# Wiz
The Wiz connector facilitates seamless integration with Wiz's cloud security platform, enabling automated security workflows and data retrieval within the Swimlane ecosystem.

Wiz is a comprehensive cloud security solution that provides deep visibility and advanced risk analysis across your cloud environment. This connector enables Swimlane Turbine users to automate the retrieval and analysis of cloud resources, configuration findings, issues, reports, user information, and vulnerability findings directly within their security workflows. By integrating with Wiz, users can enhance their security posture with actionable insights, streamline compliance checks, and accelerate incident response with enriched cloud security data.

## Prerequisites

To effectively utilize the Wiz connector for Turbine, ensure you have the following prerequisites:

OAuth 2.0 client credentials authentication with the following parameters:

- API Endpoint URL: The base URL for the Wiz API endpoints.
- Client ID: The unique identifier for your registered Wiz application.
- Client Secret: The secret key associated with your client ID to authenticate requests.
- Authentication URL: The endpoint URL used to obtain the OAuth 2.0 access token.
- Audience: The intended recipient of the issued token, typically the API that will accept the token.

## Capabilities

This connector provides the following capabilities:

- Get Cloud Resources V2
- Get Configuration Findings
- Get Issues
- Get Report Status and URL
- Get List of Report Names
- Get Users
- Get Vulnerability Findings
- Pull Audit Logs
- Rerun Report

## Asset Setup

### API Endpoint URL

The Wiz integration API has a single URL for all the actions: `https://api.<region>.app.wiz.io/graphql`

Use the above URL and replace `<region>` with the region where your tenant resides, e.g. us1, us2, eu1, or eu2.

Example: `https://api.us17.app.wiz.io/graphql`

### Client Credentials

The client ID and client secret must be provided by your Wiz customer or Wiz customer service team.

### Token URL

There are two possible token URLs depending on your service account's identity provider:

| IdP | Endpoint | Endpoint for Gov Tenants |
|---|---|---|
| Amazon Cognito | https://auth.app.wiz.io/oauth/token | https://auth.gov.wiz.io/oauth/token |
| Auth0 | https://auth.wiz.io/oauth/token | https://auth0.gov.wiz.io/oauth/token |

### Audience

Choose a relevant audience from the following:

| IdP | Audience |
|---|---|
| Amazon Cognito | wiz-api |
| Auth0 | beyond-api |

### Action Setup

You need different permissions for each of the actions to run. Please refer to the API documentation to know more.

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host. | string | Required |
| Token URL | | string | Required |
| Client ID | The client ID. | string | Required |
| Client Secret | The client secret. | string | Required |
| Audience | Permission scopes for this action. | string | Required |
| First | Use as a pagination argument to refine your results. Possible values: 1-5000. Default will be 500 if not mentioned. | number | Optional |
| Verify SSL | Verify SSL certificate. | boolean | Optional |
| HTTP Proxy | A proxy to route requests through. | string | Optional |

## Actions

### Get Cloud Resources V2

Retrieve a filtered list of cloud resources from Wiz using specified variables and query parameters.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| query | string | Required | The GraphQL query to execute. |
| variables | object | Required | Parameter for Get Cloud Resources V2. |
| after | string | Optional | Use as a pagination argument for results. Use the value returned by pageinfo.endcursor from the previous response. |
| fetchtotalcount | boolean | Optional | Whether to fetch the total count of resources. |
| filterby | object | Optional | This object defines query filters to narrow down search results and return specific cloud resources. |
| cloudplatform | object | Optional | Filter by cloud platform. |
| equals | array | Optional | Parameter for Get Cloud Resources V2. |
| cloudaccountv2 | object | Optional | Filter by cloud account external ID(s). |
| externalid | object | Optional | Unique identifier. |
| hasadminprivileges | object | Optional | Filter by whether the resource has admin privileges. |
| equals | boolean | Optional | Parameter for Get Cloud Resources V2. |
| hashighprivileges | object | Optional | Filter by whether the resource has high privileges. |
| equals | boolean | Optional | Parameter for Get Cloud Resources V2. |
| hassensitivedata | object | Optional | Filter by whether the resource contains sensitive data. |
| equals | boolean | Optional | Parameter for Get Cloud Resources V2. |
| hasaccesstosensitivedata | object | Optional | Filter by whether the resource has access to sensitive data. |
| equals | boolean | Optional | Parameter for Get Cloud Resources V2. |
| isaccessiblefrominternet | object | Optional | Filter by whether the resource is accessible from the internet. |
| equals | boolean | Optional | Parameter for Get Cloud Resources V2. |
| isopentoallinternet | object | Optional | Filter by whether the resource is open to all internet. |
| equals | boolean | Optional | Parameter for Get Cloud Resources V2. |
| tag | object | Optional | Filter by resource tags. |
| containsall | array | Optional | Parameter for Get Cloud Resources V2. |
| type | object | Optional | The cloud managed resource object(s) to return. Entity types must be specified in all caps format. For example, use `VIRTUAL_MACHINE` for virtual machines. |
| equals | array | Optional | Parameter for Get Cloud Resources V2. |

