S |
Technical score | Risk Calculation |
Wiz recommended solution | Fix title |
Remediation FixedVersion | Fix Description |
Location path Wiz URL, score, impact score, Location path, version, detectionMethod, providerUniqueID, CloudProviderURL, CloudPlatform, Vulnerability tags, HasExploit, HasCisaKevExploit, exploitability score, vendor severity, project | Asset - Vulnerability instance connection (info tooltip) |
Connector Fields Mapping - Images
Wiz field | Vulcan field/mapping info |
Asset name + Provider ID Asset Name + Unique ID | Asset uniqueness criteria |
Name | Asset name |
Cloud native JSON | Asset details |
Images - Wiz container images | Asset type |
RepoExternalID (WIZ JSON) | Repository |
Images | Repository type |
Operating System (Wiz JSON) | OS |
Operating System (Wiz JSON) | OS Version |
digest | Path location |
Creation date (WIZ JSON) | Created date |
Connector's last sync date | Last seen |
Wiz tags | Asset Tags by vendor |
cloud platform | Asset Tags (additional) |
detailed name | Component name |
detailed version | Component type |
Active | Asset status |
Vulnerability name | Unique vulnerability uniqueness criteria |
Vulnerability name | Vulnerability title |
CVE score | Vulnerability score |
CVE Description | Vulnerability description |
Wiz URL, CVSS Severity, score, impact score, Location path, version, detectionMethod, providerUniqueID, CloudProviderURL, CloudPlatform, Vulnerability tags, reference link | Vulnerability details |
'Vulnerable' when fetched | Vulnerability instance status* |
CVE | CVE/S |
Wiz recommended solution | Fix title |
Remediation | Fix Description |
Location path Wiz URL, score, impact score, Location path, version, detectionMethod, providerUniqueID, CloudProviderURL, CloudPlatform, Vulnerability tags, HasExploit, HasCisaKevExploit, exploitability score, vendor severity, project | Asset - Vulnerability instance connection (info tooltip) |
Connector Fields Mapping - Cloud Resources
Wiz Field | Vulcan Field |
Asset name + Provider ID Asset Name + Unique ID | Asset uniqueness criteria |
Serverless inventory name | Asset name |
Provider ID | Resource ID |
Cloud Platform | Cloud (provider) |
Cloud Native JSON | Asset details |
Cloud Resources | Asset type |
Wiz tags | Asset tags - vendor's tags |
cloud platform | Asset tags - additional |
Created date (WIZ JSON) | Created date |
Connector's last sync date | Last seen |
Detailed name (package) and version | Vulnerability instance uniqueness criteria |
FirstDetected | Vulnerability instance first seen |
LastDetected | Vulnerability instance last seen |
CVE score | Vulnerability instance score |
Location path | Vulnerability instance location path |
Vulnerability name | Unique vulnerability uniqueness criteria |
Vulnerability name | Vulnerability title |
Description | Vulnerability description |
CVEDescription, affected packages - Detailed name, CVSS Severity, fixed version, reference link | Vulnerability details |
'Vulnerable' when fetched | Vulnerability instance status* |
CVE | CVE/S |
Wiz recommended solution | Fix title |
Remediation | Fix description |
Location path Wiz URL, score, impact score, Location path, version, detectionMethod, providerUniqueID, CloudProviderURL, CloudPlatform, Vulnerability tags, HasExploit, HasCisaKevExploit, exploitability score, vendor severity, project | Assets-Vulnerability instance connection (info tooltip) |
Vulnerability status mapping
Wiz Status | Vulcan Status |
*All imported data is vulnerable | Vulnerable |
*When a vulnerability instance is not imported, it is considered as fixed | Fixed |
Vulnerability score mapping
Vulcan imports the CVSS of the vulnerabilities.
Notes:
Archived assets are assets that weren't fetched into the Vulcan Platform on the last sync with Wiz.
*Vulnerability status is updated to "Fixed" on the Vulcan Platform once the vulnerability is marked as fixed on Wiz. Fetched vulnerabilities are 'vulnerable' vulnerabilities.
Support and Expected Behavior
Support and expected behavior remarks on some Wiz connector ingested vs. un-ingested fields:
Data Import using CSV Reports:
Inventory (assets): The connector imports data for VMs, container images, and serverless assets.
Vulnerabilities: Connected vulnerabilities are also imported.
Asset Mapping and Enrichment:
Mapping: Assets are mapped into Vulcan based on their presence in the Wiz vulnerability report.
Enrichment: Vulcan’s asset data is enriched using the Wiz inventory report. If an asset from the Wiz vulnerability report does not exist in the inventory report, it will appear with limited information derived from the vulnerability report.
Project Selection:
Selective Syncing: The connector allows syncing of up to 5 selected Wiz projects instead of all available Wiz projects.
Configuration: The IDs of the selected projects must be provided as user input on the connector’s configuration page.
5 Projects Selection:
The user can specify up to 5 Wiz project IDs for syncing.
Only data from these specified projects will be imported and processed.
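The status and mapping rules above (imported instances are Vulnerable, instances missing from a sync count as Fixed, assets come from the vulnerability report and are enriched from the inventory report) can be modelled as below. This is an added example, not Vulcan's or Wiz's code; the row layout, field names and sample values are constructed for illustration.

```python
# Added illustration of the sync semantics described on this page.
# Row layout and field names are constructed; they are not Wiz's or Vulcan's schema.

def asset_key(row):
    # Asset uniqueness criteria: asset name + provider ID.
    return (row["asset_name"], row["provider_id"])

def instance_key(row):
    # Instance uniqueness criteria: detailed name (package) and version,
    # scoped here (assumption) to the asset and the vulnerability name.
    return asset_key(row) + (row["vuln_name"], row["package"], row["version"])

def reconcile(previous, vuln_report, inventory):
    """previous: set of instance keys from the prior sync.
    Returns (assets, statuses, archived_asset_keys)."""
    inv = {asset_key(r): r for r in inventory}
    assets, statuses = {}, {}
    for row in vuln_report:
        key = asset_key(row)
        details = inv.get(key)  # enrichment source; may be missing
        assets[key] = {"name": row["asset_name"],
                       "os": details["os"] if details else None,
                       "limited_info": details is None}
        statuses[instance_key(row)] = "Vulnerable"  # all imported data is Vulnerable
    for key in previous - set(statuses):
        statuses[key] = "Fixed"  # not imported on this sync
    archived = {k[:2] for k in previous} - set(assets)
    return assets, statuses, archived

# Constructed sample data (placeholder CVE IDs and provider IDs).
PREVIOUS = {
    ("web-1", "i-aaa", "CVE-0000-0001", "openssl", "1.1.1"),
    ("db-1", "i-bbb", "CVE-0000-0002", "zlib", "1.2.11"),
}
VULN_REPORT = [
    {"asset_name": "web-1", "provider_id": "i-aaa", "vuln_name": "CVE-0000-0001",
     "package": "openssl", "version": "1.1.1"},
    {"asset_name": "fn-1", "provider_id": "arn-ccc", "vuln_name": "CVE-0000-0003",
     "package": "requests", "version": "2.0.0"},
]
INVENTORY = [{"asset_name": "web-1", "provider_id": "i-aaa", "os": "Ubuntu 22.04"}]

if __name__ == "__main__":
    assets, statuses, archived = reconcile(PREVIOUS, VULN_REPORT, INVENTORY)
    for key, status in sorted(statuses.items()):
        print(status, key)
    print("archived:", archived)
```

In this model, an instance that drops out of the import for any reason, including its project no longer being among the selected project IDs, ends up as Fixed, so a jump in Fixed counts after a scope change is worth checking against Wiz.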
Viewing Wiz vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Connector is Wiz.
You can add more filters to narrow down your search further.
See the complete list of available vulnerability filters.
Click on a vulnerability for more vulnerability details.
Viewing Wiz assets in the Vulcan Platform
Viewing assets by Connector for users with the new platform view (Asset Hub):
Go to the Assets page.
Click on "Filter" and specify the condition as "Assets > Connector is Wiz".
Viewing assets by Connector for users with the older platform view:
Go to the Assets page.
Choose the relevant asset type tab.
Click on "Filter" and specify the condition as "Assets > Connector is Wiz".
You can add more filters to narrow down your search further.
See the complete list of available asset filters.
Click on any asset for more asset details.
Automating remediation actions on vulnerabilities detected by Wiz
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.