# WizDefend

This Integration is part of the Wiz Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

## WizDefend Integration

Agentless cloud security platform for detecting and addressing cloud issues, detections, and threats.

## Configure WizDefend on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for WizDefend.
3. Click Add instance to create and configure a new integration instance.

   | Parameter | Required |
   | --- | --- |
   | Service Account ID | True |
   | Authentication Endpoint | True |
   | API Endpoint | True |
   | First fetch timestamp (maximum 5 days) | False |
   | Max Detections to Fetch | False |
   | Minimum detection severity to fetch | False |
   | Type of detections to fetch | False |
   | Detection cloud account or cloud organization to fetch | False |
   | Detection platforms to fetch | False |
   | Cloud event origin to fetch | False |
   | Use system proxy settings | False |
   | Fetch incidents | False |

4. Click Test to validate the URLs, connection, and configuration.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### wiz-defend-get-detections

Retrieve Wiz security detections based on specified filters.

#### Base Command

`wiz-defend-get-detections`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| creation_minutes_back | Time window in minutes to retrieve detections (range 10-600). Default is 10. | Optional |
| type | Type of detections to fetch. Possible values are: GENERATED THREAT, DID NOT GENERATE THREAT. Default is GENERATED THREAT. | Optional |
| issue_id | The internal Wiz Issue ID of the Detections. | Optional |
| cloud_account_or_cloud_organization | Detection cloud account or cloud organization to fetch. | Optional |
| origin | Cloud event origin. Multiple origins can be given as a comma-separated list, for example ORIGIN1,ORIGIN2. | Optional |
| platform | Get Detections for a cloud platform. Multiple platforms can be given as a comma-separated list, for example PLATFORM1,PLATFORM2. | Optional |
| resource_id | Filter detections by specific resource ID. | Optional |
| severity | Get Detections of a specific severity and above. Possible values are: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL. | Optional |
| rule_match_id | Filter detections by rule match ID (requires valid UUID format). | Optional |
| rule_match_name | Filter detections by matching rule name. | Optional |
| project | Filter Detections by project. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Wiz.Manager.Detections.entitySnapshot | String | All resource details. |
| Wiz.Manager.Detections.createdAt | String | Detection creation time. |
| Wiz.Manager.Detections.id | String | Wiz Detection ID. |
| Wiz.Manager.Detections.url | String | Wiz Detection URL. |
| Wiz.Manager.Detections.severity | String | Wiz Detection severity. |
| Wiz.Manager.Detections.status | String | Wiz Detection status. |
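As an added example (not code from the WizDefend integration itself), the following helper encodes the constraints in the input table above, so a playbook or automation can reject a bad argument set before the command runs and see exactly what a given `severity` filter covers. The argument names, ranges, defaults and allowed values are taken from the table; the `to_war_room_command` renderer assumes the standard Cortex XSOAR CLI form `!command arg=value`.

```python
import uuid

# Severity scale from most to least severe, as listed in the input table.
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]
DETECTION_TYPES = ("GENERATED THREAT", "DID NOT GENERATE THREAT")
PASSTHROUGH = ("issue_id", "cloud_account_or_cloud_organization",
               "resource_id", "rule_match_name", "project")


def severities_at_or_above(minimum):
    """'severity' selects the given level and above: HIGH -> CRITICAL, HIGH."""
    level = minimum.strip().upper()
    if level not in SEVERITIES:
        raise ValueError(f"unknown severity {minimum!r}; expected one of {SEVERITIES}")
    return SEVERITIES[: SEVERITIES.index(level) + 1]


def split_csv(value):
    """'ORIGIN1, ORIGIN2,' -> ['ORIGIN1', 'ORIGIN2']: trims blanks and spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def build_get_detections_args(**raw):
    """Return a cleaned argument dict; raise ValueError on a documented violation."""
    minutes = int(raw.get("creation_minutes_back", 10))  # default is 10
    if not 10 <= minutes <= 600:                         # documented range 10-600
        raise ValueError("creation_minutes_back must be between 10 and 600")
    dtype = raw.get("type", "GENERATED THREAT")          # default is GENERATED THREAT
    if dtype not in DETECTION_TYPES:
        raise ValueError(f"type must be one of {DETECTION_TYPES}")
    args = {"creation_minutes_back": minutes, "type": dtype}
    if "severity" in raw:
        args["severity"] = severities_at_or_above(raw["severity"])[-1]  # normalized
    for key in ("origin", "platform"):                   # comma-separated lists
        if key in raw:
            args[key] = ",".join(split_csv(raw[key]))
    if "rule_match_id" in raw:
        args["rule_match_id"] = str(uuid.UUID(raw["rule_match_id"]))  # must be a UUID
    for key in PASSTHROUGH:
        if key in raw:
            args[key] = raw[key]
    return args


def to_war_room_command(args):
    """Render the dict as a Cortex XSOAR CLI line; values with spaces are quoted."""
    parts = [f'{k}="{v}"' if " " in str(v) else f"{k}={v}" for k, v in args.items()]
    return "!wiz-defend-get-detections " + " ".join(parts)
```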

### wiz-defend-get-detection

Retrieve detailed information about a specific Wiz detection by ID.

#### Base Command

`wiz-defend-get-detection`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| detection_id | Wiz internal detection ID to retrieve. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Wiz.Manager.Detection.id | String | Detection ID in Wiz. |
| Wiz.Manager.Detection.severity | String | Detection severity. |
| Wiz.Manager.Detection.description | String | Detection description. |
| Wiz.Manager.Detection.createdAt | Date | Detection creation time. |
| Wiz.Manager.Detection.resources | String | Related resources. |
| Wiz.Manager.Detection.url | String | URL to the Wiz Detection in the Wiz console. |

### wiz-defend-get-threat

Retrieve detailed information about a specific Wiz threat by issue ID.

#### Base Command

`wiz-defend-get-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Wiz internal issue ID to retrieve. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Wiz.Manager.Threat.id | String | Threat ID in Wiz. |
| Wiz.Manager.Threat.severity | String | Threat severity. |
| Wiz.Manager.Threat.description | String | Threat description. |
| Wiz.Manager.Threat.createdAt | Date | Threat creation time. |
| Wiz.Manager.Threat.resources | String | Related resources. |
| Wiz.Manager.Threat.url | String | URL to the Wiz Threat in the Wiz console. |

### wiz-defend-get-threats

Retrieve Wiz threats based on specified filters.

#### Base Command

`wiz-defend-get-threats`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| creation_days_back | Time window in days to retrieve threats (range 1-30). Default is 5. | Optional |
| cloud_account_or_cloud_organization | Threat cloud account or cloud organization to fetch. | Optional |
| platform | Get Threats for a cloud platform. Multiple platforms can be given as a comma-separated list, for example PLATFORM1,PLATFORM2. | Optional |
| resource_id | Filter threats by specific resource ID. | Optional |
| severity | Minimum threat severity to fetch. Possible values are: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL. | Optional |
| status | Filter threats by status (e.g., OPEN, IN_PROGRESS). Possible values are: OPEN, IN_PROGRESS, RESOLVED, REJECTED. Default is OPEN, IN_PROGRESS. | Optional |
| origin | Cloud event origin. Multiple origins can be given as a comma-separated list, for example ORIGIN1,ORIGIN2. | Optional |
| project | Filter Threats by project. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Wiz.Manager.Threats.entitySnapshot | String | All resource details. |
| Wiz.Manager.Threats.createdAt | String | Threat creation time. |
| Wiz.Manager.Threats.id | String | Wiz Threat ID. |
| Wiz.Manager.Threats.url | String | Wiz Threat URL. |
| Wiz.Manager.Threats.severity | String | Wiz Threat severity. |
| Wiz.Manager.Threats.status | String | Wiz Threat status. |

### wiz-defend-reopen-threat

Reopen a Wiz Threat.

#### Base Command

`wiz-defend-reopen-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Threat issue ID. | Required |
| reopen_note | Reopen note. | Optional |

### wiz-defend-resolve-threat

Resolve a Wiz Threat.

#### Base Command

`wiz-defend-resolve-threat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Threat issue ID. | Required |
| resolution_reason | Resolution reason. Possible values are: OBJECT_DELETED, ISSUE_FIXED, FALSE_POSITIVE, EXCEPTION, CONTROL_DISABLED, CONTROL_DELETED, WONT_FIX, DETECTION_EXPIRED. | Required |
| resolution_note | Resolution note. | Required |

### wiz-defend-set-threat-in-progress

Set a Wiz Threat to in progress.

#### Base Command

`wiz-defend-set-threat-in-progress`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Threat issue ID. | Required |

### wiz-defend-set-threat-comment

Set a comment on a Wiz Threat.

#### Base Command

`wiz-defend-set-threat-comment`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Threat issue ID. | Required |
| note | Comment text to add to the threat. | Required |

### wiz-defend-clear-threat-comments

Clear all the comments from a Wiz Threat.

#### Base Command

`wiz-defend-clear-threat-comments`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| issue_id | Threat issue ID. | Required |

## Known Limitations

- Maximum fetch limit is 1000 detections per run.
- The XSOAR fetch process has a 5-minute timeout.

## Troubleshooting

If you encounter issues:

1. Verify you created a Wiz Service Account through a Wiz integration.
2. Ensure the Authentication and API endpoints are accessible.
3. Review the integration logs for detailed error messages.