### Get Configuration Findings

Retrieve filtered cloud configuration findings from Wiz using specified variables for rules, resources, or frameworks.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Get Configuration Findings. |
| after | string | Optional | Parameter for Get Configuration Findings. |
| orderby | object | Optional | Parameter for Get Configuration Findings. |
| direction | string | Optional | The order direction, can be ASC or DESC. |
| field | string | Optional | The order field. |
| filterby | object | Optional | Parameter for Get Configuration Findings. |
| id | array | Optional | Filter configuration findings matching these IDs. You can specify multiple values. |
| source | array | Optional | Filter by source of the configuration. You can specify multiple values. |
| rule | object | Optional | Parameter for Get Configuration Findings. |
| id | array | Optional | Filter configuration findings that match these cloud configuration rule IDs. You can specify multiple values. |
| name | array | Optional | Filters configuration findings that match the name of these cloud configuration rules. You can specify multiple values. |
| description | array | Optional | Filter by these cloud configuration rule descriptions. You can specify multiple values. |
| resource | object | Optional | Parameter for Get Configuration Findings. |
| id | array | Optional | Filter configuration findings by resource ID. You can specify multiple values. |
| type | array | Optional | Filter configuration findings by specific entity types. You can specify multiple values. |
| projectid | array | Optional | Filter configuration findings by Wiz project ID. You can specify multiple values. |
| name | array | Optional | Filter by configuration finding resource name. You can specify multiple values. |
| status | array | Optional | Filter by resource status. You can specify multiple values. |
| subscriptionid | array | Optional | Filter by subscription ID. You can specify multiple values. |
| cloudplatform | array | Optional | Filter configuration findings by cloud platform. You can specify multiple values. |
| nativetype | array | Optional | The name of the resource provided by its cloud service provider, as opposed to how Wiz normalizes its name. |
| tags | array | Optional | Filter by tags associated with the resource. You can specify multiple values. |
| analyzedat | object | Optional | Parameter for Get Configuration Findings. |
| before | string | Optional | Parameter for Get Configuration Findings. |
| after | string | Optional | Parameter for Get Configuration Findings. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| configurationfindings | object | Output field configurationfindings. |
| nodes | array | Output field nodes. |
| id | string | Unique identifier. |
| targetexternalid | string | Unique identifier. |
| targetobjectprovideruniqueid | string | Unique identifier. |
| firstseenat | string | Output field firstseenat. |
| severity | string | Output field severity. |
| result | string | Result of the operation. |
| status | string | Status value. |
| remediation | object | Output field remediation. |
| resource | object | Output field resource. |
| id | string | Unique identifier. |
| providerid | string | Unique identifier. |
| name | string | Name of the resource. |
| nativetype | string | Type of the resource. |
| type | string | Type of the resource. |
| region | string | Output field region. |
| subscription | object | Output field subscription. |
| projects | array | Output field projects. |
| tags | array | Output field tags. |
| rule | object | Output field rule. |
| id | string | Unique identifier. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Mon, 31 Jul 2023 09:08:42 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get Issues

Obtain a collection of issues from Wiz using targeted queries with specified variables for precise search results.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Get Issues. |
| after | string | Optional | Use as a pagination argument to refine your results. Use the value returned by pageinfo.endcursor from the previous response. |
| orderby | object | Optional | The query's results order, can be ASC or DESC. |
| direction | string | Optional | Parameter for Get Issues. |
| field | string | Optional | The order field. |
| filterby | object | Optional | Parameter for Get Issues. |
| status | array | Optional | Filter by issue handling status. You can specify multiple values. If no values are provided, then returns results from all statuses. |
| id | array | Optional | Filter only issues that match these IDs. You can specify multiple values. If no values are provided, then returns results from all issues. |
| search | string | Optional | Free text search on issue title or object name. Returns null if no match is found. |
| frameworktegory | array | Optional | Filter issues by security framework IDs. You can specify multiple values. If no values are provided, then returns results from all framework categories. |
| stacklayer | array | Optional | Filter issues from a specific stack layer (as defined by the control). You can specify multiple values. If no values are provided, then returns results from all stack layers. |
| project | array | Optional | Filter issues associated with these project IDs. You can specify multiple values. If no values are provided, then returns results from all projects. |
| severity | array | Optional | Filter issues according to control severity. You can specify multiple values. If no values are provided, then returns results from all severities. |
| sourcesecurityscan | string | Optional | Filter by security scan source. |
| resolutionreason | array | Optional | Filter issues by resolution reason. You can specify multiple values. If no values are provided, then returns results from all resolution reasons. |
| type | array | Optional | Filter by issue type. You can specify multiple values. If no values are provided, then returns results from all issue types. |
| createdat | object | Optional | Parameter for Get Issues. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |
| resolvedat | object | Optional | Parameter for Get Issues. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |
| dueat | object | Optional | Parameter for Get Issues. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| issues | object | Output field issues. |
| nodes | array | Output field nodes. |
| id | string | Unique identifier. |
| sourcerule | object | Output field sourcerule. |
| typename | string | Name of the resource. |
| id | string | Unique identifier. |
| name | string | Name of the resource. |
| controldescription | string | Output field controldescription. |
| resolutionrecommendation | string | Output field resolutionrecommendation. |
| securitysubcategories | array | Output field securitysubcategories. |
| createdat | string | Output field createdat. |
| updatedat | string | Output field updatedat. |
| dueat | object | Output field dueat. |
| resolvedat | object | Output field resolvedat. |
| statuschangedat | string | Status value. |
| projects | array | Output field projects. |
| id | string | Unique identifier. |
| name | string | Name of the resource. |
| slug | string | Output field slug. |
| businessunit | string | Output field businessunit. |
| riskprofile | object | Output field riskprofile. |
| status | string | Status value. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Mon, 31 Jul 2023 06:07:08 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get Report Status and URL

Retrieve the status and access URL for a Wiz report, requiring specific variables in the request body.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Get Report Status and URL. |
| reportid | string | Required | The ID of the report to return. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| report | object | Output field report. |
| lastrun | object | Output field lastrun. |
| url | string | URL endpoint for the request. |
| status | string | Status value. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Sun, 30 Jul 2023 09:07:18 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get List of Report Names

Retrieves a filtered list of reports from Wiz using criteria such as ID and name specified in the JSON body.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Get List of Report Names. |
| first | number | Required | Use as a pagination argument to refine your results. Possible values: 1-5000. |
| after | string | Optional | Use as a pagination argument to refine your results. Use the value returned by pageinfo.endcursor from the previous response. |
| filterby | object | Optional | Parameter for Get List of Report Names. |
| search | string | Optional | Filter reports matching these names. |
| type | array | Optional | Filter reports of specific types. You can specify multiple values. |
| projectid | string | Optional | Filter reports associated with a specific project identified by its project ID. |
| lastreportrunstatus | array | Optional | Filter reports with a specific last run status. You can specify multiple values. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| reports | object | Output field reports. |
| nodes | array | Output field nodes. |
| id | string | Unique identifier. |
| name | string | Name of the resource. |
| pageinfo | object | Output field pageinfo. |
| hasnextpage | boolean | Output field hasnextpage. |
| endcursor | string | Output field endcursor. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Sun, 30 Jul 2023 09:01:15 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get Users

Retrieves a list of Wiz users filtered by role, authentication provider, or project assignments using specified variables.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Get Users. |
| after | string | Optional | Use as a pagination argument to refine your results. Use the value returned by pageinfo.endcursor from the previous response. |
| filterby | object | Optional | Parameter for Get Users. |
| role | array | Optional | Filter by user role. Can be created by a user or built-in. |
| authprovidertype | array | Optional | Unique identifier. |
| deleted | boolean | Optional | Whether the user is deleted. |
| assignedprojects | array | Optional | Filter users that are assigned (have access to) specific projects. |
| search | string | Optional | Free text search on name, email title, or object name. |
| updatedat | object | Required | Parameter for Get Users. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| users | object | Output field users. |
| nodes | array | Output field nodes. |
| id | string | Unique identifier. |
| name | string | Name of the resource. |
| email | string | Output field email. |
| lastloginat | string | Output field lastloginat. |
| issuspended | boolean | Output field issuspended. |
| createdat | string | Output field createdat. |
| identityprovider | object | Unique identifier. |
| identityprovidertype | string | Unique identifier. |
| assignedprojects | object | Output field assignedprojects. |
| role | object | Output field role. |
| id | string | Unique identifier. |
| name | string | Name of the resource. |
| scopes | array | Output field scopes. |
| pageinfo | object | Output field pageinfo. |
| endcursor | object | Output field endcursor. |
| hasnextpage | boolean | Output field hasnextpage. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Mon, 31 Jul 2023 06:58:20 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "488",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get Vulnerability Findings

Retrieve categorized vulnerability findings from Wiz using specified variables for asset and severity filtering.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Get Vulnerability Findings. |
| after | string | Optional | Use as a pagination argument to refine your results. Use the value returned by pageinfo.endcursor from the previous response. |
| orderby | object | Optional | The query's results order, can be ASC or DESC, determined by the firstdetectedat value. |
| direction | string | Optional | Parameter for Get Vulnerability Findings. |
| filterby | object | Optional | Parameter for Get Vulnerability Findings. |
| id | array | Optional | Filter vulnerability findings matching these IDs. You can specify multiple values. If no values are provided, then returns results from all IDs. |
| vendorseverity | array | Optional | Filter vulnerability findings according to the vendor severity. You can specify multiple values. If no values are provided, then returns results from all vendor severities. |
| firstseenat | object | Optional | Parameter for Get Vulnerability Findings. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |
| updatedat | object | Required | Parameter for Get Vulnerability Findings. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |
| resolvedat | object | Optional | Parameter for Get Vulnerability Findings. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |
| hasfix | boolean | Optional | Filter only vulnerability findings for vulnerabilities with an available fix. |
| hasexploit | boolean | Optional | Filter only vulnerability findings for vulnerabilities with an available exploit. |
| hascisakevexploit | boolean | Optional | Filter only vulnerability findings for vulnerabilities with an available CISA KEV exploit. |
| vulnerabilityexternalid | array | Optional | Filter only vulnerability findings whose external ID matches these. You can specify multiple values. If no values are provided, then returns results from all external IDs. |
| subscriptionexternalid | array | Optional | Filter vulnerability findings from these subscription external IDs. You can specify multiple values. If no values are provided, then returns results from all subscriptions. |
| assetid | array | Optional | Filter only vulnerability findings on these asset IDs. You can specify multiple values. If no values are provided, then returns results from all asset IDs. |
| assettype | string | Optional | The type of asset object to appear in the vulnerability report. If not specified, returns results for all asset types. |
| assetstatus | array | Optional | Filter only vulnerability findings for assets with these statuses. You can specify multiple values. If no values are provided, then returns results for all asset statuses. |
| detectionmethod | array | Optional | Filter only vulnerability findings found via these detection methods. You can specify multiple values. If no values are provided, then returns results for all detection methods. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| vulnerabilityfindings | object | Output field vulnerabilityfindings. |
| nodes | array | Output field nodes. |
| id | string | Unique identifier. |
| portalurl | string | URL endpoint for the request. |
| name | string | Name of the resource. |
| cvedescription | string | Output field cvedescription. |
| cvssseverity | string | Output field cvssseverity. |
| score | number | Score value. |
| exploitabilityscore | number | Score value. |
| impactscore | number | Score value. |
| datasourcename | object | Response data. |
| hasexploit | boolean | Output field hasexploit. |
| hascisakevexploit | boolean | Output field hascisakevexploit. |
| status | string | Status value. |
| vendorseverity | string | Output field vendorseverity. |
| firstdetectedat | string | Output field firstdetectedat. |
| lastdetectedat | string | Output field lastdetectedat. |
| resolvedat | object | Output field resolvedat. |
| description | string | Output field description. |
| remediation | string | Output field remediation. |
| detailedname | string | Name of the resource. |
| version | string | Output field version. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Sun, 30 Jul 2023 13:08:22 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Pull Audit Logs

