Overview
About Wiz Issues
Wiz scans every layer of cloud environments without agents to provide complete visibility into every technology running in the client’s cloud without blind spots. Wiz connects via API to AWS, Azure, GCP, OCI, Alibaba Cloud, VMware vSphere, OpenShift, and Kubernetes across virtual machines, containers, and serverless.
Why integrate Wiz Issues into the Vulcan platform?
The Wiz Issues Connector by Vulcan integrates with the Wiz platform to pull and ingest Host, Image, and Cloud assets and their associated vulnerability-type issues into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to inform risk and remediation priority.
Wiz Issues Connector Details
Supported products | Wiz Issues |
Category | Cloud |
Ingested asset type(s) | Hosts Images Cloud Resources |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
A Wiz service account with the following access permissions:
create:reports
delete:reports
update:reports
read:reports
read:issues
write:reports
The authentication credentials for that service account.
Your Wiz issues URL: https://api.usXX.app.wiz.io (or https://api.usXX.app.wiz.io/graphql).
Read more about Wiz Endpoint URLs.
Configuring the Wiz Issues Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Wiz Issues icon.
Set up the Connector as follows:
Select the relevant authentication method.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Wiz instance, then click Create (or Save Changes).
The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.
Inactive Assets: You can configure a Vulcan rule that defines when assets are considered inactive; Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Wiz Issues icon shows Connected, the sync is complete.
Wiz Issues in the Vulcan Platform
Viewing Wiz Issues vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Connector is Wiz Issues.
You can add more filters to narrow down your search further.
See the complete list of available vulnerability filters.
Click on a vulnerability for more vulnerability details.
Viewing Wiz Issues assets in the Vulcan Platform
Viewing assets by Connector for users with the new platform view (Asset Hub):
Go to the Assets page.
Click on "Filter" and specify the condition as "Assets > Connector is Wiz Issues".
Viewing assets by Connector for users with the older platform view:
Go to the Assets page.
Choose the relevant asset type tab.
Click on "Filter" and specify the condition as "Assets > Connector is Wiz Issues".
You can add more filters to narrow down your search further.
See the complete list of available asset filters.
Click on any asset for more asset details.
Taking Action on vulnerabilities/issues and assets detected by Wiz Issues
To take remediation action on vulnerabilities and assets detected by Wiz Issues:
Go to the Vulnerabilities or Assets Page.
Use the Filter to filter vulnerabilities by the Wiz Issues connector and display all synced vulnerabilities/assets and their associated assets/vulnerabilities.
Select the relevant vulnerabilities/assets from the results list.
Click on Take Action to proceed with remediation or further actions.
Automating remediation actions on vulnerabilities detected by Wiz Issues
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
From Wiz Issues to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Wiz through its API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.
Inventories ingested: VIRTUAL_MACHINE, CONTAINER_IMAGE, SERVERLESS
All issue types are ingested into the Vulcan Platform
Host fields mapping
Wiz field | Vulcan field |
Name External ID or entitySnapshot.name entitySnapshot.externalId | Uniqueness criteria |
Name | Asset Name |
Cloud native JSON | Asset details |
Hosts | Asset type |
asset['Wiz JSON Object'].ipAddresses or IpAddresses | IP |
asset['Wiz JSON Object'].operatingSystem or OperatingSystem | OS |
common.creationDate or image.common.creationDate or image.common.originalObject.CreationDate | Created date |
Last connector’s sync date. | Last seen date |
asset['Cloud Native JSON'].NetworkInterfaces.MacAddress | Multiple mac addresses |
id | Vulnerability instance uniqueness criteria |
First connector sync date. | Vulnerability instance first seen |
Last connector sync date. | Vulnerability instance Last seen |
sourceRule.name | Unique vulnerability uniqueness criteria |
sourceRule.name | Vulnerability title |
severity | Vulnerability score |
sourceRule.controlDescription or sourceRule.cloudEventRuleDescription or sourceRule.cloudConfigurationRuleDescription | Vulnerability description |
Source Rule ID Source Rule Control | Vulnerability details |
severity | CVSS |
sourceRule.name | Fix title |
sourceRule.resolutionRecommendation or sourceRule.remediationInstructions | Fix description |
Image fields mapping
Wiz field | Vulcan field |
Name External ID or entitySnapshot.name entitySnapshot.externalId | Uniqueness criteria |
AssetName or Name | Asset Name |
Projects Cloud Platform Region Subscription Subscription ID Resource Type Native Type Provider ID Wiz External ID Image Source | Asset details |
Images - Wiz Container Images | Asset type |
asset['Wiz JSON Object'].repoExternalId | Repository |
Images | Repo type |
asset['Wiz JSON Object'].operatingSystem | OS |
asset['Wiz JSON Object'].operatingSystem | OS version |
asset['Wiz JSON Object'].repoExternalId | Path location |
Tags.items() | Asset Tags - Vendor’s tags |
Project Cloud Platform Region Subscription Subscription ID Image Source | Asset Tags - Additional |
Last connector’s sync date. | Last seen |
common.creationDate or image.common.creationDate or image.common.originalObject.CreationDate | Creation date |
id | Vulnerability instance uniqueness criteria |
sourceRule.name | Unique vulnerability uniqueness criteria |
sourceRule.name | Vulnerability title |
severity | Vulnerability score |
description | Vulnerability description |
Source Rule ID Source Rule Control | Vulnerability details |
severity | CVSS |
sourceRule.name | Fix title |
sourceRule.resolutionRecommendation or sourceRule.remediationInstructions | Fix descriptions |
Severity Status Created At Updated At Issue ID Service Tickets Notes Due At WizURL | Asset - Vulnerability instance connection (info tooltip) |
Cloud Resource fields mapping
Wiz field | Vulcan field |
Name External ID or entitySnapshot.name entitySnapshot.externalId | Uniqueness criteria |
Name or entitySnapshot.name | Asset Name |
Projects Cloud Platform Region Subscription Subscription ID Resource Type Native Type Provider ID Wiz External ID Role FunctionArn Kind Cloud Provider Url Runtime | Asset details |
Cloud Resources | Asset type |
Tags.items() | Asset Tags - Vendor’s tags |
Project Cloud Platform Region Subscription Subscription ID | Asset Tags - Additional |
asset['Wiz JSON Object'].common.creationDate asset['Wiz JSON Object'].image.common.creationDate or asset['Wiz JSON Object'].image.common.originalObject.CreationDate | Created date |
Last connector’s sync date. | Last seen |
id | Vulnerability instance uniqueness criteria |
sourceRule.name | Unique vulnerability uniqueness criteria |
sourceRule.name | Vulnerability title |
sourceRule.controlDescription or sourceRule.cloudEventRuleDescription or sourceRule.cloudConfigurationRuleDescription | Vulnerability description |
Source Rule Control Source Rule ID | Vulnerability details |
severity | CVSS |
sourceRule.name | Fix title |
sourceRule.resolutionRecommendation or sourceRule.remediationInstructions | Fix description |
Severity Status Created At Updated At Issue ID Service Tickets Notes Due At WizURL | Assets-Vulnerability instance connection (info tooltip) |
Vulnerability status mapping
Wiz Status | Vulcan Status |
Vulnerable | If the status isn’t 'RESOLVED', it is considered 'vulnerable'. |
Fixed | When the vulnerability instance is not imported, or the status is 'RESOLVED', it is considered 'fixed'. |
Ignored - false positive | - |
Ignored risk acknowledged | - |
Vulnerability score mapping
Wiz score | Vulcan score |
CRITICAL | 10 |
HIGH | 8 |
MEDIUM | 6 |
LOW | 4 |
INFORMATIONAL | 2 |
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any are added).
The table below lists how the status update mechanism works in the Wiz Issues connector for the vulnerabilities and assets in the Vulcan Platform.
Update type in Vulcan | Mechanism (When?) |
The asset is archived | - Asset not found on the Connector's last sync - Asset not seen for X days according to "Last Seen" |
The vulnerability instance status changes to "Fixed" | - If the vulnerability no longer appears in the scan findings. - Vulnerability status on the Connector's side changes to 'RESOLVED' |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
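The score, status and status-update rules from the tables above, combined into one normalizer. This is an added example, not Vulcan's or Wiz's own code; the record layout, the output key names, the `OPEN` status value and the sample issues are assumptions constructed for illustration.

```python
# Field names follow the mapping tables; the dict layout and output keys are assumed.
SCORE = {"CRITICAL": 10, "HIGH": 8, "MEDIUM": 6, "LOW": 4, "INFORMATIONAL": 2}
DESC_KEYS = ("controlDescription", "cloudEventRuleDescription",
             "cloudConfigurationRuleDescription")
FIX_KEYS = ("resolutionRecommendation", "remediationInstructions")


def first_present(rule, keys):
    """Return the first non-empty value among keys (the tables' 'A or B' chains)."""
    return next((rule[k] for k in keys if rule.get(k)), None)


def map_issue(issue):
    """Map one Wiz issue dict to Vulcan fields per the host/cloud-resource tables."""
    rule = issue.get("sourceRule") or {}
    severity = str(issue.get("severity") or "").upper()
    if severity not in SCORE:  # surface unmapped severities instead of guessing
        raise ValueError(f"unmapped Wiz severity: {severity!r}")
    return {
        "instance_id": issue["id"],
        "title": rule.get("name"),
        "score": SCORE[severity],
        "description": first_present(rule, DESC_KEYS),
        "fix_description": first_present(rule, FIX_KEYS),
        "status": "fixed" if issue.get("status") == "RESOLVED" else "vulnerable",
    }


def reconcile(known_ids, synced_issues):
    """Status-update rules: 'RESOLVED' or absent from the last sync means fixed."""
    result = {i["id"]: map_issue(i)["status"] for i in synced_issues}
    for missing in set(known_ids) - set(result):
        result[missing] = "fixed"
    return result


# Constructed sample data, not real Wiz output; "OPEN" stands for any non-RESOLVED status.
SAMPLE = [
    {"id": "iss-1", "severity": "HIGH", "status": "OPEN",
     "sourceRule": {"name": "Public bucket",
                    "cloudConfigurationRuleDescription": "Bucket allows public read",
                    "remediationInstructions": "Block public access"}},
    {"id": "iss-2", "severity": "CRITICAL", "status": "RESOLVED",
     "sourceRule": {"name": "Exposed VM", "controlDescription": "VM exposed"}},
]

if __name__ == "__main__":
    print(map_issue(SAMPLE[0]))
    print(reconcile({"iss-1", "iss-2", "iss-3"}, SAMPLE))
```

Because a missing instance is treated as fixed, a sync that returns a partial result would close open findings; compare the synced count against the previous run before trusting a large drop.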
API Endpoints in Use
API version: November 2022
API | Mutation/Query | Use in Vulcan | Permissions required |
POST: {{ auth_url }}/oauth/token | - | Auth | |
POST: {{ server_url }}/graphql | CreateReport | Generate an asset report in the client environment. | create:reports |
POST: {{ server_url }}/graphql | ReportDownloadUrl | Get the URL to download the report. | read:reports |
GET: report_url | - | Get the data in the report. | |
POST: {{ server_url }}/graphql | IssuesTable | Get data about findings (assets, vulnerabilities and solutions). | read:issues |