Wiz
Wiz provides direct visibility, risk prioritization, and remediation guidance for development teams to address risks in their infrastructure and applications so they can ship faster and more securely.
Supported Actions and Example Prompts
The following table lists the supported actions and a prompt example for each action:
Action Name | Description | Prompt Example |
---|---|---|
Update Issue | This action updates a specific issue in a tenant object. For more information, see Action: Update Issue. | Update the status of the issue ID 123e4567-e89b-12d3-a456-426614174000 to in progress in Wiz. |
Get Audit Logs | This action retrieves the audit logs available on Wiz. For more information, see Action: Get Audit Logs. | Retrieve the audit logs from Wiz. |
Get Configuration Findings | This action retrieves a list of cloud configuration findings. For more information, see Action: Get Configuration Findings. | Retrieve a list of cloud configuration findings from Wiz. |
Get Vulnerability Findings | This action retrieves a list of vulnerability findings. For more information, see Action: Get Vulnerability Findings. | Retrieve a list of vulnerability findings from Wiz. |
Get Issues | This action retrieves a set of issues found in a tenant object. For more information, see Action: Get Issues. | Retrieve a list of issues from Wiz. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure that you have the API token to authenticate with the Wiz app.
Steps
To install and configure an app, follow these steps:
1. In the application, select Quarterback AI in the left pane.
2. In Apps, select Wiz and click Install.
3. After the app is installed, click Configure and enter the following details to create an instance:
   - Instance Name: Enter a name for the instance.
   - Instance Description: Enter a description for the instance.
   - Expiry: Select an expiry date for the instance.
   - Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
   - Client ID: Enter the client ID to authenticate the client.
   - Secret Key: Enter the secret key to authenticate the client.
   - Base URL: Enter the base URL to access the Wiz application. For example, https://api.region.app.wiz.io.
   - Auth URL: Enter the authentication URL.
   - Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Wiz. You can enter a value between 15 and 120 seconds. The default is 15 seconds.
   - Verify: Select this option to verify the SSL certificate while making requests. It is recommended to select this option to ensure a secure connection. By default, this option is not selected.
4. Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
Action: Update Issue
This action updates an issue in a tenant object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Issue ID | Enter the issue ID to update. Example: 123e4567-e89b-12d3-a456-426614174000 | Text | Required | |
Status | Enter the status to update. Example: open | Text | Optional | Allowed values: |
Note | Enter the note to update the issue. Example: rejecting the issue as it is marked as a false positive | Text | Optional | |
Resolution Status | Enter the resolution status. | Text | Optional | |
Due At | Enter the due date of the issue. | Text | Optional | Allowed format: yyyy-mm-ddThh:mm:ssZ |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.extensions | Object | The extensions object containing additional information about the error. |
app_instance.code | String | The error code indicating the type of error that occurred. |
app_instance.effectiveScopes | Array | The scopes that are effectively granted to the user. |
app_instance.requiredScopes | Array | The scopes that are required to perform the requested operation. |
app_instance.message | String | The error message describing the access denial and the required permissions. |
app_instance.path | Array | The path indicating the location of the error in the GraphQL request. |
Action: Get Audit Logs
This action retrieves the audit logs available on Wiz.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Status | Enter the audit log status to filter the result. Example: $LIST[success,failed] | List | Optional | Allowed values: |
User | Enter users to filter audit logs. Example: $LIST[aeef292e-13dd-4c50-992b-bb1dc0734123] | List | Optional | |
User Type | Enter a user type to filter the audit logs. Example: $LIST[user_account] | List | Optional | Allowed values: |
Before Time | Enter the time to fetch logs before. | Text | Optional | Allowed format: yyyy-mm-dd'T'hh:mm:ss'Z' |
After Time | Enter the time to fetch logs after. | Text | Optional | Allowed format: yyyy-mm-dd'T'hh:mm:ss'Z' |
Search | Enter a search term to filter the logs. Example: ip-12.32.44.5 | Text | Optional | |
Limit | Enter the number of audit logs to retrieve. | Integer | Optional | Default value: 15 |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.extensions | Object | The extensions object containing additional information about the error. |
app_instance.code | String | The error code indicating the type of error that occurred. |
app_instance.effective_scopes | Array | The scopes that are effectively granted to the user. |
app_instance.required_scopes | Array | The scopes that are required to perform the requested operation. |
app_instance.message | String | The error message describing the access denial and the required permissions. |
app_instance.path | Array | The path indicating the location of the error in the GraphQL request. |
Action: Get Configuration Findings
This action retrieves a list of cloud configuration findings.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Finding IDs | Enter a list of finding IDs to filter in the response. Example: $LIST[1239-sdc-123-1239-sdc-124, 1239-sdc-123-1239-sdc-124] | List | Optional | Default value: All findings |
Sources | Enter a list of sources to filter in the response. | List | Optional | Default value: All sources |
Result | Enter a list of scan results to filter in the response. Example: $LIST[fail, pass] | List | Optional | Default value: All results Allowed values: |
Severity | Enter a list of severity levels to filter in the response. Example: $LIST[none, low] | List | Optional | Default value: All severities Allowed values: |
Benchmark | Enter a list of benchmarks to filter in the response. | List | Optional | Default value: All benchmarks |
Has Remediation Instructions | Enter true to return responses that have remediation instructions. | Boolean | Optional | Default value: All responses |
Order by Direction | Enter the direction to order (sort) the results. Example: desc | Text | Optional | Default value: asc Allowed values: |
Order by Field | Enter the field to order the results. Example: id | Text | Optional | Default value: id |
Limit | Enter the number of results to retrieve. Example: 50 | Integer | Optional | Default value: 5 |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.data | Null | The data returned by the response. Example: null |
app_instance.errors | Array | List of errors in the response. Example: [{...}] |
app_instance.extensions_code | String | Error code indicating the type of error. Example: UNAUTHORIZED |
app_instance.effective_scopes | Array | List of scopes the user has. Example: ["read:issues", "read:reports", "read:vulnerabilities", "update:reports", "create:reports"] |
app_instance.required_scopes | Array | List of scopes required to access the resource. Example: ["read:all", "read:cloud_configuration"] |
app_instance.message | String | Error message describing the access issue. Example: access denied, at least one of the following is required: [read:all read:cloud_configuration], your permissions: [read:issues read:reports read:vulnerabilities update:reports create:reports] |
app_instance.path | Array | Path to the resource that caused the error. Example: ["configurationFindings"] |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
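An added example (not part of the original page or the vendor's code) showing how a playbook step could interpret the access-denied response documented above. The table's examples pair status code 200 with an UNAUTHORIZED error code, so the check reads the errors array instead of the HTTP status and names the narrowest scope that would resolve the denial. The JSON nesting and the function names `is_success` and `scope_gaps` are assumptions.

```python
import json

# Constructed sample built from the example values in the table above.
# The nesting (errors[].extensions) is an assumption, not taken from the page.
SAMPLE_RESPONSE = json.loads("""
{
  "data": null,
  "status_code": 200,
  "errors": [{
    "message": "access denied, at least one of the following is required: [read:all read:cloud_configuration], your permissions: [read:issues read:reports read:vulnerabilities update:reports create:reports]",
    "path": ["configurationFindings"],
    "extensions": {
      "code": "UNAUTHORIZED",
      "effective_scopes": ["read:issues", "read:reports", "read:vulnerabilities", "update:reports", "create:reports"],
      "required_scopes": ["read:all", "read:cloud_configuration"]
    }
  }]
}
""")


def is_success(response):
    """A 200 status is not enough: require data and no errors array."""
    return response.get("data") is not None and not response.get("errors")


def scope_gaps(response):
    """Return one entry per UNAUTHORIZED error with the scopes that would fix it."""
    gaps = []
    for err in response.get("errors") or []:
        ext = err.get("extensions") or {}
        if ext.get("code") != "UNAUTHORIZED":
            continue
        have = set(ext.get("effective_scopes") or [])
        need = list(ext.get("required_scopes") or [])
        # "at least one of the following is required": one matching scope suffices.
        if have.intersection(need):
            continue
        # Least privilege: offer resource-specific scopes before a broad ":all" one.
        # Treating ":all" as the broad scope is an assumption of this example.
        narrow = [s for s in need if not s.endswith(":all")]
        gaps.append({
            "path": ".".join(str(p) for p in err.get("path") or []),
            "grant_one_of": narrow or need,
        })
    return gaps


if __name__ == "__main__":
    print(is_success(SAMPLE_RESPONSE), scope_gaps(SAMPLE_RESPONSE))
```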
Action: Get Vulnerability Findings
This action retrieves a list of vulnerability findings in Wiz.
A vulnerability finding is a specific instance of a vulnerability in a specific asset. This action can also filter the results based on the parameters provided. Use the vulnerability findings API for small data sets, such as pulling vulnerabilities from a certain date. Returning a large number of vulnerability findings may take up to a week because of the volume of data involved. If you want to pull all vulnerability findings, create a vulnerability report instead.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Status | Enter a list of statuses to filter the vulnerabilities. Note: You must pass the status or statuses as a list. Example: $LIST[OPEN, RESOLVED] | List | Optional | Allowed values: |
Vendor Severity | Enter a list of vendor severities to filter the vulnerabilities. Example: $LIST[HIGH] | List | Optional | Allowed values: |
First Seen At | Enter a date to filter vulnerabilities by the first time they were detected. Example: 2025-03-14T10:30:00Z | Text | Optional | Allowed format: yyyy-mm-ddThh:mm:ssZ |
Last Updated Before | Enter a date to filter vulnerabilities by the time they were last updated. Example: 2025-05-14T10:30:00Z | Text | Optional | Allowed format: yyyy-mm-ddThh:mm:ssZ |
Detection Method | Enter a list of detection methods to filter the vulnerabilities. Example: $LIST[OS,LIBRARY] | List | Optional | Allowed values: |
Asset Status | Enter a list of asset statuses to filter the vulnerabilities. Example: $LIST[Active,Inactive] | List | Optional | Allowed values: |
Has Fix | Choose to filter the vulnerabilities with a fix. | Boolean | Optional | Default value: True Allowed values: |
Has Exploit | Choose to filter the vulnerabilities with an exploit. | Boolean | Optional | Default value: True Allowed values: |
Has Admin Privileges | Choose to filter the vulnerabilities by the impacted assets with admin privileges. | Boolean | Optional | Default value: False Allowed values: |
Has High Privileges | Choose to filter the vulnerabilities by the impacted assets with high privileges. | Boolean | Optional | Default value: False Allowed values: |
Limit | Enter the maximum number of results to retrieve. Example: 50 | Integer | Optional | Default value: 15 |
Vulnerability ID | Enter the list of vulnerability IDs to fetch. Example: $LIST[fa2bda25-8116-5a55-bb46-9a3dc1053b62] | List | Optional | |
Vulnerability External ID | Enter the list of external IDs of vulnerabilities. Example: $LIST[EOL-CLOUD-SERVICE] | List | Optional | Allowed values: EOL-CLOUD-SERVICE, EOL-OPERATING-SYSTEM, EOL-TECHNOLOGY, or CVE or CWE ID |
Asset ID | Enter the list of asset IDs. Example: $LIST[e1ceded0-c62c-52f7-892f-f2d9462f846d] | List | Optional | |
Additional Parameters | Enter any additional parameters to pass to the API. Example: {cloudPlatforms : $LIST[Alibaba]} | Key value | Optional | |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.CVEDescription | String | The description of the Common Vulnerabilities and Exposures (CVE) found. |
app_instance.CVSSSeverity | String | The severity of the vulnerability according to the Common Vulnerability Scoring System (CVSS). Example: Medium |
app_instance.description | String | The detailed description of the vulnerability, including the affected package, version, detection method, impact score, vendor severity, and remediation steps. |
app_instance.detailedName | String | The detailed name of the vulnerability. |
app_instance.detectionMethod | String | The method used for detecting the vulnerability. |
app_instance.exploitabilityScore | Number | The exploitability score of the vulnerability. |
app_instance.firstDetectedAt | String | The timestamp when the vulnerability was first detected. |
app_instance.fixedVersion | String | The fixed version of the vulnerable package. |
app_instance.hasCisaKevExploit | Boolean | Indicates if the vulnerability has an exploit associated with it. |
app_instance.hasExploit | Boolean | Indicates if the vulnerability has any exploit. |
app_instance.id | String | The unique identifier of the vulnerability. |
app_instance.impactScore | Number | The impact score of the vulnerability. |
app_instance.lastDetectedAt | String | The timestamp when the vulnerability was last detected. |
app_instance.link | String | The link to the official security advisory where the vulnerability is documented. |
app_instance.locationPath | Null | The path of the location where the vulnerability is detected. |
app_instance.name | String | The name of the vulnerability. |
app_instance.portalUrl | String | The URL to the vulnerability findings in the security tool portal. |
app_instance.remediation | String | The remediation steps to fix the vulnerability. |
app_instance.score | Number | The overall score of the vulnerability. |
app_instance.status | String | The status of the vulnerability. |
app_instance.vendorSeverity | String | The severity of the vulnerability, according to the vendor. Example: Medium |
app_instance.version | String | The version of the vulnerable package. |
app_instance.vulnerableAsset | Object | The details of the vulnerable asset. |
Action: Get Issues
This action retrieves the issues found in a tenant object.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Issue ID | Enter an issue ID to filter the response. | Text | Optional | Default value: All Issues |
Search | Enter a search term to filter in the title of the issues. | Text | Optional | Default value: All Issues |
Framework Category | Enter a list of framework categories to filter in the response. | List | Optional | Default value: All Framework Categories |
Stack Layer | Enter a list of stack layers to filter in the response. | List | Optional | Default value: All Stack Layers Allowed values: |
Project | Enter a list of project IDs to filter in the response. Example: $LIST[123e4567-e89b-12d3-a456-426614174000] | List | Optional | Default value: All Projects |
Severity | Enter a list of severity levels to filter in the response. | List | Optional | Default value: All Severities Allowed values: |
Status | Enter a list of issue statuses to filter the response. | List | Optional | Default value: All Statuses Allowed values: |
Cloud Platform | Enter a list of cloud platforms to filter in the response. | List | Optional | Default value: All Platforms Allowed values: |
Created Before | Enter a date to filter issues created before this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddThh:mm:ssZ |
Created After | Enter a date to filter issues created after this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddThh:mm:ssZ |
Resolved Before | Enter a date to filter issues resolved before this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddThh:mm:ssZ |
Resolved After | Enter a date to filter issues resolved after this date. | Text | Optional | Default value: All Issues Allowed format: yyyy-mm-ddThh:mm:ssZ |
Limit | Enter the response limit. Example: 50 | Integer | Optional | Default value: 15 |
Order By Direction | Enter the direction to order (sort) the results. Example: asc | Text | Optional | Default value: asc Allowed values: |
Order By Field | Enter the field to order the results. Example: id | Text | Optional | Default value: id |
Example Request
[ { "limit": "15" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
app_instance | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.control_id | String | Unique identifier for the control. Example: 4144c5de-c2aa-43e0-a0b7-fe7c43324d80 |
app_instance.control_name | String | Name of the control. Example: Findings with Critical Severity Vulnerabilities |
app_instance.created_at | String | Timestamp when the issue was created. Example: 2024-04-16T16:40:20.698327Z |
app_instance.due_at | Null | Due date for the issue, if applicable. |
app_instance.entity_snapshot_cloud_platform | Null | Cloud platform associated with the entity snapshot, if applicable. Example: null |
app_instance.entity_snapshot_id | String | Unique identifier for the entity snapshot. Example: afbe8836-fe9d-54b1-a224-b7c2e6edc568 |
app_instance.entity_snapshot_name | String | Name of the entity snapshot. Example: CVE-2021-3129 |
app_instance.entity_snapshot_region | String | Region associated with the entity snapshot. |
app_instance.entity_snapshot_status | Null | Status of the entity snapshot, if applicable. |
app_instance.entity_snapshot_type | String | Type of the entity snapshot. Example: SECURITY_TOOL_FINDING |
app_instance.id | String | Unique identifier for the issue. Example: fffffc5c-2a6d-41d8-865e-68d17270a74f |
app_instance.note | String | Additional notes associated with the issue. |
app_instance.project | Null | Project associated with the issue, if applicable. |
app_instance.service_ticket | Null | Service ticket associated with the issue, if applicable. |
app_instance.severity | String | Severity level of the issue. Example: MEDIUM |
app_instance.status | String | Current status of the issue. Example: RESOLVED |
app_instance.updated_at | String | Timestamp when the issue was last updated. Example: 2024-04-24T19:29:04.460658Z |