Wiz
This Integration is part of the Wiz Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Agentless, context-aware and full-stack security and compliance for AWS, Azure and GCP. This integration was integrated and tested with Wiz.

Configure Wiz in Cortex

Parameter | Description | Required |
---|---|---|
name | Integration Name. Default: Wiz_instance_1 | True |
said | Service Account ID | True |
sasecret | Service Account Secret | True |
auth_endpoint | Wiz Authentication Endpoint, e.g., https://auth.app.wiz.io/oauth/token | True |
api_endpoint | Wiz API Endpoint. Default: https://api.us1.app.wiz.io/graphql. To find your API endpoint URL: (1) log in to Wiz and open your user profile; (2) copy the API Endpoint URL shown there and use it here. | True |
first_fetch | First fetch timestamp (`<number> <time unit>`, e.g., 12 hours, 7 days) | False |
Fetch incidents | Issue Streaming type. Either Fetch incidents (to constantly pull Issues) or Do not fetch (to push live Issues) | False |
max_fetch | Max Issues to fetch | False |
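The four connection settings above (service account ID and secret, authentication endpoint, API endpoint) drive an OAuth2 client-credentials exchange followed by bearer-authenticated GraphQL calls; `first_fetch` is a lookback window. The client below is an added example written for this page, not the integration's or Wiz's own code. Labelled assumptions: the authentication endpoint accepts a form-encoded client-credentials grant with audience `wiz-api` and answers with JSON carrying `access_token` and `expires_in`, and the API endpoint accepts a standard GraphQL POST body. The HTTP transport is injectable so the whole flow can be exercised offline with a fake.

```python
"""Service-account authentication and GraphQL transport for the settings above.

Added example, not the integration's own code. Assumptions: OAuth2
client-credentials grant with audience "wiz-api" (from Wiz's public API
docs), JSON token response with access_token/expires_in, standard GraphQL
POST body on the API endpoint.
"""
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import timedelta
from typing import Callable, Dict, Optional, Tuple

PostFn = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


class WizApiError(RuntimeError):
    """HTTP failure, token failure or GraphQL-level error from the Wiz API."""


def validate_endpoints(auth_endpoint: str, api_endpoint: str) -> None:
    """Refuse plain-HTTP endpoints: the service account secret and the bearer
    token travel in these requests and must never cross the wire in cleartext."""
    for name, url in (("auth_endpoint", auth_endpoint), ("api_endpoint", api_endpoint)):
        if urllib.parse.urlsplit(url).scheme != "https":
            raise ValueError(f"{name} must use https, got {url!r}")


def first_fetch_window(text: str) -> timedelta:
    """Parse a first_fetch value such as '12 hours' or '7 days' into a lookback window."""
    match = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week)s?\s*", text, re.IGNORECASE)
    if not match:
        raise ValueError(f"first_fetch must be '<number> <time unit>', got {text!r}")
    units = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1),
             "day": timedelta(days=1), "week": timedelta(weeks=1)}
    return int(match.group(1)) * units[match.group(2).lower()]


def _urllib_post(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default transport; replaced by a fake in offline tests."""
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read()


class WizClient:
    """Fetches a bearer token with the service account, refreshes it shortly
    before expiry, and sends GraphQL operations to the API endpoint."""

    def __init__(self, auth_endpoint: str, api_endpoint: str, service_account_id: str,
                 service_account_secret: str, post: PostFn = _urllib_post,
                 clock: Callable[[], float] = time.time) -> None:
        validate_endpoints(auth_endpoint, api_endpoint)
        self.auth_endpoint = auth_endpoint
        self.api_endpoint = api_endpoint
        self._client_id = service_account_id
        self._client_secret = service_account_secret
        self._post = post
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def token_request(self) -> Tuple[str, bytes, Dict[str, str]]:
        """Client-credentials grant as a form-encoded POST (audience value is an assumption)."""
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "audience": "wiz-api",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        }).encode()
        return self.auth_endpoint, form, {"Content-Type": "application/x-www-form-urlencoded"}

    def needs_refresh(self, skew_seconds: float = 60.0) -> bool:
        """Refresh early so no query leaves with a token that expires in flight."""
        return self._token is None or self._clock() >= self._expires_at - skew_seconds

    def get_token(self) -> str:
        if self.needs_refresh():
            url, body, headers = self.token_request()
            status, raw = self._post(url, body, headers)
            if status != 200:
                # Never put the request body in the error text: it carries the secret.
                raise WizApiError(f"token request to {url} failed with HTTP {status}")
            payload = json.loads(raw)
            self._token = payload["access_token"]
            self._expires_at = self._clock() + float(payload.get("expires_in", 0))
        return self._token

    def graphql(self, query: str, variables: Optional[dict] = None) -> dict:
        """POST one GraphQL operation; a 200 with an 'errors' array is still a failure."""
        headers = {"Authorization": f"Bearer {self.get_token()}",
                   "Content-Type": "application/json"}
        body = json.dumps({"query": query, "variables": variables or {}}).encode()
        status, raw = self._post(self.api_endpoint, body, headers)
        if status != 200:
            raise WizApiError(f"GraphQL request to {self.api_endpoint} failed with HTTP {status}")
        payload = json.loads(raw)
        if payload.get("errors"):
            raise WizApiError("; ".join(err.get("message", "unknown error") for err in payload["errors"]))
        return payload.get("data") or {}
```

Two points a practitioner should keep from this: the `https` check stops a mistyped endpoint from leaking the service account secret in cleartext, and GraphQL reports many failures (unknown Issue ID, missing scope) as HTTP 200 with an `errors` array, so the client must inspect the body rather than trusting the status code.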

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook or War Room. After you successfully execute a command, a DBot message appears in the War Room with the command details.

wiz-get-issue

Get the details for a Wiz Issue ID.
Base Command
wiz-get-issue
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |

wiz-get-issues

Get the Issues on cloud resources.
Base Command
wiz-get-issues
Input
Argument Name | Description | Required |
---|---|---|
issue_type | The type of Issue to get. Expected input: TOXIC_COMBINATION, THREAT_DETECTION or CLOUD_CONFIGURATION. Only Issues of the chosen type are fetched. | Optional |
entity_type | The type of entity to get Issues for. | Optional |
resource_id | Get Issues for a specific resource. Expected input: the resource's provider ID (providerId). | Optional |
severity | Get Issues of a specific severity. Expected input: CRITICAL, HIGH, MEDIUM, LOW or INFORMATIONAL. Issues of the chosen severity and above are fetched. | Optional |

entity_type and resource_id are mutually exclusive.
Context Output
Path | Type | Description |
---|---|---|
Wiz.Manager.Issues | String | All Issues |

wiz-get-resource

Get details of a resource. Pass exactly one of resource_id or resource_name. When searching by name, results are limited to 500 records.
Base Command
wiz-get-resource
Input
Argument Name | Description | Required |
---|---|---|
resource_id | Resource provider ID | Optional |
resource_name | Search by name or external ID | Optional |
Context Output
Path | Type | Description |
---|---|---|
Wiz.Manager.Resource | String | Resource details |

wiz-get-resources

Get details of multiple resources based on various filters.
Base Command
wiz-get-resources
Input
Argument Name | Description | Required |
---|---|---|
search | Filter by free text search on cloud resource name. | Optional |
entity_type | Filter cloud resources by specific entity types. Possible values are: ACCESS_ROLE, ACCESS_ROLE_BINDING, ACCESS_ROLE_PERMISSION, API_GATEWAY, APPLICATION, AUTHENTICATION_CONFIGURATION, BACKUP_SERVICE, BUCKET, CDN, CERTIFICATE, CICD_SERVICE, CLOUD_LOG_CONFIGURATION, CLOUD_ORGANIZATION, COMPUTE_INSTANCE_GROUP, CONFIG_MAP, CONTAINER, CONTAINER_GROUP, CONTAINER_IMAGE, CONTAINER_REGISTRY, CONTAINER_SERVICE, DAEMON_SET, DATABASE, DATA_WORKLOAD, DB_SERVER, DEPLOYMENT, DNS_RECORD, DNS_ZONE, DOMAIN, EMAIL_SERVICE, ENCRYPTION_KEY, ENDPOINT, FILE_SYSTEM_SERVICE, FIREWALL, GATEWAY, GOVERNANCE_POLICY, GOVERNANCE_POLICY_GROUP, HOSTED_APPLICATION, IAM_BINDING, IP_RANGE, KUBERNETES_CLUSTER, KUBERNETES_CRON_JOB, KUBERNETES_INGRESS, KUBERNETES_INGRESS_CONTROLLER, KUBERNETES_JOB, KUBERNETES_NETWORK_POLICY, KUBERNETES_NODE, KUBERNETES_PERSISTENT_VOLUME, KUBERNETES_PERSISTENT_VOLUME_CLAIM, KUBERNETES_POD_SECURITY_POLICY, KUBERNETES_SERVICE, KUBERNETES_STORAGE_CLASS, KUBERNETES_VOLUME, LOAD_BALANCER, MANAGED_CERTIFICATE, MANAGEMENT_SERVICE, NETWORK_ADDRESS, NETWORK_INTERFACE, NETWORK_ROUTING_RULE, NETWORK_SECURITY_RULE, PEERING, POD, PORT_RANGE, PRIVATE_ENDPOINT, PROXY, PROXY_RULE, RAW_ACCESS_POLICY, REGISTERED_DOMAIN, REPLICA_SET, RESOURCE_GROUP, SEARCH_INDEX, SECRET, SECRET_CONTAINER, SERVERLESS, SERVERLESS_PACKAGE, SERVICE_ACCOUNT, STORAGE_ACCOUNT, SUBNET, SUBSCRIPTION, SWITCH, USER_ACCOUNT, VIRTUAL_DESKTOP, VIRTUAL_MACHINE, VIRTUAL_MACHINE_IMAGE, VIRTUAL_NETWORK, VOLUME, WEB_SERVICE, DATA_WORKFLOW. | Optional |
subscription_external_ids | Filter cloud resources according to these external subscription IDs (AWS Account, Azure Subscription, GCP Project, and OCI Compartment). You can provide multiple IDs separated by commas. | Optional |
provider_unique_ids | Filter cloud resources according to these cloud service provider unique IDs. You can provide multiple IDs separated by commas. | Optional |
At least one parameter must be provided.
Context Output
This command returns the raw response data from the Wiz API. The response includes resource details in JSON format.
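The argument rules stated for wiz-get-issues (the chosen severity and above are fetched; entity_type and resource_id are mutually exclusive; a fixed set of issue types) and for wiz-get-resources (at least one filter; a fixed entity_type list; comma-separated ID lists) are the kind of validation a playbook author relies on before a query ever reaches Wiz. The code below is an added example serving both commands, not the integration's own code. It returns a plain normalised dict; it deliberately does not assume the Wiz GraphQL filter field names, which this page does not document. The entity_type list is copied from the wiz-get-resources table above.

```python
"""Argument normalisation for wiz-get-issues and wiz-get-resources.

Added example, not the integration's own code. Enforces the rules stated on
the page and returns a plain dict; the Wiz GraphQL filter schema is not assumed.
"""
from typing import Dict, List

# Highest first, in the order the wiz-get-issues table lists them.
SEVERITIES: List[str] = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]
ISSUE_TYPES = {"TOXIC_COMBINATION", "THREAT_DETECTION", "CLOUD_CONFIGURATION"}
# The entity_type values from the wiz-get-resources table.
ENTITY_TYPES = set("""
ACCESS_ROLE ACCESS_ROLE_BINDING ACCESS_ROLE_PERMISSION API_GATEWAY APPLICATION
AUTHENTICATION_CONFIGURATION BACKUP_SERVICE BUCKET CDN CERTIFICATE CICD_SERVICE
CLOUD_LOG_CONFIGURATION CLOUD_ORGANIZATION COMPUTE_INSTANCE_GROUP CONFIG_MAP CONTAINER
CONTAINER_GROUP CONTAINER_IMAGE CONTAINER_REGISTRY CONTAINER_SERVICE DAEMON_SET DATABASE
DATA_WORKLOAD DB_SERVER DEPLOYMENT DNS_RECORD DNS_ZONE DOMAIN EMAIL_SERVICE ENCRYPTION_KEY
ENDPOINT FILE_SYSTEM_SERVICE FIREWALL GATEWAY GOVERNANCE_POLICY GOVERNANCE_POLICY_GROUP
HOSTED_APPLICATION IAM_BINDING IP_RANGE KUBERNETES_CLUSTER KUBERNETES_CRON_JOB
KUBERNETES_INGRESS KUBERNETES_INGRESS_CONTROLLER KUBERNETES_JOB KUBERNETES_NETWORK_POLICY
KUBERNETES_NODE KUBERNETES_PERSISTENT_VOLUME KUBERNETES_PERSISTENT_VOLUME_CLAIM
KUBERNETES_POD_SECURITY_POLICY KUBERNETES_SERVICE KUBERNETES_STORAGE_CLASS KUBERNETES_VOLUME
LOAD_BALANCER MANAGED_CERTIFICATE MANAGEMENT_SERVICE NETWORK_ADDRESS NETWORK_INTERFACE
NETWORK_ROUTING_RULE NETWORK_SECURITY_RULE PEERING POD PORT_RANGE PRIVATE_ENDPOINT PROXY
PROXY_RULE RAW_ACCESS_POLICY REGISTERED_DOMAIN REPLICA_SET RESOURCE_GROUP SEARCH_INDEX SECRET
SECRET_CONTAINER SERVERLESS SERVERLESS_PACKAGE SERVICE_ACCOUNT STORAGE_ACCOUNT SUBNET
SUBSCRIPTION SWITCH USER_ACCOUNT VIRTUAL_DESKTOP VIRTUAL_MACHINE VIRTUAL_MACHINE_IMAGE
VIRTUAL_NETWORK VOLUME WEB_SERVICE DATA_WORKFLOW
""".split())
RESOURCE_FILTER_ARGS = ("search", "entity_type", "subscription_external_ids", "provider_unique_ids")


def severities_at_or_above(minimum: str) -> List[str]:
    """'MEDIUM' -> ['CRITICAL', 'HIGH', 'MEDIUM']: the chosen severity and above."""
    key = minimum.strip().upper()
    if key not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {minimum!r}")
    return SEVERITIES[: SEVERITIES.index(key) + 1]


def split_ids(value: str) -> List[str]:
    """Split a comma-separated ID list, dropping empty items and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def build_get_issues_filters(args: Dict[str, str]) -> Dict[str, object]:
    """Validate wiz-get-issues arguments and return the normalised filters."""
    if args.get("entity_type") and args.get("resource_id"):
        raise ValueError("entity_type and resource_id are mutually exclusive")
    filters: Dict[str, object] = {}
    if args.get("issue_type"):
        issue_type = args["issue_type"].strip().upper()
        if issue_type not in ISSUE_TYPES:
            raise ValueError(f"issue_type must be one of {sorted(ISSUE_TYPES)}, got {args['issue_type']!r}")
        filters["issue_type"] = issue_type
    if args.get("severity"):
        filters["severity"] = severities_at_or_above(args["severity"])
    if args.get("entity_type"):
        filters["entity_type"] = args["entity_type"].strip().upper()
    if args.get("resource_id"):
        filters["resource_id"] = args["resource_id"].strip()  # providerId, passed through unchanged
    return filters


def build_get_resources_filters(args: Dict[str, str]) -> Dict[str, object]:
    """Validate wiz-get-resources arguments: at least one filter, a known entity_type, ID lists split."""
    supplied = {k: v for k, v in args.items() if k in RESOURCE_FILTER_ARGS and v and v.strip()}
    if not supplied:
        raise ValueError(f"At least one of {RESOURCE_FILTER_ARGS} must be provided")
    filters: Dict[str, object] = {}
    if "search" in supplied:
        filters["search"] = supplied["search"].strip()
    if "entity_type" in supplied:
        entity_type = supplied["entity_type"].strip().upper()
        if entity_type not in ENTITY_TYPES:
            raise ValueError(f"unknown entity_type {supplied['entity_type']!r}")
        filters["entity_type"] = entity_type
    for key in ("subscription_external_ids", "provider_unique_ids"):
        if key in supplied:
            filters[key] = split_ids(supplied[key])
    return filters
```

Rejecting a bad argument locally gives the playbook a clear error instead of an opaque GraphQL failure, and the severity expansion makes the "and above" semantics explicit rather than leaving it to whoever reads the raw query.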

wiz-issue-in-progress

Set an Issue's status to In Progress.
Base Command
wiz-issue-in-progress
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |
Context Output
Path | Type | Description |
---|---|---|
Wiz.Manager.Issue | String | Issue details |

wiz-reopen-issue

Re-open an Issue.
Base Command
wiz-reopen-issue
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |
reopen_note | Note for re-opening Issue | Optional |
Context Output
Path | Type | Description |
---|---|---|
Wiz.Manager.Issue | String | Issue details |

wiz-reject-issue

Reject an Issue.
Base Command
wiz-reject-issue
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |
reject_reason | Reason for rejecting the Issue. Accepted values: WONT_FIX, FALSE_POSITIVE and REJECTED. | Required |
reject_note | Note explaining why the Issue was rejected | Required |
Context Output
Path | Type | Description |
---|---|---|
Wiz.Manager.Issue | String | Issue details |

wiz-resolve-issue

Resolve a Threat Detection Issue.
Base Command
wiz-resolve-issue
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |
resolution_reason | Issue resolution reason | Required |
resolution_note | Note to explain why the Issue has been resolved | Required |
Context Output
Path | Type | Description |
---|---|---|
Wiz.Manager.Issue | String | Issue details |

wiz-set-issue-note

Set (append) a note on an Issue.
Base Command
wiz-set-issue-note
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |
reject_note | Note for the Issue. It is appended to the existing note. | Required |

wiz-clear-issue-note

Clear the note from an Issue.
Base Command
wiz-clear-issue-note
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |

wiz-get-issue-evidence

Get the evidence for an Issue.
Base Command
wiz-get-issue-evidence
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |

wiz-rescan-machine-disk

Deprecated.

wiz-set-issue-due-date

Set a due date for an Issue.
Base Command
wiz-set-issue-due-date
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |
due_at | Due date for the Issue | Required |

wiz-clear-issue-due-date

Clear the due date for an Issue.
Base Command
wiz-clear-issue-due-date
Input
Argument Name | Description | Required |
---|---|---|
issue_id | Issue id | Required |

wiz-get-project-team

Get the team of a Wiz Project.
Base Command
wiz-get-project-team
Input
Argument Name | Description | Required |
---|---|---|
project_name | Project Name | Required |

wiz-copy-to-forensics-account

Copy a VM's volumes to a forensics account.
Base Command
wiz-copy-to-forensics-account
Input
Argument Name | Description | Required |
---|---|---|
resource_id | Resource Id | Required |