Quarterback AI

Wiz

Wiz provides direct visibility, risk prioritization, and remediation guidance for development teams to address risks in their infrastructure and applications so they can ship faster and more securely.

Supported Actions and Example Prompts

The following table lists the supported actions and an example prompt for each action:

| Action Name | Description | Prompt Example |
| --- | --- | --- |
| Update Issue | This action updates a specific issue in a tenant object. For more information, see Action: Update Issue. | Update the status of the issue ID 123e4567-e89b-12d3-a456-426614174000 to in progress in Wiz. |
| Get Audit Logs | This action retrieves the audit logs available on Wiz. For more information, see Action: Get Audit Logs. | Retrieve the audit logs from Wiz. |
| Get Configuration Findings | This action retrieves a list of cloud configuration findings. For more information, see Action: Get Configuration Findings. | Retrieve a list of cloud configuration findings from Wiz. |
| Get Vulnerability Findings | This action retrieves a list of vulnerability findings. For more information, see Action: Get Vulnerability Findings. | Retrieve a list of vulnerability findings from Wiz. |
| Get Issues | This action retrieves a set of issues found in a tenant object. For more information, see Action: Get Issues. | Retrieve a list of issues from Wiz. |

Install and Configure the App

Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.

Before you Start

Ensure that you have the API token to authenticate with the Wiz app.

Steps

To install and configure an app, follow these steps:

  1. Go to the application and, in the left pane, select Quarterback AI.

  2. In Apps, select Wiz and click Install.

  3. After the app is installed, click Configure and enter the following details to create an instance:

    • Instance Name: Enter a name for the instance.

    • Instance Description: Enter a description for the instance.

    • Expiry: Select an expiry date for the instance.

    • Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.

    • Client ID: Enter the client ID to authenticate the client.

    • Secret Key: Enter the secret key to authenticate the client.

    • Base URL: Enter the base URL to access the Wiz application. For example, https://api.region.app.wiz.io.

    • Auth URL: Enter the authentication URL.

    • Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with AbuseIPDB. You can enter a value between 15 and 120 seconds. The default is 15 seconds.

    • Verify: Select this option to verify the server's SSL/TLS certificate while making requests. It is recommended to select this option to ensure a secure connection: without verification, the client ID and secret key can be sent to an endpoint whose identity has not been checked. By default, this option is not selected.

  4. Click Done.

The instance is created, and you can view it in Instances. To create another instance, click Add Instance.

Action: Update Issue

This action updates an issue in a tenant object.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Issue ID | Enter the issue ID to update. Example: 123e4567-e89b-12d3-a456-426614174000 | Text | Required | |
| Status | Enter the status to update. Example: open | Text | Optional | Allowed values: open, in_progress, rejected |
| Note | Enter the note to update the issue. Example: rejecting the issue as it is marked as a false positive | Text | Optional | |
| Resolution Status | Enter the resolution status. | Text | Optional | |
| Due At | Enter the due date of the issue. | Text | Optional | Allowed format: yyyy-mm-ddthh:mm:ssz |

Action Response Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| {app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| app_instance.extensions | Object | The extensions object containing additional information about the error. |
| app_instance.code | String | The error code indicating the type of error that occurred. |
| app_instance.effectiveScopes | Array | The scopes that are effectively granted to the user. |
| app_instance.requiredScopes | Array | The scopes that are required to perform the requested operation. |
| app_instance.message | String | The error message describing the access denial and the required permissions. |
| app_instance.path | Array | The path indicating the location of the error in the GraphQL request. |

Action: Get Audit Logs

This action retrieves the audit logs available on Wiz.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Status | Enter the audit log status to filter the result. Example: $LIST[success,failed] | List | Optional | Allowed values: success, failed, invalid, access_denied |
| User | Enter users to filter audit logs. Example: $LIST[aeef292e-13dd-4c50-992b-bb1dc0734123] | List | Optional | |
| User Type | Enter a user type to filter the audit logs. Example: $LIST[user_account] | List | Optional | Allowed values: user_account, service_account |
| Before Time | Enter the time to fetch logs before. | Text | Optional | Allowed format: yyyy-mm-dd't'hh:mm:ss'z' |
| After Time | Enter the time to fetch logs after. | Text | Optional | Allowed format: yyyy-mm-dd't'hh:mm:ss'z' |
| Search | Enter a search term to filter the logs. Example: ip-12.32.44.5 | Text | Optional | |
| Limit | Enter the number of audit logs to retrieve. | Integer | Optional | Default value: 15 |

Action Response Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| {app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| app_instance.extensions | Object | The extensions object containing additional information about the error. |
| app_instance.code | String | The error code indicating the type of error that occurred. |
| app_instance.effective_scopes | Array | The scopes that are effectively granted to the user. |
| app_instance.required_scopes | Array | The scopes that are required to perform the requested operation. |
| app_instance.message | String | The error message describing the access denial and the required permissions. |
| app_instance.path | Array | The path indicating the location of the error in the GraphQL request. |

Action: Get Configuration Findings

This action retrieves a list of cloud configuration findings.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Finding IDs | Enter a list of finding IDs to filter in the response. Example: $LIST[1239-sdc-123-1239-sdc-124, 1239-sdc-123-1239-sdc-124] | List | Optional | Default value: All findings |
| Sources | Enter a list of sources to filter in the response. | List | Optional | Default value: All sources |
| Result | Enter a list of scan results to filter in the response. Example: $LIST[fail, pass] | List | Optional | Default value: All results. Allowed values: fail, pass, error, not_assessed |
| Severity | Enter a list of severity levels to filter in the response. Example: $LIST[none, low] | List | Optional | Default value: All severities. Allowed values: none, low, medium, high, critical |
| Benchmark | Enter a list of benchmarks to filter in the response. | List | Optional | Default value: All benchmarks |
| Has Remediation Instructions | Enter true to return responses that have remediation instructions. | Boolean | Optional | Default value: All responses |
| Order by Direction | Enter the direction to order (sort) the results. Example: desc | Text | Optional | Default value: asc. Allowed values: asc, desc |
| Order by Field | Enter the field to order the results. Example: id | Text | Optional | Default value: id |
| Limit | Enter the number of results to retrieve. Example: 50 | Integer | Optional | Default value: 5 |

Action Response Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| {app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| app_instance.data | Null | The data returned by the response. Example: null |
| app_instance.errors | Array | List of errors in the response. Example: [{...}] |
| app_instance.extensions_code | String | Error code indicating the type of error. Example: UNAUTHORIZED |
| app_instance.effective_scopes | Array | List of scopes the user has. Example: ["read:issues", "read:reports", "read:vulnerabilities", "update:reports", "create:reports"] |
| app_instance.required_scopes | Array | List of scopes required to access the resource. Example: ["read:all", "read:cloud_configuration"] |
| app_instance.message | String | Error message describing the access issue. Example: access denied, at least one of the following is required: [read:all read:cloud_configuration], your permissions: [read:issues read:reports read:vulnerabilities update:reports create:reports] |
| app_instance.path | Array | Path to the resource that caused the error. Example: ["configurationFindings"] |
| app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
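The error fields above are enough to work out the smallest scope change that unblocks an action. The following Python sketch is an added example, not code from Wiz or Quarterback AI: it reads an access-denied response and reports which narrow scope to grant. The nesting of `extensions` under each entry of `errors` and the rule that a scope ending in `:all` is the broad one are assumptions; the sample values are the page's own examples.

```python
import json

# Constructed sample: field names and values are the examples documented above;
# the errors[].extensions nesting is an assumed GraphQL-style layout.
SAMPLE_RESPONSE = json.loads("""
{
  "data": null,
  "status_code": 200,
  "errors": [{
    "message": "access denied, at least one of the following is required: [read:all read:cloud_configuration], your permissions: [read:issues read:reports read:vulnerabilities update:reports create:reports]",
    "path": ["configurationFindings"],
    "extensions": {
      "code": "UNAUTHORIZED",
      "effectiveScopes": ["read:issues", "read:reports", "read:vulnerabilities", "update:reports", "create:reports"],
      "requiredScopes": ["read:all", "read:cloud_configuration"]
    }
  }]
}
""")


def scope_list(ext, camel, snake):
    """Read a scope list under either spelling used in the response tables."""
    return set(ext.get(camel) or ext.get(snake) or [])


def scope_gaps(response):
    """Return one record per authorization error, naming the narrowest fix.

    The HTTP status is ignored on purpose: the documented example pairs
    status_code 200 with an UNAUTHORIZED error, so only `errors` is reliable.
    """
    gaps = []
    for err in response.get("errors") or []:
        ext = err.get("extensions") or {}
        if ext.get("code") != "UNAUTHORIZED":
            continue
        required = scope_list(ext, "requiredScopes", "required_scopes")
        effective = scope_list(ext, "effectiveScopes", "effective_scopes")
        if required & effective:
            continue  # "at least one of" is already satisfied
        # Assumption: a scope ending in ":all" is the broad grant to avoid.
        narrow = sorted(s for s in required if not s.endswith(":all"))
        gaps.append({
            "operation": ".".join(str(p) for p in err.get("path") or []),
            "grant_one_of": narrow or sorted(required),
            "broad_alternatives": sorted(required - set(narrow)) if narrow else [],
            "currently_granted": sorted(effective),
        })
    return gaps


if __name__ == "__main__":
    for gap in scope_gaps(SAMPLE_RESPONSE):
        print(json.dumps(gap, indent=2))
```

For the sample, the result names `read:cloud_configuration` as the scope to add to the service account and lists `read:all` only as the broad alternative.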

Action: Get Vulnerability Findings

This action retrieves a list of vulnerability findings in Wiz.

A vulnerability finding is a specific instance of a vulnerability in a specific asset. This action can also be used to filter the results based on the parameters provided. You should use the vulnerability findings API for small data sets, such as pulling vulnerabilities from a certain date. Returning a large number of vulnerability findings may take up to a week due to the enormous volume of data required. If you want to pull all vulnerability findings, then create a vulnerability report.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Status | Enter a list of statuses to filter the vulnerabilities. Note: You must pass the status or statuses as a list. Example: $LIST[OPEN, RESOLVED] | List | Optional | Allowed values: OPEN, RESOLVED, REJECTED |
| Vendor Severity | Enter a list of vendor severities to filter the vulnerabilities. Example: $LIST[HIGH] | List | Optional | Allowed values: NONE, LOW, MEDIUM, HIGH, CRITICAL |
| First Seen At | Enter a date to filter vulnerabilities by the first time they were detected. Example: 2025-03-14T10:30:00Z | Text | Optional | Allowed format: yyyy-mm-ddthh:mm:ssz |
| Last Updated Before | Enter a date to filter vulnerabilities by the time they were last updated. Example: 2025-05-14T10:30:00Z | Text | Optional | Allowed format: yyyy-mm-ddthh:mm:ssz |
| Detection Method | Enter a list of detection methods to filter the vulnerabilities. Example: $LIST[OS,LIBRARY] | List | Optional | Allowed values: PACKAGE, DEFAULT_PACKAGE, LIBRARY, OS, INSTALLED_PROGRAM, INSTALLED_PROGRAM_BY_SERVICE, FILE_PATH |
| Asset Status | Enter a list of asset statuses to filter the vulnerabilities. Example: $LIST[Active,Inactive] | List | Optional | Allowed values: Active, Inactive, Error |
| Has Fix | Choose to filter the vulnerabilities with a fix. | Boolean | Optional | Allowed values: True, False. Default value: True |
| Has Exploit | Choose to filter the vulnerabilities with an exploit. | Boolean | Optional | Allowed values: True, False. Default value: True |
| Has Admin Privileges | Choose to filter the vulnerabilities by the impacted assets with admin privileges. | Boolean | Optional | Allowed values: True, False. Default value: False |
| Has High Privileges | Choose to filter the vulnerabilities by the impacted assets with high privileges. | Boolean | Optional | Allowed values: True, False. Default value: False |
| Limit | Enter the maximum number of results to retrieve. Example: 50 | Integer | Optional | Default value: 15 |
| Vulnerability ID | Enter the list of vulnerability IDs to fetch. Example: $LIST[fa2bda25-8116-5a55-bb46-9a3dc1053b62] | List | Optional | |
| Vulnerability External ID | Enter the list of external IDs of vulnerabilities. Example: $LIST[EOL-CLOUD-SERVICE] | List | Optional | Allowed values: EOL-CLOUD-SERVICE, EOL-OPERATING-SYSTEM, EOL-TECHNOLOGY, or CVE or CWE ID |
| Asset ID | Enter the list of asset IDs. Example: $LIST[e1ceded0-c62c-52f7-892f-f2d9462f846d] | List | Optional | |
| Additional Parameters | Enter any additional parameters to pass to the API. Example: {cloudPlatforms : $LIST[Alibaba]} | Key value | Optional | |

Action Response Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| {app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| app_instance.CVEDescription | String | The description of the Common Vulnerabilities and Exposures (CVE) found. |
| app_instance.CVSSSeverity | String | The severity of the vulnerability according to the Common Vulnerability Scoring System (CVSS). Example: Medium |
| app_instance.description | String | The detailed description of the vulnerability, including the affected package, version, detection method, impact score, vendor severity, and remediation steps. |
| app_instance.detailedName | String | The detailed name of the vulnerability. |
| app_instance.detectionMethod | String | The method used for detecting the vulnerability. |
| app_instance.exploitabilityScore | Number | The exploitability score of the vulnerability. |
| app_instance.firstDetectedAt | String | The timestamp when the vulnerability was first detected. |
| app_instance.fixedVersion | String | The fixed version of the vulnerable package. |
| app_instance.hasCisaKevExploit | Boolean | Indicates if the vulnerability has an exploit listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. |
| app_instance.hasExploit | Boolean | Indicates if the vulnerability has any exploit. |
| app_instance.id | String | The unique identifier of the vulnerability. |
| app_instance.impactScore | Number | The impact score of the vulnerability. |
| app_instance.lastDetectedAt | String | The timestamp when the vulnerability was last detected. |
| app_instance.link | String | The link to the official security advisory where the vulnerability is documented. |
| app_instance.locationPath | Null | The path of the location where the vulnerability is detected. |
| app_instance.name | String | The name of the vulnerability. |
| app_instance.portalUrl | String | The URL to the vulnerability findings in the security tool portal. |
| app_instance.remediation | String | The remediation steps to fix the vulnerability. |
| app_instance.score | Number | The overall score of the vulnerability. |
| app_instance.status | String | The status of the vulnerability. |
| app_instance.vendorSeverity | String | The severity of the vulnerability, according to the vendor. Example: Medium |
| app_instance.version | String | The version of the vulnerable package. |
| app_instance.vulnerableAsset | Object | The details of the vulnerable asset. |
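Because this action is meant for small result sets, the findings it returns can be ordered for triage directly from the response fields above. The following Python sketch is an added example, not code from Wiz or Quarterback AI. The sample records and their values are constructed, and the ordering policy (KEV-listed first, then any exploit, then vendor severity, then score) is an assumption to adapt to your own risk model.

```python
# Constructed sample records using the response fields documented above;
# every value here is invented for illustration.
SAMPLE_FINDINGS = [
    {"id": "f-1", "name": "example-vuln-a", "status": "OPEN", "vendorSeverity": "Medium",
     "score": 5.3, "hasExploit": False, "hasCisaKevExploit": False, "fixedVersion": "2.4.1"},
    {"id": "f-2", "name": "example-vuln-b", "status": "OPEN", "vendorSeverity": "HIGH",
     "score": 7.5, "hasExploit": True, "hasCisaKevExploit": True, "fixedVersion": None},
    {"id": "f-3", "name": "example-vuln-c", "status": "OPEN", "vendorSeverity": "Critical",
     "score": 9.8, "hasExploit": True, "hasCisaKevExploit": False, "fixedVersion": "1.0.9"},
    {"id": "f-4", "name": "example-vuln-d", "status": "RESOLVED", "vendorSeverity": "CRITICAL",
     "score": 9.9, "hasExploit": True, "hasCisaKevExploit": True, "fixedVersion": "3.2"},
    {"id": "f-5", "name": "example-vuln-e", "status": "OPEN", "vendorSeverity": None,
     "score": None, "hasExploit": None, "hasCisaKevExploit": None, "fixedVersion": None},
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}


def severity_rank(finding):
    # Normalise case: the filter values are upper-case, the response example is "Medium".
    return SEVERITY_RANK.get(str(finding.get("vendorSeverity") or "").upper(), 0)


def triage(findings):
    """Order OPEN findings: KEV-listed, then any exploit, then severity, then score."""
    open_findings = [f for f in findings if str(f.get("status") or "").upper() == "OPEN"]

    def key(f):
        # Missing or null flags and scores sort as "no exploit" and 0.
        return (not f.get("hasCisaKevExploit"), not f.get("hasExploit"),
                -severity_rank(f), -(f.get("score") or 0))

    ranked = []
    for f in sorted(open_findings, key=key):
        if f.get("hasCisaKevExploit"):
            reason = "known exploited (KEV)"
        elif f.get("hasExploit"):
            reason = "exploit available"
        else:
            reason = "no known exploit"
        fixed = f.get("fixedVersion")
        ranked.append({
            "id": f.get("id"),
            "reason": reason,
            "action": f"upgrade to {fixed}" if fixed else "no fixed version: mitigate or isolate",
        })
    return ranked


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```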

Action: Get Issues

This action retrieves the issues found in a tenant object.

Action Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Issue ID | Enter an issue ID to filter the response. | Text | Optional | Default value: All Issues |
| Search | Enter a search term to filter in the title of the issues. | Text | Optional | Default value: All Issues |
| Framework Category | Enter a list of framework categories to filter in the response. | List | Optional | Default value: All Framework Categories |
| Stack Layer | Enter a list of stack layers to filter in the response. | List | Optional | Default value: All Stack Layers. Allowed values: application_and_data, ci_cd, security_and_identity, compute_platforms, code, cloud_entitlements |
| Project | Enter a list of project IDs to filter in the response. Example: $LIST[123e4567-e89b-12d3-a456-426614174000] | List | Optional | Default value: All Projects |
| Severity | Enter a list of severity levels to filter in the response. | List | Optional | Default value: All Severities. Allowed values: none, low, medium, high, critical |
| Status | Enter a list of issue statuses to filter the response. | List | Optional | Default value: All Statuses. Allowed values: open, in-progress, resolved, rejected |
| Cloud Platform | Enter a list of cloud platforms to filter in the response. | List | Optional | Default value: All Platforms. Allowed values: gcp, aws, azure, oci, alibaba, vsphere, aks, eks, gke, kubernetes, openshift, oke |
| Created Before | Enter a date to filter issues created before this date. | Text | Optional | Default value: All Issues. Allowed format: yyyy-mm-ddthh:mm:ssz |
| Created After | Enter a date to filter issues created after this date. | Text | Optional | Default value: All Issues. Allowed format: yyyy-mm-ddthh:mm:ssz |
| Resolved Before | Enter a date to filter issues resolved before this date. | Text | Optional | Default value: All Issues. Allowed format: yyyy-mm-ddthh:mm:ssz |
| Resolved After | Enter a date to filter issues resolved after this date. | Text | Optional | Default value: All Issues. Allowed format: yyyy-mm-ddthh:mm:ssz |
| Limit | Enter the response limit. Example: 50 | Integer | Optional | Default value: 15 |
| Order By Direction | Enter the direction to order (sort) the results. Example: asc | Text | Optional | Default value: asc. Allowed values: asc, desc |
| Order By Field | Enter the field to order the results. Example: id | Text | Optional | Default value: id |

Example Request 

[
  {
    "limit": "15"
  }
]

Action Response Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| app_instance | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| app_instance.control_id | String | Unique identifier for the control. Example: 4144c5de-c2aa-43e0-a0b7-fe7c43324d80 |
| app_instance.control_name | String | Name of the control. Example: Findings with Critical Severity Vulnerabilities |
| app_instance.created_at | String | Timestamp when the issue was created. Example: 2024-04-16T16:40:20.698327Z |
| app_instance.due_at | Null | Due date for the issue, if applicable. |
| app_instance.entity_snapshot_cloud_platform | Null | Cloud platform associated with the entity snapshot, if applicable. Example: null |
| app_instance.entity_snapshot_id | String | Unique identifier for the entity snapshot. Example: afbe8836-fe9d-54b1-a224-b7c2e6edc568 |
| app_instance.entity_snapshot_name | String | Name of the entity snapshot. Example: CVE-2021-3129 |
| app_instance.entity_snapshot_region | String | Region associated with the entity snapshot. |
| app_instance.entity_snapshot_status | Null | Status of the entity snapshot, if applicable. |
| app_instance.entity_snapshot_type | String | Type of the entity snapshot. Example: SECURITY_TOOL_FINDING |
| app_instance.id | String | Unique identifier for the issue. Example: fffffc5c-2a6d-41d8-865e-68d17270a74f |
| app_instance.note | String | Additional notes associated with the issue. |
| app_instance.project | Null | Project associated with the issue, if applicable. |
| app_instance.service_ticket | Null | Service ticket associated with the issue, if applicable. |
| app_instance.severity | String | Severity level of the issue. Example: MEDIUM |
| app_instance.status | String | Current status of the issue. Example: RESOLVED |
| app_instance.updated_at | String | Timestamp when the issue was last updated. Example: 2024-04-24T19:29:04.460658Z |