Wiz
App Vendor: Wiz
App Category: Cloud Security
Connector Version: 1.2.1
API Version: 1.0.0
About App
Wiz provides direct visibility, risk prioritization, and remediation guidance for development teams to address risks in their own infrastructure and applications so they can ship faster and more securely.
The Wiz app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Create Inventory Report | This action creates an inventory report on Wiz. |
Get Audit Logs | This action retrieves the audit logs available on Wiz. |
Get Configuration Findings | This action retrieves a list of cloud configuration findings. |
Get Issues | This action retrieves a set of issues found in a tenant object. |
Get Report Status | This action retrieves the status and URL of a report. |
Get Users | This action retrieves the list of users available on Wiz. |
Get Vulnerability Findings | This action retrieves a list of vulnerability findings. |
Rerun Report | This action reruns a report. |
Update Issue | This action updates a specific issue in a tenant object. |
Generic Action | This is a generic action used to make requests to any Wiz endpoint. |
Configuration Parameters
The following configuration parameters are required for the Wiz app to communicate with the Wiz enterprise application. The parameters can be configured by creating instances in the app.
Important
You can perform the supported actions that match your permissions. For more information on the required permissions to perform an action, see the official Wiz API documentation.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID to authenticate the client. | Text | Required | |
Secret Key | Enter the secret key to authenticate the client. | Password | Required | |
Base URL | Enter the base URL to access the Wiz application. Example: https://api.region.app.wiz.io | Text | Optional | Default value: https://api.us17.app.wiz.io |
Auth URL | Enter the authentication URL. | Text | Optional | Default value: https://auth.app.wiz.io/oauth/token |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Wiz. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no may result in the connection being established incorrectly. | Boolean | Optional | Default value: false |
Action: Create Inventory Report
This action creates an inventory report on Wiz.
It is recommended to create a report infrequently and to rerun the created report to get the latest data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the report to create. Example: sample report | Text | Required | |
Report Type | Enter the report type to create an inventory report. Example: cloud_resource | Text | Optional | Default value: cloud_resource |
Project ID | Enter project ID to filter assets. Example: aeef292e-13dd-4c50-992b-bb1dc0734123 | Text | Optional | Default value: * |
Entity Type | Enter a list of entity types. Example: $LIST[VIRTUAL_MACHINE, APPLICATION] | List | Optional | Default value: VIRTUAL_MACHINE Allowed values: "ACCESS_ROLE", "ACCESS_ROLE_BINDING", "ACCESS_ROLE_PERMISSION", "API_GATEWAY", "APPLICATION", "AUTHENTICATION_CONFIGURATION", "BACKUP_SERVICE", "BUCKET", "CDN", "CERTIFICATE", "CICD_SERVICE", "CLOUD_LOG_CONFIGURATION", "CLOUD_ORGANIZATION", "COMPUTE_INSTANCE_GROUP", "CONFIG_MAP", "CONTAINER", "CONTAINER_GROUP", "CONTAINER_IMAGE", "CONTAINER_REGISTRY", "CONTAINER_SERVICE", "DAEMON_SET", "DATABASE", "DATA_WORKLOAD", "DB_SERVER", "DEPLOYMENT", "DNS_RECORD", "DNS_ZONE", "DOMAIN", "EMAIL_SERVICE", "ENCRYPTION_KEY", "ENDPOINT", "FILE_SYSTEM_SERVICE", "FIREWALL", "GATEWAY", "GOVERNANCE_POLICY", "GOVERNANCE_POLICY_GROUP", "HOSTED_APPLICATION", "IAM_BINDING", "IP_RANGE", "KUBERNETES_CLUSTER", "KUBERNETES_CRON_JOB", "KUBERNETES_INGRESS", "KUBERNETES_INGRESS_CONTROLLER", "KUBERNETES_JOB", "KUBERNETES_NETWORK_POLICY", "KUBERNETES_NODE", "KUBERNETES_PERSISTENT_VOLUME", "KUBERNETES_PERSISTENT_VOLUME_CLAIM", "KUBERNETES_POD_SECURITY_POLICY", "KUBERNETES_SERVICE", "KUBERNETES_STORAGE_CLASS", "KUBERNETES_VOLUME", "LOAD_BALANCER", "MANAGED_CERTIFICATE", "MANAGEMENT_SERVICE", "NETWORK_ADDRESS", "NETWORK_INTERFACE", "NETWORK_ROUTING_RULE", "NETWORK_SECURITY_RULE", "PEERING", "POD", "PORT_RANGE", "PRIVATE_ENDPOINT", "PROXY", "PROXY_RULE", "RAW_ACCESS_POLICY", "REGISTERED_DOMAIN", "REPLICA_SET", "RESOURCE_GROUP", "SEARCH_INDEX", "SECRET", "SECRET_CONTAINER", "SERVERLESS", "SERVERLESS_PACKAGE", "SERVICE_ACCOUNT", "STORAGE_ACCOUNT", "SUBNET", "SUBSCRIPTION", "SWITCH", "USER_ACCOUNT", "VIRTUAL_DESKTOP", "VIRTUAL_MACHINE", "VIRTUAL_MACHINE_IMAGE", "VIRTUAL_NETWORK", "VOLUME", "WEB_SERVICE", "DATA_WORKFLOW" |
Cloud Platform | Enter the cloud platforms to create an inventory report. Example: $LIST[gcp,aws] | List | Optional | Default value: aws Allowed values:
|
Include Cloud JSON | Choose to include cloud JSON in the inventory report. Example: false | Boolean | Optional | Default value: false Allowed values:
|
Include Wiz JSON | Choose to include the Wiz JSON in the inventory report. | Boolean | Optional | Default value: false |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | Contains the response data. |
app_instance.create_report | Object | Contains the details of the created report. |
app_instance.report | Object | Details of the created report. Example: "id": "4380bda6-36f1-4da8-ac0f-2f8f74a0a662" |
app_instance.id | String | Unique identifier of the created report. Example: "4380bda6-36f1-4da8-ac0f-2f8f74a0a662" |
app_instance.status_code | Integer | HTTP status code of the response. |
Action: Get Audit Logs
This action retrieves the audit logs available on Wiz.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Status | Enter the audit log status to filter the result. Example: $LIST[success,failed] | List | Optional | Allowed values:
|
User | Enter users to filter audit logs. Example: $LIST[aeef292e-13dd-4c50-992b-bb1dc0734123] | List | Optional | |
User Type | Enter a user type to filter the audit logs. Example: $LIST[user_account] | List | Optional | Allowed values:
|
Before Time | Enter the time to fetch logs before. | Text | Optional | Allowed format: yyyy-mm-dd't'hh:mm:ss'z' |
After Time | Enter the time to fetch logs after. | Text | Optional | Allowed format: yyyy-mm-dd't'hh:mm:ss'z' |
Search | Enter a search term to filter the logs. Example: ip-12.32.44.5 | Text | Optional | |
Limit | Enter the number of audit logs to retrieve. | Integer | Optional | Default value: 15 |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.extensions | Object | The extensions object containing additional information about the error. |
app_instance.code | String | The error code indicating the type of error occurred. |
app_instance.effective_scopes | Array | The scopes that are effectively granted to the user. |
app_instance.required_scopes | Array | The scopes that are required to perform the requested operation. |
app_instance.message | String | The error message describing the access denial and the required permissions. |
app_instance.path | Array | The path indicating the location of the error in the GraphQL request. |
Action: Get Configuration Findings
This action retrieves a list of cloud configuration findings.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Finding IDs | Enter a list of finding IDs to filter in the response. Example: $LIST[1239-sdc-123-1239-sdc-124, 1239-sdc-123-1239-sdc-124] | List | Optional | Default value: All findings |
Sources | Enter a list of sources to filter in the response. | List | Optional | Default value: All sources |
Result | Enter a list of scan results to filter in the response. Example: $LIST[fail, pass] | List | Optional | Default value: All results Allowed values:
|
Severity | Enter a list of severity levels to filter in the response. Example: $LIST[none, low] | List | Optional | Default value: All severities Allowed values:
|
Benchmark | Enter a list of benchmarks to filter in the response. | List | Optional | Default value: All benchmarks |
Has Remediation Instructions | Enter true to return responses that have remediation instructions. | Boolean | Optional | Default value: All responses |
Order by Direction | Enter the direction to order (sort) the results. Example: desc | Text | Optional | Default value: asc Allowed values:
|
Order by Field | Enter the field to order the results. Example: id | Text | Optional | Default value: id |
Limit | Enter the number of results to retrieve. Example: 50 | Integer | Optional | Default value: 5 |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Null | The data returned by the response. Example: null |
app_instance.errors | Array | List of errors in the response. Example: [{...}] |
app_instance.extensions_code | String | Error code indicating the type of error. Example: UNAUTHORIZED |
app_instance.effective_scopes | Array | List of scopes the user has. Example: ["read:issues", "read:reports", "read:vulnerabilities", "update:reports", "create:reports"] |
app_instance.required_scopes | Array | List of scopes required to access the resource. Example: ["read:all", "read:cloud_configuration"] |
app_instance.message | String | Error message describing the access issue. Example: access denied, at least one of the following is required: [read:all read:cloud_configuration], your permissions: [read:issues read:reports read:vulnerabilities update:reports create:reports] |
app_instance.path | Array | Path to the resource that caused the error. Example: ["configurationFindings"] |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
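The example values in this table describe a response with HTTP status 200, null data and an UNAUTHORIZED error, so a playbook step cannot treat the status code alone as success. The following is an added example, not part of the Wiz app or the Wiz API, that classifies such a response and lists which scopes would lift the denial. The nested response layout and the names `check_response`, `SAMPLE_DENIED` and `SAMPLE_OK` are assumptions reconstructed from the flattened parameter names above.

```python
"""Added example: classify a Wiz action response before a playbook acts on it.

The nested layout is an assumption reconstructed from the flattened
parameter names documented on this page.
"""

# Constructed sample, built from the example values in the table above.
SAMPLE_DENIED = {
    "status_code": 200,
    "data": None,
    "errors": [{
        "message": "access denied, at least one of the following is required: "
                   "[read:all read:cloud_configuration], your permissions: "
                   "[read:issues read:reports read:vulnerabilities "
                   "update:reports create:reports]",
        "path": ["configurationFindings"],
        "extensions": {
            "code": "UNAUTHORIZED",
            "effective_scopes": ["read:issues", "read:reports",
                                 "read:vulnerabilities", "update:reports",
                                 "create:reports"],
            "required_scopes": ["read:all", "read:cloud_configuration"],
        },
    }],
}

# Constructed success sample; the shape of "data" is hypothetical.
SAMPLE_OK = {"status_code": 200,
             "data": {"configurationFindings": {"nodes": []}}}


def _scopes(ext, snake, camel):
    # The page documents both spellings (effective_scopes / effectiveScopes).
    return list(ext.get(snake) or ext.get(camel) or [])


def check_response(resp):
    """Return a verdict dict; HTTP 200 alone is never treated as success."""
    errors = resp.get("errors") or []
    if not errors:
        ok = resp.get("status_code") == 200 and resp.get("data") is not None
        return {"ok": ok, "denials": [], "other_errors": []}

    denials, other = [], []
    for err in errors:
        ext = err.get("extensions") or {}
        code = ext.get("code") or err.get("extensions_code")
        if code != "UNAUTHORIZED":
            other.append(err.get("message", ""))
            continue
        have = set(_scopes(ext, "effective_scopes", "effectiveScopes"))
        need = _scopes(ext, "required_scopes", "requiredScopes")
        denials.append({
            "path": ".".join(map(str, err.get("path") or [])),
            # "At least one of": granting any single scope listed here
            # to the client would satisfy the check.
            "grant_any_of": [s for s in need if s not in have],
        })
    return {"ok": False, "denials": denials, "other_errors": other}


if __name__ == "__main__":
    print(check_response(SAMPLE_DENIED))
    print(check_response(SAMPLE_OK))
```
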
Action: Get Issues
This action retrieves the issues found in a tenant object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Issue ID | Enter an issue ID to filter the response. | Text | Optional | Default value: All Issues |
Search | Enter a search term to filter in the title of the issues. | Text | Optional | Default value: All Issues |
Framework Category | Enter a list of framework categories to filter in the response. | List | Optional | Default value: All Framework Categories |
Stack Layer | Enter a list of stack layers to filter in the response. | List | Optional | Default value: All Stack Layers Allowed values:
|
Project | Enter a list of project IDs to filter in the response. Example: $LIST[123e4567-e89b-12d3-a456-426614174000] | List | Optional | Default value: All Projects |
Severity | Enter a list of severity levels to filter in the response. | List | Optional | Default value: All Severities Allowed values:
|
Status | Enter a list of issue statuses to filter the response. | List | Optional | Default value: All Statuses Allowed values:
|
Cloud Platform | Enter a list of cloud platforms to filter in the response. | List | Optional | Default value: All Platforms Allowed values:
|
Created Before | Enter a date to filter issues created before this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddthh:mm:ssz |
Created After | Enter a date to filter issues created after this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddthh:mm:ssz |
Resolved Before | Enter a date to filter issues resolved before this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddthh:mm:ssz |
Resolved After | Enter a date to filter issues resolved after this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddthh:mm:ssz |
Limit | Enter the response limit. Example: 50 | Integer | Optional | Default value: 15 |
Order By Direction | Enter the direction to order (sort) the results. Example: asc | Text | Optional | Default value: asc Allowed values:
|
Order By Field | Enter the field to order the results. Example: id | Text | Optional | Default value: id |
Example Request
[ { "limit": "15" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.control_id | String | Unique identifier for the control. Example: 4144c5de-c2aa-43e0-a0b7-fe7c43324d80 |
app_instance.control_name | String | Name of the control. Example: Findings with Critical Severity Vulnerabilities |
app_instance.created_at | String | Timestamp when the issue was created. Example: 2024-04-16T16:40:20.698327Z |
app_instance.due_at | Null | Due date for the issue, if applicable. |
app_instance.entity_snapshot_cloud_platform | Null | Cloud platform associated with the entity snapshot, if applicable. Example: null |
app_instance.entity_snapshot_id | String | Unique identifier for the entity snapshot. Example: afbe8836-fe9d-54b1-a224-b7c2e6edc568 |
app_instance.entity_snapshot_name | String | Name of the entity snapshot. Example: CVE-2021-3129 |
app_instance.entity_snapshot_region | String | Region associated with the entity snapshot. |
app_instance.entity_snapshot_status | Null | Status of the entity snapshot, if applicable. |
app_instance.entity_snapshot_type | String | Type of the entity snapshot. Example: SECURITY_TOOL_FINDING |
app_instance.id | String | Unique identifier for the issue. Example: fffffc5c-2a6d-41d8-865e-68d17270a74f |
app_instance.note | String | Additional notes associated with the issue. |
app_instance.project | Null | Project associated with the issue, if applicable. |
app_instance.service_ticket | Null | Service ticket associated with the issue, if applicable. |
app_instance.severity | String | Severity level of the issue. Example: MEDIUM |
app_instance.status | String | Current status of the issue. Example: RESOLVED |
app_instance.updated_at | String | Timestamp when the issue was last updated. Example: 2024-04-24T19:29:04.460658Z |
Action: Get Report Status
This action retrieves the status and URL of a report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to retrieve the status and URL of a report. | Text | Required | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Object | Contains the report data. |
app_instance.report | Object | Contains the details of the report. |
app_instance.last_run | Object | Details of the last run of the report. Example: { "status": "COMPLETED", "url": "https://..." } |
app_instance.status | String | Status of the last run of the report. Example: COMPLETED |
app_instance.url | String | URL to access the report. |
app_instance.status_code | Integer | HTTP status code of the response. |
Action: Get Users
This action retrieves a list of users available on Wiz.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search | Enter a search term to filter the users. | Text | Optional | |
Assigned Projects | Enter a list of project IDs to filter the users. Example: $JSON[aeef292e-13dd-4c50-992b-bb1dc0734123] | List | Optional | |
Limit | Enter the maximum number of users to retrieve. | Integer | Optional | Default value: 15 |
Offset | Enter the offset for pagination. | Integer | Optional | Default value: 0 |
Action: Get Vulnerability Findings
This action retrieves a list of vulnerability findings.
A vulnerability finding is a specific instance of a vulnerability in a specific asset. This action can also be used to filter the results based on the parameters provided. You should use the vulnerability findings API for small data sets, such as pulling vulnerabilities from a certain date. Returning a large number of vulnerability findings may take up to a week due to the enormous volume of data required. If you want to pull all vulnerability findings, then create a vulnerability report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Status | Enter a list of statuses to filter the vulnerabilities. | List | Optional | Allowed values:
|
Vendor Severity | Enter a list of vendor severities to filter the vulnerabilities. | List | Optional | Allowed values:
|
First Seen Before | Enter a date to filter vulnerabilities by the first time they were detected. | Text | Optional | Allowed format: yyyy-mm-ddthh:mm:ssz |
Last Updated Before | Enter a date to filter vulnerabilities by the time they were last updated. | Text | Optional | Allowed format: yyyy-mm-ddthh:mm:ssz |
Detection Method | Enter a list of detection methods to filter the vulnerabilities. Example: $LIST[os,library] | List | Optional | Allowed values:
|
Asset Status | Enter a list of asset statuses to filter the vulnerabilities. Example: $LIST[active,inactive] | List | Optional | Allowed values:
|
Has Fix | Choose to filter the vulnerabilities with a fix. | Boolean | Optional | |
Has Exploit | Choose to filter the vulnerabilities with an exploit. | Boolean | Optional | |
Has Admin Privileges | Choose to filter the vulnerabilities by the impacted assets with admin privileges. | Boolean | Optional | |
Has High Privileges | Choose to filter the vulnerabilities by the impacted assets with high privileges. | Boolean | Optional | |
Limit | Enter the maximum number of results to retrieve. Example: 50 | Integer | Optional | Default value: 15 |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.CVEDescription | String | The description of the Common Vulnerabilities and Exposures (CVE) found. |
app_instance.CVSSSeverity | String | The severity of the vulnerability according to the Common Vulnerability Scoring System (CVSS). Example: Medium |
app_instance.description | String | The detailed description of the vulnerability, including the affected package, version, detection method, impact score, vendor severity, and remediation steps. |
app_instance.detailedName | String | The detailed name of the vulnerability. |
app_instance.detectionMethod | String | The method used for detecting the vulnerability. |
app_instance.exploitabilityScore | Number | The exploitability score of the vulnerability. |
app_instance.firstDetectedAt | String | The timestamp when the vulnerability was first detected. |
app_instance.fixedVersion | String | The fixed version of the vulnerable package. |
app_instance.hasCisaKevExploit | Boolean | Indicates if the vulnerability has an exploit associated with it. |
app_instance.hasExploit | Boolean | Indicates if the vulnerability has any exploit. |
app_instance.id | String | The unique identifier of the vulnerability. |
app_instance.impactScore | Number | The impact score of the vulnerability. |
app_instance.lastDetectedAt | String | The timestamp when the vulnerability was last detected. |
app_instance.link | String | The link to the official security advisory where the vulnerability is documented. |
app_instance.locationPath | Null | The path of the location where the vulnerability is detected. |
app_instance.name | String | The name of the vulnerability. |
app_instance.portalUrl | String | The URL to the vulnerability findings in the security tool portal. |
app_instance.remediation | String | The remediation steps to fix the vulnerability. |
app_instance.score | Number | The overall score of the vulnerability. |
app_instance.status | String | The status of the vulnerability. |
app_instance.vendorSeverity | String | The severity of the vulnerability according to the vendor. Example: Medium |
app_instance.version | String | The version of the vulnerable package. |
app_instance.vulnerableAsset | Object | The details of the vulnerable asset. |
Action: Rerun Report
This action reruns a report.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Report ID | Enter the report ID to rerun a report. | Text | Required | |
Action: Update Issue
This action updates an issue in a tenant object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Issue ID | Enter the issue ID to update. Example: 123e4567-e89b-12d3-a456-426614174000 | Text | Required | |
Status | Enter the status to update. Example: open | Text | Optional | Allowed values:
|
Note | Enter the note to update the issue. Example: rejecting the issue as it is marked as a false positive | Text | Optional | |
Resolution Status | Enter the resolution status. | Text | Optional | |
Due At | Enter the due date of the issue. | Text | Optional | Allowed format: yyyy-mm-ddthh:mm:ssz |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.extensions | Object | The extensions object containing additional information about the error. |
app_instance.code | String | The error code indicating the type of error occurred. |
app_instance.effectiveScopes | Array | The scopes that are effectively granted to the user. |
app_instance.requiredScopes | Array | The scopes that are required to perform the requested operation. |
app_instance.message | String | The error message describing the access denial and the required permissions. |
app_instance.path | Array | The path indicating the location of the error in the GraphQL request. |
Action: Generic Action
This is a generic action used to make requests to any Wiz endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values:
|
Endpoint | Enter the endpoint to make the request. | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | |