Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Wiz Events | ✅ | ✅ | | | wiz_events | NDJSON | Webhook |
Wiz Threats | | | | | wiz_threats | CSV | Webhook |
Wiz EKS Runtime Log | ✅ | | | | wiz_eks_runtime_logs | NDJSON | S3 |
Overview
Wiz is a cloud security platform designed to help organizations secure their cloud environments by providing visibility, risk management, and compliance monitoring. It offers continuous scanning of cloud infrastructure to detect vulnerabilities, misconfigurations, and security risks across services such as AWS, Azure, and Google Cloud. Wiz provides real-time risk assessments, highlighting threats in areas like data exposure, access control, and misconfigured services. By offering deep security insights and automation, Wiz helps businesses identify and remediate risks, ensuring their cloud infrastructure is secure and compliant with industry standards.
Supported data types
Wiz Events
📘Note
Connecting this data type requires the involvement of Hunters Support.
Overview
Table name: wiz_events
Wiz event logs are an integral part of the platform, capturing detailed information about security events, configuration changes, and user activities within cloud environments. These logs offer valuable insights into potential security risks, misconfigurations, and compliance violations, enabling organizations to proactively identify and remediate issues to enhance their overall security posture.
Send data to Hunters
Hunters supports the collection of logs from Wiz using a webhook. The webhook is created by Hunters. Once Hunters has created the webhook, we will share the following details:
URL
Bearer Authorization Key
To connect Wiz Events:
Contact Hunters support to retrieve the URL and Bearer Authorization Key.
Once you receive this information, log into your Wiz account and navigate to New Automation Action.
Supply the relevant details:
Action - Call a webhook
Authentication - Token
Token (Supplied by Hunters). Example:
ab830751cbdf4fe9a20f3b46af0ebb40c91099b121e842fe8438c6d01d80fe0b
URL (Supplied by Hunters). Example:
<https://sampledomain.execute-api.us-west-2.amazonaws.com/webhook/v1/e96b2531-de2c-442a-9d85-912165eff354>
Configure a rule in Wiz to send the Issues to the Webhook (specifically, Created, Opened, Closed, Reopened).
Complete the process on the Hunters platform, following this guide.
Expected format
The logs are expected to be in JSON format.
```json
{"trigger": {"source": "ISSUE", "type": "Created", "ruleId": "dddddddd-1260-1260-1260-dddddddd", "ruleName": "hunters-rule", "updatedFields": " status field was changed from <nil> to OPEN, severity field was changed from <nil> to HIGH, ", "changedBy": "Wiz"}, "issue": {"id": "aaaaaaaaa-6767-6767-6767-aaaaaaaaa", "status": "OPEN", "severity": "HIGH", "created": "2022-08-03T05:34:44.000000Z", "projects": "AWS Prod related accounts, all aws accts, "}, "resource": {"id": "arn:aws:ec2:us-east-1:88888888:instance/i-88888888", "name": "Builder", "type": "virtualMachine", "cloudPlatform": "AWS", "subscriptionId": "888888888", "subscriptionName": "888888888 AWS 888888888", "region": "us-east-1", "status": "Active", "cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-888888888"}, "control": {"id": "wc-id-888888888", "name": "Critical/High severity network vulnerability with a known exploit was detected on a publicly exposed VM instance", "description": "This VM has Critical/High severity vulnerabilities with known and public exploits and is remotely exploitable. Furthermore, this VM is also widely exposed to the internet. This might allow an attacker to compromise the affected instance in your environment remotely exfiltrating data or disrupting workflows. All these factors make this a Critical severity Issue.", "severity": "HIGH"}}
```
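The steps above configure Wiz to call a Hunters-hosted webhook with a bearer token, and the record above shows what one NDJSON event looks like on arrival. The following is an added example, not Hunters' or Wiz's own code: it models the receiving side as a small `handle_webhook` function (hypothetical; the real endpoint is operated by Hunters) that checks the bearer token in constant time, parses the NDJSON body line by line, and flattens each event into the fields an analyst triages on (event type, issue id, severity, resource, control). The sample records are constructed in the shape of the page's example with placeholder identifiers, the normalized field names are my own, and the token is the page's sample value.

```python
import hmac
import json
from typing import Mapping

# Sample token from this page's instructions. A real token is issued by Hunters
# and should live in a secret store, never in code or logs.
SAMPLE_TOKEN = "ab830751cbdf4fe9a20f3b46af0ebb40c91099b121e842fe8438c6d01d80fe0b"

# Constructed sample records (placeholder ids) in the shape of the page's example:
# a Created event followed by a Closed event for the same issue.
_RECORD_1 = {
    "trigger": {"source": "ISSUE", "type": "Created", "ruleId": "dddddddd-1260-1260-1260-dddddddd",
                "ruleName": "hunters-rule", "changedBy": "Wiz"},
    "issue": {"id": "aaaaaaaaa-6767-6767-6767-aaaaaaaaa", "status": "OPEN", "severity": "HIGH",
              "created": "2022-08-03T05:34:44.000000Z",
              "projects": "AWS Prod related accounts, all aws accts, "},
    "resource": {"id": "arn:aws:ec2:us-east-1:88888888:instance/i-88888888", "name": "Builder",
                 "type": "virtualMachine", "cloudPlatform": "AWS", "region": "us-east-1"},
    "control": {"id": "wc-id-888888888",
                "name": "Critical/High severity network vulnerability with a known exploit was detected on a publicly exposed VM instance",
                "severity": "HIGH"},
}
_RECORD_2 = dict(_RECORD_1)
_RECORD_2["trigger"] = {**_RECORD_1["trigger"], "type": "Closed"}
_RECORD_2["issue"] = {**_RECORD_1["issue"], "status": "RESOLVED"}
SAMPLE_BODY = "\n".join(json.dumps(r) for r in (_RECORD_1, _RECORD_2)) + "\n"


def check_bearer(headers: Mapping[str, str], expected_token: str) -> bool:
    """True only if an Authorization header carries exactly the expected bearer token."""
    presented = None
    for name, value in headers.items():   # header names are case-insensitive
        if name.lower() == "authorization":
            presented = value
            break
    if presented is None:
        return False
    scheme, _, token = presented.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    # Constant-time comparison: a mismatch must not leak how many leading bytes matched.
    return hmac.compare_digest(token.strip().encode(), expected_token.encode())


def normalize_event(record: dict) -> dict:
    """Flatten one Wiz issue event into the fields an analyst triages on."""
    trigger = record.get("trigger", {})
    issue = record.get("issue", {})
    resource = record.get("resource", {})
    control = record.get("control", {})
    # "projects" arrives as one comma-joined string with a trailing comma; split and drop empties.
    projects = [p.strip() for p in issue.get("projects", "").split(",") if p.strip()]
    return {
        "event_type": trigger.get("type"),
        "rule_name": trigger.get("ruleName"),
        "issue_id": issue.get("id"),
        "status": issue.get("status"),
        "severity": issue.get("severity"),
        "created": issue.get("created"),
        "projects": projects,
        "resource_id": resource.get("id"),
        "cloud_platform": resource.get("cloudPlatform"),
        "region": resource.get("region"),
        "control_id": control.get("id"),
        "control_name": control.get("name"),
    }


def parse_events(body: str) -> list:
    """Parse an NDJSON body: one JSON object per line, blank lines ignored."""
    events = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {line_no}: not valid JSON ({exc.msg})") from exc
        if not isinstance(record, dict):
            raise ValueError(f"line {line_no}: expected a JSON object")
        events.append(normalize_event(record))
    return events


def handle_webhook(headers: Mapping[str, str], body: str, expected_token: str):
    """Model of the receiver: 401 on a bad token, 400 on a bad body, else 200 with the events."""
    if not check_bearer(headers, expected_token):
        return 401, []
    try:
        return 200, parse_events(body)
    except ValueError:
        return 400, []


if __name__ == "__main__":
    status, events = handle_webhook({"Authorization": f"Bearer {SAMPLE_TOKEN}"}, SAMPLE_BODY, SAMPLE_TOKEN)
    print(status, [(e["event_type"], e["issue_id"], e["severity"]) for e in events])
```

The token check runs before any parsing, so an unauthenticated caller cannot make the receiver do JSON work, and a body that is not valid NDJSON is rejected as a whole rather than partially ingested.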
Wiz Threats
📘Note
Connecting this data type requires the involvement of Hunters Support.
Overview
Table name: wiz_threats
Wiz Threats is the native threat detection and alerting capability inside the Wiz Security Graph platform. It consolidates suspicious activity, misconfigurations, and threat intelligence into actionable findings. Wiz Threats surfaces security-relevant signals across cloud resources, SaaS platforms, and identities, and presents them in a standardized alert format that enables security teams to triage, investigate, and remediate effectively.
Send data to Hunters
Hunters supports the collection of logs from Wiz using a webhook. The webhook is created by Hunters. Once Hunters has created the webhook, we will share the following details:
URL
Bearer Authorization Key
To connect Wiz Threats:
Contact Hunters support to retrieve the URL and Bearer Authorization Key.
Once you receive this information, log into your Wiz account and navigate to New Automation Action.
Supply the relevant details:
Action - Call a webhook
Authentication - Token
Token (Supplied by Hunters). Example:
ab830751cbdf4fe9a20f3b46af0ebb40c91099b121e842fe8438c6d01d80fe0b
URL (Supplied by Hunters). Example:
<https://sampledomain.execute-api.us-west-2.amazonaws.com/webhook/v1/e96b2531-de2c-442a-9d85-912165eff354>
Configure a rule in Wiz to send the Issues to the Webhook (specifically, Created, Opened, Closed, Reopened).
Complete the process on the Hunters platform, following this guide.
Expected format
The logs are expected to be in CSV format.
```csv
Time,Threat,Principal,Resource,Subscription,MITRE,Severity,Status,Assignee
Sep 12 09:15,Suspicious IAM Role Assumption,,cloud-core-prod,AWS-Prod-001,T1078 – Valid Accounts,High,Open,
Sep 12 08:42,Multiple Failed Logins from Unusual Location,user123,db-cluster-analytics,Azure-Sub-987,T1110 – Brute Force,Medium,In Progress,analystA
Sep 12 07:30,Unusual API Key Usage,,payment-service-prod,GCP-Project-456,T1552 – Unsecured Credentials,High,Open,
```
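The CSV above has two quirks worth handling before the rows are useful for triage: the `Time` column carries no year, and the `MITRE` column packs a technique id and name into one string separated by an en dash. The following is an added example, not Hunters' or Wiz's parser: it reads the sample rows, splits the MITRE column into id and name, turns empty `Principal` and `Assignee` cells into `None`, and stamps each row with a caller-supplied year (an assumption, since the export does not contain one). The `unassigned_open` helper and the output field names are my own.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample: the rows shown on this page, verbatim.
SAMPLE_CSV = """Time,Threat,Principal,Resource,Subscription,MITRE,Severity,Status,Assignee
Sep 12 09:15,Suspicious IAM Role Assumption,,cloud-core-prod,AWS-Prod-001,T1078 – Valid Accounts,High,Open,
Sep 12 08:42,Multiple Failed Logins from Unusual Location,user123,db-cluster-analytics,Azure-Sub-987,T1110 – Brute Force,Medium,In Progress,analystA
Sep 12 07:30,Unusual API Key Usage,,payment-service-prod,GCP-Project-456,T1552 – Unsecured Credentials,High,Open,
"""

# "T1078 – Valid Accounts" or "T1078.004 - Cloud Accounts": id, then an en dash or hyphen, then the name.
MITRE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s*[–-]\s*(.+)$")


def parse_mitre(value: str):
    """Split the MITRE column into (technique_id, technique_name); (None, None) when empty."""
    value = (value or "").strip()
    if not value:
        return None, None
    match = MITRE_RE.match(value)
    if match is None:
        # Unrecognised layout: keep the raw text as the name so nothing is silently lost.
        return None, value
    return match.group(1), match.group(2).strip()


def parse_time(value: str, year: int) -> str:
    """'Sep 12 09:15' plus a caller-supplied year (assumption: the export carries none) -> ISO 8601."""
    return datetime.strptime(f"{year} {value.strip()}", "%Y %b %d %H:%M").isoformat()


def _blank_to_none(value: str):
    value = (value or "").strip()
    return value if value else None


def parse_threats(text: str, year: int) -> list:
    """Parse a Wiz Threats CSV export into a list of dicts with normalised fields."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        mitre_id, mitre_name = parse_mitre(raw.get("MITRE", ""))
        rows.append({
            "time": parse_time(raw["Time"], year),
            "threat": raw["Threat"].strip(),
            "principal": _blank_to_none(raw.get("Principal")),
            "resource": raw["Resource"].strip(),
            "subscription": raw["Subscription"].strip(),
            "mitre_id": mitre_id,
            "mitre_name": mitre_name,
            "severity": raw["Severity"].strip(),
            "status": raw["Status"].strip(),
            "assignee": _blank_to_none(raw.get("Assignee")),
        })
    return rows


def unassigned_open(threats: list) -> list:
    """Names of threats that are still Open and have nobody assigned: the triage backlog."""
    return [t["threat"] for t in threats if t["status"] == "Open" and t["assignee"] is None]


if __name__ == "__main__":
    parsed = parse_threats(SAMPLE_CSV, 2025)
    for t in parsed:
        print(t["time"], t["severity"], t["mitre_id"], t["threat"], "->", t["assignee"])
    print("unassigned open:", unassigned_open(parsed))
```

Keeping the technique id separate from its name is what makes the rows joinable with other sources in a search: `T1078` is stable across exports, while the free-text name is not guaranteed to be.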