# WizDefend

This Integration is part of the Wiz Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

## WizDefend Integration

Agentless cloud security platform for detecting and addressing cloud issues, detections, and threats.
## Configure WizDefend on Cortex XSOAR

1. Navigate to **Settings** > **Integrations** > **Servers & Services**.
2. Search for WizDefend.
3. Click **Add instance** to create and configure a new integration instance.

   Parameter | Required |
   --- | --- |
   Service Account ID | True |
   Authentication Endpoint | True |
   API Endpoint | True |
   First fetch timestamp (maximum 5 days) | False |
   Max Detections to Fetch | False |
   Minimum detection severity to fetch | False |
   Type of detections to fetch | False |
   Detection cloud account or cloud organization to fetch | False |
   Detection platforms to fetch | False |
   Cloud event origin to fetch | False |
   Use system proxy settings | False |
   Fetch incidents | False |

4. Click **Test** to validate the URLs, connection, and configuration.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### wiz-defend-get-detections

Retrieve Wiz security detections based on specified filters.

#### Base Command

`wiz-defend-get-detections`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
creation_minutes_back | Time window in minutes to retrieve detections (range 10-600). Default is 10. | Optional |
type | Type of detections to fetch. Possible values are: GENERATED THREAT, DID NOT GENERATE THREAT. Default is GENERATED THREAT. | Optional |
issue_id | The internal Wiz Issue ID of the Detections. | Optional |
cloud_account_or_cloud_organization | Detection cloud account or cloud organization to fetch. | Optional |
origin | Cloud event origin. Multiple origins can be given as a comma-separated list in the format ORIGIN1,ORIGIN2. | Optional |
platform | Get detections for a cloud platform. Multiple platforms can be given as a comma-separated list in the format PLATFORM1,PLATFORM2. | Optional |
resource_id | Filter detections by specific resource ID. | Optional |
severity | Get Detections of a specific severity and above. Possible values are: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL. | Optional |
rule_match_id | Filter detections by rule match ID (requires valid UUID format). | Optional |
rule_match_name | Filter detections by matching rule name. | Optional |
project | Filter Detections by project. | Optional |
#### Context Output

Path | Type | Description |
--- | --- | --- |
Wiz.Manager.Detections.entitySnapshot | String | All resource details. |
Wiz.Manager.Detections.createdAt | String | Detection created at. |
Wiz.Manager.Detections.id | String | Wiz Detection ID. |
Wiz.Manager.Detections.url | String | Wiz Detection URL. |
Wiz.Manager.Detections.severity | String | Wiz Detection severity. |
Wiz.Manager.Detections.status | String | Wiz Detection status. |
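As an added example (not code from the Wiz pack or this integration), the helper below checks an argument set for `wiz-defend-get-detections` against the constraints stated in the input table (10-600 minute window, detection type and severity enumerations, UUID-formatted `rule_match_id`, comma-separated lists) so a playbook can reject bad input before calling the command; the function names, and upper-casing of list values, are assumptions.

```python
import uuid

# Severity order as listed in the input table: CRITICAL is the highest.
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]
DETECTION_TYPES = ("GENERATED THREAT", "DID NOT GENERATE THREAT")


def severities_at_or_above(severity):
    """Expand 'a specific severity and above' into the explicit set it covers."""
    sev = str(severity).upper()
    if sev not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    return SEVERITIES[: SEVERITIES.index(sev) + 1]


def check_get_detections_args(args):
    """Return a list of problems with an argument dict; an empty list means valid.

    Constraints mirror the command's input table; nothing is sent to Wiz here."""
    problems = []
    minutes = args.get("creation_minutes_back", 10)  # table default
    try:
        if not 10 <= int(minutes) <= 600:
            problems.append("creation_minutes_back must be between 10 and 600")
    except (TypeError, ValueError):
        problems.append("creation_minutes_back must be an integer")
    if args.get("type", "GENERATED THREAT") not in DETECTION_TYPES:
        problems.append("type must be GENERATED THREAT or DID NOT GENERATE THREAT")
    if "severity" in args and str(args["severity"]).upper() not in SEVERITIES:
        problems.append("severity must be one of " + ", ".join(SEVERITIES))
    if "rule_match_id" in args:
        try:
            uuid.UUID(str(args["rule_match_id"]))  # table: requires valid UUID format
        except ValueError:
            problems.append("rule_match_id must be a valid UUID")
    return problems


def normalize_list_arg(value):
    """Canonicalise the ORIGIN1,ORIGIN2 / PLATFORM1,PLATFORM2 form the table shows.

    Upper-casing is an assumption based on the table's example values."""
    return ",".join(v.strip().upper() for v in str(value).split(",") if v.strip())


# Constructed sample arguments, as a playbook task might pass them (hypothetical).
SAMPLE_ARGS = {"creation_minutes_back": "30", "severity": "high",
               "platform": "aws, azure", "rule_match_id": "not-a-uuid"}

if __name__ == "__main__":
    for problem in check_get_detections_args(SAMPLE_ARGS):
        print("argument error:", problem)
```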
### wiz-defend-get-detection

Retrieve detailed information about a specific Wiz detection by ID.

#### Base Command

`wiz-defend-get-detection`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
detection_id | Wiz internal detection ID to retrieve. | Optional |
#### Context Output

Path | Type | Description |
--- | --- | --- |
Wiz.Manager.Detection.id | String | Detection ID in Wiz. |
Wiz.Manager.Detection.severity | String | Detection severity. |
Wiz.Manager.Detection.description | String | Detection description. |
Wiz.Manager.Detection.createdAt | Date | Detection creation time. |
Wiz.Manager.Detection.resources | String | Related resources. |
Wiz.Manager.Detection.url | String | URL to the Wiz Detection in the Wiz console. |
### wiz-defend-get-threat

Retrieve detailed information about a specific Wiz threat by issue ID.

#### Base Command

`wiz-defend-get-threat`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
issue_id | Wiz internal issue ID to retrieve. | Optional |
#### Context Output

Path | Type | Description |
--- | --- | --- |
Wiz.Manager.Threat.id | String | Threat ID in Wiz. |
Wiz.Manager.Threat.severity | String | Threat severity. |
Wiz.Manager.Threat.description | String | Threat description. |
Wiz.Manager.Threat.createdAt | Date | Threat creation time. |
Wiz.Manager.Threat.resources | String | Related resources. |
Wiz.Manager.Threat.url | String | URL to the Wiz Threat in the Wiz console. |
### wiz-defend-get-threats

Retrieve Wiz threats based on specified filters.

#### Base Command

`wiz-defend-get-threats`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
creation_days_back | Time window in days to retrieve threats (range 1-30). Default is 5. | Optional |
cloud_account_or_cloud_organization | Threat cloud account or cloud organization to fetch. | Optional |
platform | Get threats for a cloud platform. Multiple platforms can be given as a comma-separated list in the format PLATFORM1,PLATFORM2. | Optional |
resource_id | Filter threats by specific resource ID. | Optional |
severity | Minimum threat severity to fetch. Possible values are: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL. | Optional |
status | Filter threats by status (e.g., OPEN, IN_PROGRESS). Possible values are: OPEN, IN_PROGRESS, RESOLVED, REJECTED. Default is OPEN, IN_PROGRESS. | Optional |
origin | Cloud event origin. Multiple origins can be given as a comma-separated list in the format ORIGIN1,ORIGIN2. | Optional |
project | Filter Threats by project. | Optional |
#### Context Output

Path | Type | Description |
--- | --- | --- |
Wiz.Manager.Threats.entitySnapshot | String | All resource details. |
Wiz.Manager.Threats.createdAt | String | Threat created at. |
Wiz.Manager.Threats.id | String | Wiz Threat ID. |
Wiz.Manager.Threats.url | String | Wiz Threat URL. |
Wiz.Manager.Threats.severity | String | Wiz Threat severity. |
Wiz.Manager.Threats.status | String | Wiz Threat status. |
### wiz-defend-reopen-threat

Reopen a Wiz Threat.

#### Base Command

`wiz-defend-reopen-threat`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
issue_id | Threat issue id. | Required |
reopen_note | Reopen note. | Optional |
### wiz-defend-resolve-threat

Resolve a Wiz Threat.

#### Base Command

`wiz-defend-resolve-threat`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
issue_id | Threat issue id. | Required |
resolution_reason | Resolution reason. Possible values are: OBJECT_DELETED, ISSUE_FIXED, FALSE_POSITIVE, EXCEPTION, CONTROL_DISABLED, CONTROL_DELETED, WONT_FIX, DETECTION_EXPIRED. | Required |
resolution_note | Resolution note. | Required |
### wiz-defend-set-threat-in-progress

Set a Wiz Threat to in progress.

#### Base Command

`wiz-defend-set-threat-in-progress`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
issue_id | Threat issue id. | Required |
### wiz-defend-set-threat-comment

Set a comment on a Wiz Threat.

#### Base Command

`wiz-defend-set-threat-comment`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
issue_id | Threat issue id. | Required |
note | Note. | Required |
### wiz-defend-clear-threat-comments

Clear all the comments from a Wiz Threat.

#### Base Command

`wiz-defend-clear-threat-comments`

#### Input

Argument Name | Description | Required |
--- | --- | --- |
issue_id | Threat issue id. | Required |
## Known Limitations

- Maximum fetch limit is 1000 detections per run.
- The XSOAR fetch process has a 5-minute timeout.

## Troubleshooting

If you encounter issues:

- Verify you created a Wiz Service Account through a Wiz integration.
- Ensure the Authentication and API endpoints are accessible.
- Review the integration logs for detailed error messages.