Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Wiz Events | ✅ | ✅ | | | wiz_events | NDJSON | Webhook
Wiz EKS Runtime Log | ✅ | | | | wiz_eks_runtime_logs | NDJSON | S3
Overview
Wiz is a cloud security platform designed to help organizations secure their cloud environments by providing visibility, risk management, and compliance monitoring. It offers continuous scanning of cloud infrastructure to detect vulnerabilities, misconfigurations, and security risks across services such as AWS, Azure, and Google Cloud. Wiz provides real-time risk assessments, highlighting threats in areas like data exposure, access control, and misconfigured services. By offering deep security insights and automation, Wiz helps businesses identify and remediate risks, ensuring their cloud infrastructure is secure and compliant with industry standards.
Supported data types
Wiz Events
Note: Connecting this data type requires the involvement of Hunters Support.
Overview
Table name: wiz_events
Wiz event logs are an integral part of the platform, capturing detailed information about security events, configuration changes, and user activities within cloud environments. These logs offer valuable insights into potential security risks, misconfigurations, and compliance violations, enabling organizations to proactively identify and remediate issues to enhance their overall security posture.
Send data to Hunters
Hunters supports the collection of logs from Wiz using a webhook. The webhook is created by Hunters. Once Hunters has created the webhook, we will share the following details:
URL
Bearer Authorization Key
To connect Wiz Events:
Contact Hunters support to retrieve the URL and Bearer Authorization Key.
Once you receive this information, log into your Wiz account and navigate to New Automation Action.
Supply the relevant details:
Action - Call a webhook
Authentication - Token
Token (Supplied by Hunters). Example:
ab830751cbdf4fe9a20f3b46af0ebb40c91099b121e842fe8438c6d01d80fe0b
URL (Supplied by Hunters). Example:
https://sampledomain.execute-api.us-west-2.amazonaws.com/webhook/v1/e96b2531-de2c-442a-9d85-912165eff354
Configure a rule in Wiz that sends Issues to the webhook for the Created, Opened, Closed and Reopened triggers.
Complete the process on the Hunters platform, following this guide.
Expected format
The logs are expected to be in JSON format, one event object per line (NDJSON), as in this example:
{"trigger": {"source": "ISSUE", "type": "Created", "ruleId": "dddddddd-1260-1260-1260-dddddddd", "ruleName": "hunters-rule", "updatedFields": " status field was changed from <nil> to OPEN, severity field was changed from <nil> to HIGH, ", "changedBy": "Wiz"}, "issue": {"id": "aaaaaaaaa-6767-6767-6767-aaaaaaaaa", "status": "OPEN", "severity": "HIGH", "created": "2022-08-03T05:34:44.000000Z", "projects": "AWS Prod related accounts, all aws accts, "}, "resource": {"id": "arn:aws:ec2:us-east-1:88888888:instance/i-88888888", "name": "Builder", "type": "virtualMachine", "cloudPlatform": "AWS", "subscriptionId": "888888888", "subscriptionName": "888888888 AWS 888888888", "region": "us-east-1", "status": "Active", "cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-888888888"}, "control": {"id": "wc-id-888888888", "name": "Critical/High severity network vulnerability with a known exploit was detected on a publicly exposed VM instance", "description": "This VM has Critical/High severity vulnerabilities with known and public exploits and is remotely exploitable. Furthermore, this VM is also widely exposed to the internet. This might allow an attacker to compromise the affected instance in your environment remotely exfiltrating data or disrupting workflows. All these factors make this a Critical severity Issue.", "severity": "HIGH"}}
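As an added example (not Hunters or Wiz code), the following Python shows what a receiver for this webhook has to do with the details above: check the bearer token that Hunters issues, read the NDJSON body, keep only the Issue trigger types the Wiz rule is configured to send, and flatten each event into the fields a wiz_events row needs. The token, the event values and the `handle_webhook` function are constructed for the example.

```python
import hmac
import json

# Trigger types the Wiz rule is configured to send (see the steps above); others are dropped.
EXPECTED_TRIGGER_TYPES = {"Created", "Opened", "Closed", "Reopened"}

# Constructed sample: a token shaped like the one Hunters supplies, and an NDJSON
# body with one expected "Created" event and one event of an unexpected type.
SAMPLE_TOKEN = "0" * 64
SAMPLE_BODY = "\n".join(json.dumps(e) for e in [
    {"trigger": {"source": "ISSUE", "type": "Created", "ruleName": "hunters-rule"},
     "issue": {"id": "issue-0001", "status": "OPEN", "severity": "HIGH",
               "created": "2022-08-03T05:34:44.000000Z"},
     "resource": {"id": "arn:aws:ec2:us-east-1:111111111111:instance/i-0123",
                  "type": "virtualMachine", "cloudPlatform": "AWS"},
     "control": {"name": "Publicly exposed VM with exploitable vulnerability"}},
    {"trigger": {"source": "ISSUE", "type": "Updated"}, "issue": {}},
])


def authorize(headers: dict, expected_token: str) -> bool:
    """Accept only 'Authorization: Bearer <token>' carrying the token Hunters issued."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    # Constant-time comparison: a wrong token must not leak how many bytes matched.
    return hmac.compare_digest(token, expected_token)


def parse_wiz_events(body: str) -> list:
    """Flatten each NDJSON line into the fields a wiz_events row needs."""
    records = []
    for line in filter(str.strip, body.splitlines()):
        evt = json.loads(line)
        trig, issue, res, ctl = (evt.get(k, {}) for k in ("trigger", "issue", "resource", "control"))
        if trig.get("source") != "ISSUE" or trig.get("type") not in EXPECTED_TRIGGER_TYPES:
            continue
        records.append({"trigger_type": trig["type"], "issue_id": issue.get("id"),
                        "status": issue.get("status"), "severity": issue.get("severity"),
                        "created": issue.get("created"), "resource_id": res.get("id"),
                        "resource_type": res.get("type"), "control_name": ctl.get("name")})
    return records


def handle_webhook(headers: dict, body: str, expected_token: str) -> tuple:
    """Return (HTTP status, records): 401 for a bad token, 400 for a malformed body."""
    if not authorize(headers, expected_token):
        return 401, []
    try:
        return 200, parse_wiz_events(body)
    except (json.JSONDecodeError, AttributeError):
        return 400, []
```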
Wiz EKS Runtime Log
Overview
Table name: wiz_eks_runtime_logs
Wiz's EKS Runtime logs contain monitoring and security insights provided for Amazon Elastic Kubernetes Service (EKS) workloads. Wiz enhances cloud-native security by analyzing runtime logs to detect misconfigurations, vulnerabilities, and runtime threats within EKS clusters. These logs provide real-time visibility into containerized applications, helping organizations identify suspicious behavior, such as unauthorized access or privilege escalation. By integrating runtime logs with Wiz’s broader cloud security platform, teams can ensure compliance and maintain a robust security posture across Kubernetes environments.
Send data to Hunters
Hunters supports the collection of Wiz EKS Runtime logs via an intermediary S3 bucket.
To connect Wiz EKS Runtime logs:
Route your Wiz EKS Runtime logs into an AWS S3 bucket.
Once the export is complete and the logs are available in S3, follow the steps in this section.
Expected format
The logs are expected to be in JSON format.
{
"containerId": "asijf9ivojq23908ruvj139urionvwerv",
"containerImageExternalId": "ecr-host.us-east-1.amazonaws.com##test@sha256:rv2k39r0gk230irong32r",
"containerImageRef": "ecr-host.us-east-1.amazonaws.com/test@sha256:rv2k39r0gk230irong32r",
"eventType": "Incoming connection",
"exeAtime": 1551480292,
"exeCtime": 1726715495,
"exeInWritableLayer": false,
"exeMtime": 1551480292,
"exeSha1": "rk1g09rjg129irnog123rg12",
"exeSize": 15252432,
"kubernetesClusterExternalId": "kgjr0192jr9g12rgi01j2nrg",
"kubernetesNamespace": "api-core",
"lastSeenExe": "2024-10-13T23:46:22.817Z",
"podName": "test-6d668fbd78-7l47n",
"programName": "/usr/bin/test",
"resourceExternalId": "test/g1r92ng91i2rngio12ngr",
"sourceIP": "10.11.240.16",
"sourcePort": 11211,
"time": "2024-10-14T09:42:05.612Z"
}
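Because the record above mixes Unix epoch integers (exeAtime, exeCtime, exeMtime) with ISO-8601 strings (time, lastSeenExe), a consumer usually normalizes it before loading it into wiz_eks_runtime_logs. The following Python is an added example, not Hunters or Wiz code: the record values are constructed, and the two triage flags (a private source address, an executable living in the container's writable layer rather than in the image) are assumptions added for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample shaped like the wiz_eks_runtime_logs record shown above.
SAMPLE_RECORD = {
    "containerId": "c0ffee0123456789",
    "eventType": "Incoming connection",
    "exeInWritableLayer": True,
    "exeMtime": 1551480292,
    "exeCtime": 1726715495,
    "kubernetesNamespace": "api-core",
    "lastSeenExe": "2024-10-13T23:46:22.817Z",
    "podName": "test-6d668fbd78-7l47n",
    "programName": "/usr/bin/test",
    "sourceIP": "10.11.240.16",
    "sourcePort": 11211,
    "time": "2024-10-14T09:42:05.612Z",
}

EPOCH_FIELDS = ("exeAtime", "exeCtime", "exeMtime")   # Unix seconds in the raw record
ISO_FIELDS = ("time", "lastSeenExe")                   # already ISO-8601 UTC strings
ISO_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def epoch_to_iso(seconds: int) -> str:
    """Render Unix seconds the way the record's own ISO fields are rendered (UTC, ms)."""
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def normalize_runtime_record(rec: dict) -> dict:
    """Unify timestamps, validate the source IP and add two triage flags."""
    out = dict(rec)
    for field in EPOCH_FIELDS:
        if isinstance(rec.get(field), int):
            out[field] = epoch_to_iso(rec[field])
    for field in ISO_FIELDS:
        if field in rec:  # reject malformed timestamps at ingest instead of at query time
            datetime.strptime(rec[field], ISO_FMT)
    ip = ipaddress.ip_address(rec["sourceIP"]) if "sourceIP" in rec else None
    out["source_is_private"] = bool(ip is not None and ip.is_private)
    # exeInWritableLayer: the binary lives in the container's writable layer, i.e. it
    # was not shipped in the image; a runtime signal worth surfacing to analysts.
    out["flag_exe_not_from_image"] = bool(rec.get("exeInWritableLayer"))
    return out
```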