Wiz

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection / Hunters detection / IOC search / Search | Table name | Log format | Collection method
Wiz Events | ✅ ✅ | wiz_events | NDJSON | Webhook
Wiz Threats | | wiz_threats | CSV | Webhook
Wiz EKS Runtime Log | ✅ | wiz_eks_runtime_logs | NDJSON | S3


Overview

Wiz is a cloud security platform that gives organizations visibility, risk management, and compliance monitoring for their cloud environments. It continuously scans cloud infrastructure for vulnerabilities, misconfigurations, and security risks across providers such as AWS, Azure, and Google Cloud, and provides real-time risk assessments that highlight threats in areas like data exposure, access control, and misconfigured services. Through these insights and automation, Wiz helps organizations identify and remediate risks so that their cloud infrastructure stays secure and compliant with industry standards.

Supported data types

Wiz Events

📘Note

Connecting this data type requires the involvement of Hunters Support.

Overview

Table name: wiz_events

Wiz event logs are an integral part of the platform, capturing detailed information about security events, configuration changes, and user activities within cloud environments. These logs offer valuable insights into potential security risks, misconfigurations, and compliance violations, enabling organizations to proactively identify and remediate issues to enhance their overall security posture.

Send data to Hunters

Hunters supports the collection of logs from Wiz using a webhook. The webhook is created by Hunters. Once Hunters has created the webhook, we will share the following details:

  • URL

  • Bearer Authorization Key


To connect Wiz Events:

  1. Contact Hunters support to retrieve the URL and Bearer Authorization Key.

  2. Once you receive this information, log into your Wiz account and navigate to New Automation Action.

  3. Supply the relevant details:

    • Action - Call a webhook

    • Authentication - Token

    • Token (Supplied by Hunters). Example: ab830751cbdf4fe9a20f3b46af0ebb40c91099b121e842fe8438c6d01d80fe0b

    • URL (Supplied by Hunters). Example: <https://sampledomain.execute-api.us-west-2.amazonaws.com/webhook/v1/e96b2531-de2c-442a-9d85-912165eff354>


  4. Configure a rule in Wiz that sends Issue events to the webhook (specifically the Created, Opened, Closed, and Reopened triggers).

  5. Complete the process on the Hunters platform, following this guide.

Expected format

The logs are expected to be newline-delimited JSON (NDJSON), one Issue event object per line, as in the following example:

{"trigger": {"source": "ISSUE", "type": "Created", "ruleId": "dddddddd-1260-1260-1260-dddddddd", "ruleName": "hunters-rule", "updatedFields": " status field was changed from <nil> to OPEN,  severity field was changed from <nil> to HIGH, ", "changedBy": "Wiz"}, "issue": {"id": "aaaaaaaaa-6767-6767-6767-aaaaaaaaa", "status": "OPEN", "severity": "HIGH", "created": "2022-08-03T05:34:44.000000Z", "projects": "AWS Prod related accounts, all aws accts, "}, "resource": {"id": "arn:aws:ec2:us-east-1:88888888:instance/i-88888888", "name": "Builder", "type": "virtualMachine", "cloudPlatform": "AWS", "subscriptionId": "888888888", "subscriptionName": "888888888 AWS 888888888", "region": "us-east-1", "status": "Active", "cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-888888888"}, "control": {"id": "wc-id-888888888", "name": "Critical/High severity network vulnerability with a known exploit was detected on a publicly exposed VM instance", "description": "This VM has Critical/High severity vulnerabilities with known and public exploits and is remotely exploitable. Furthermore, this VM is also widely exposed to the internet. This might allow an attacker to compromise the affected instance in your environment remotely exfiltrating data or disrupting workflows. All these factors make this a Critical severity Issue.", "severity": "HIGH"}}
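As an added example (not part of the Hunters documentation or the Hunters webhook implementation), the following Python shows what a receiver on the Hunters side of this integration has to do with each delivery: check the bearer token that Wiz sends in the Authorization header, then parse the Issue event into a flat record suitable for one wiz_events NDJSON line. The token value is the sample token from the page, the payload is a constructed copy of the page's sample event, and the field names of the flattened record are an assumption made here, not the wiz_events schema.

```python
import hmac
import json
from typing import Any, Dict, Optional, Tuple

# Sample token from the page, used here only so the check can run offline.
EXPECTED_TOKEN = "ab830751cbdf4fe9a20f3b46af0ebb40c91099b121e842fe8438c6d01d80fe0b"

# Constructed sample payload mirroring the Issue event shown on the page.
SAMPLE_EVENT = json.dumps({
    "trigger": {"source": "ISSUE", "type": "Created",
                "ruleId": "dddddddd-1260-1260-1260-dddddddd", "ruleName": "hunters-rule",
                "updatedFields": " status field was changed from <nil> to OPEN, ",
                "changedBy": "Wiz"},
    "issue": {"id": "aaaaaaaaa-6767-6767-6767-aaaaaaaaa", "status": "OPEN",
              "severity": "HIGH", "created": "2022-08-03T05:34:44.000000Z",
              "projects": "AWS Prod related accounts, all aws accts, "},
    "resource": {"id": "arn:aws:ec2:us-east-1:88888888:instance/i-88888888",
                 "name": "Builder", "type": "virtualMachine", "cloudPlatform": "AWS",
                 "region": "us-east-1", "status": "Active"},
    "control": {"id": "wc-id-888888888",
                "name": "Critical/High severity network vulnerability with a known exploit "
                        "was detected on a publicly exposed VM instance",
                "severity": "HIGH"},
})

# The Issue triggers the page tells you to enable in the Wiz automation rule.
ALLOWED_TRIGGER_TYPES = {"Created", "Opened", "Closed", "Reopened"}


def check_bearer(authorization_header: Optional[str], expected: str = EXPECTED_TOKEN) -> bool:
    """True only if the header is 'Bearer <token>' with the expected token.

    hmac.compare_digest keeps the comparison constant-time so a wrong token
    cannot be narrowed down byte by byte from response latency.
    """
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    return hmac.compare_digest(token.strip(), expected)


def normalize_issue_event(raw: str) -> Dict[str, Any]:
    """Parse one Wiz Issue webhook body and flatten the fields analysts pivot on.

    Raises KeyError/ValueError on bodies that do not look like an Issue event,
    so the caller can reject them instead of storing malformed records.
    """
    event = json.loads(raw)
    trigger = event["trigger"]
    if trigger.get("source") != "ISSUE":
        raise ValueError("unexpected trigger source: %r" % trigger.get("source"))
    if trigger.get("type") not in ALLOWED_TRIGGER_TYPES:
        raise ValueError("unexpected trigger type: %r" % trigger.get("type"))
    issue = event["issue"]
    resource = event.get("resource", {})
    control = event.get("control", {})
    # "projects" arrives as a comma-joined string with a trailing separator.
    projects = [p.strip() for p in issue.get("projects", "").split(",") if p.strip()]
    return {
        "event_type": trigger["type"],
        "rule_name": trigger.get("ruleName"),
        "issue_id": issue["id"],
        "issue_status": issue["status"],
        "issue_severity": issue["severity"],
        "issue_created": issue.get("created"),
        "projects": projects,
        "resource_id": resource.get("id"),
        "resource_type": resource.get("type"),
        "cloud_platform": resource.get("cloudPlatform"),
        "region": resource.get("region"),
        "control_id": control.get("id"),
        "control_name": control.get("name"),
    }


def handle_webhook(headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Receiver logic: authenticate before parsing; return (status, ndjson_line)."""
    if not check_bearer(headers.get("Authorization")):
        return 401, ""
    try:
        record = normalize_issue_event(body)
    except (KeyError, ValueError):  # json.JSONDecodeError is a ValueError
        return 400, ""
    return 200, json.dumps(record, separators=(",", ":"))


if __name__ == "__main__":
    status, line = handle_webhook({"Authorization": "Bearer " + EXPECTED_TOKEN}, SAMPLE_EVENT)
    print(status, line)
```

The order matters: the token check runs before any JSON parsing, so an unauthenticated sender never exercises the parser, and bodies that are valid JSON but not an Issue event with one of the four configured triggers are rejected with 400 rather than stored.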

Wiz Threats

📘Note

Connecting this data type requires the involvement of Hunters Support.

Overview

Table name: wiz_threats

Wiz Threats is the native threat detection and alerting capability inside the Wiz Security Graph platform. It consolidates suspicious activity, misconfigurations, and threat intelligence into actionable findings. Wiz Threats surfaces security-relevant signals across cloud resources, SaaS platforms, and identities, and presents them in a standardized alert format that lets security teams triage, investigate, and remediate effectively.

Send data to Hunters

Hunters supports the collection of logs from Wiz using a webhook. The webhook is created by Hunters. Once Hunters has created the webhook, we will share the following details:

  • URL

  • Bearer Authorization Key


To connect Wiz Threats:

  1. Contact Hunters support to retrieve the URL and Bearer Authorization Key.

  2. Once you receive this information, log into your Wiz account and navigate to New Automation Action.

  3. Supply the relevant details:

    • Action - Call a webhook

    • Authentication - Token

    • Token (Supplied by Hunters). Example: ab830751cbdf4fe9a20f3b46af0ebb40c91099b121e842fe8438c6d01d80fe0b

    • URL (Supplied by Hunters). Example: <https://sampledomain.execute-api.us-west-2.amazonaws.com/webhook/v1/e96b2531-de2c-442a-9d85-912165eff354>


  4. Configure a rule in Wiz that sends Issue events to the webhook (specifically the Created, Opened, Closed, and Reopened triggers).

  5. Complete the process on the Hunters platform, following this guide.

Expected format

The logs are expected to be in CSV format, with the header row and columns shown in the following example:

Time,Threat,Principal,Resource,Subscription,MITRE,Severity,Status,Assignee
Sep 12 09:15,Suspicious IAM Role Assumption,,cloud-core-prod,AWS-Prod-001,T1078 – Valid Accounts,High,Open,
Sep 12 08:42,Multiple Failed Logins from Unusual Location,user123,db-cluster-analytics,Azure-Sub-987,T1110 – Brute Force,Medium,In Progress,analystA
Sep 12 07:30,Unusual API Key Usage,,payment-service-prod,GCP-Project-456,T1552 – Unsecured Credentials,High,Open,
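As an added example (not part of the Hunters documentation or the Hunters ingestion pipeline), the following Python parses the CSV format above into records a detection or triage step can work with: it validates the header, splits the MITRE column into technique ID and name, ranks the severity, and treats empty Principal and Assignee cells as missing. The sample CSV is a constructed copy of the page's example; the output field names, the severity ranking and the triage filter at the end are assumptions made here, not the wiz_threats schema.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the CSV example on the page.
SAMPLE_CSV = """Time,Threat,Principal,Resource,Subscription,MITRE,Severity,Status,Assignee
Sep 12 09:15,Suspicious IAM Role Assumption,,cloud-core-prod,AWS-Prod-001,T1078 – Valid Accounts,High,Open,
Sep 12 08:42,Multiple Failed Logins from Unusual Location,user123,db-cluster-analytics,Azure-Sub-987,T1110 – Brute Force,Medium,In Progress,analystA
Sep 12 07:30,Unusual API Key Usage,,payment-service-prod,GCP-Project-456,T1552 – Unsecured Credentials,High,Open,
"""

EXPECTED_COLUMNS = ["Time", "Threat", "Principal", "Resource", "Subscription",
                    "MITRE", "Severity", "Status", "Assignee"]

# Assumed ordering; Wiz's own severity scale may differ.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# "T1078 – Valid Accounts" or "T1552.001 - Credentials In Files"; accepts
# hyphen, en dash or em dash as the separator.
MITRE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s*[-–—]\s*(.+)$")


def split_mitre(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (technique_id, technique_name); id is None if the cell has no Txxxx prefix."""
    value = value.strip()
    if not value:
        return None, None
    m = MITRE_RE.match(value)
    if not m:
        return None, value
    return m.group(1), m.group(2).strip()


def parse_threats(text: str) -> List[Dict[str, object]]:
    """Parse Wiz Threats CSV text into one dict per row, rejecting unexpected headers."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError("unexpected CSV header: %r" % (reader.fieldnames,))
    rows = []
    for row in reader:
        technique_id, technique_name = split_mitre(row["MITRE"])
        severity = row["Severity"].strip()
        rows.append({
            "time": row["Time"].strip(),          # no year in the export; kept verbatim
            "threat": row["Threat"].strip(),
            "principal": row["Principal"].strip() or None,
            "resource": row["Resource"].strip(),
            "subscription": row["Subscription"].strip(),
            "mitre_technique_id": technique_id,
            "mitre_technique_name": technique_name,
            "severity": severity,
            "severity_rank": SEVERITY_RANK.get(severity, -1),  # -1 = unknown label
            "status": row["Status"].strip(),
            "assignee": row["Assignee"].strip() or None,
        })
    return rows


def unassigned_high_severity(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Triage filter: open threats rated High or above that nobody owns yet."""
    return [r for r in rows
            if r["severity_rank"] >= SEVERITY_RANK["High"]
            and r["status"] == "Open"
            and r["assignee"] is None]


if __name__ == "__main__":
    for r in unassigned_high_severity(parse_threats(SAMPLE_CSV)):
        print(r["time"], r["mitre_technique_id"], r["threat"], r["resource"])
```

Rejecting an unexpected header up front is the check worth keeping: a column added or reordered in a future Wiz export would otherwise silently shift values into the wrong fields rather than fail the ingestion visibly.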