Retrieves a filtered set of audit log activities from Wiz based on specified criteria like action, status, or user.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Pull Audit Logs. |
| first | number | Required | Use as a pagination argument to refine your results. Possible values: 1-5000. |
| after | string | Optional | Use as a pagination argument to refine your results. Use the value returned by pageinfo.endcursor from the previous response. |
| filterby | object | Optional | Parameter for Pull Audit Logs. |
| timestamp | object | Optional | Parameter for Pull Audit Logs. |
| after | string | Optional | Datetime in ISO 8601 format. |
| before | string | Optional | Datetime in ISO 8601 format. |
| action | string | Optional | Filter by specific action name in Wiz. |
| search | string | Optional | Filter by string matching ID or request ID. |
| status | array | Optional | Filter by audit log event status. You can specify multiple values. |
| user | array | Optional | Filter by specific user IDs or service account IDs. |
| usertype | array | Optional | Filter audit log entries by the type of user. You can specify multiple values. |
| useragent | string | Optional | Filter by user agent. |
| sourceip | string | Optional | Filter audit log entries by source IP. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| auditlogentries | object | Output field auditlogentries. |
| nodes | array | Output field nodes. |
| id | string | Unique identifier. |
| action | string | Output field action. |
| requestid | string | Unique identifier. |
| status | string | Status value. |
| timestamp | string | Output field timestamp. |
| actionparameters | object | Parameters for the Pull Audit Logs action. |
| clientid | string | Unique identifier. |
| groups | object | Output field groups. |
| name | string | Name of the resource. |
| products | array | Output field products. |
| role | string | Output field role. |
| scopes | array | Output field scopes. |
| useremail | string | Output field useremail. |
| userid | string | Unique identifier. |
| userpoolid | string | Unique identifier. |
| useragent | object | Output field useragent. |
| sourceip | object | Output field sourceip. |
| serviceaccount | object | Count value. |
| id | string | Unique identifier. |
| name | string | Name of the resource. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Mon, 31 Jul 2023 06:44:55 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "922",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

### Rerun Report

Initiates a rerun of an existing Wiz report using specified variables and returns the original report ID.

Endpoint method: POST

#### Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| variables | object | Required | Parameter for Rerun Report. |
| reportid | string | Required | The ID of the report to return. |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response. |
| reason | string | Response reason phrase. |
| data | object | Response data. |
| rerunreport | object | Output field rerunreport. |
| report | object | Output field report. |
| id | string | Unique identifier. |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Sun, 30 Jul 2023 09:10:38 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "82",
      "Connection": "keep-alive",
      "Content-Security-Policy": "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'sel...",
      "Cross-Origin-Embedder-Policy": "require-corp",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
      "X-DNS-Prefetch-Control": "off",
      "X-Frame-Options": "SAMEORIGIN",
      "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
      "X-Download-Options": "noopen",
      "X-Content-Type-Options": "nosniff",
      "Origin-Agent-Cluster": "?1",
      "X-Permitted-Cross-Domain-Policies": "none"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Access-Control-Allow-Credentials | HTTP response header Access-Control-Allow-Credentials | true |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 922 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Cross-Origin-Embedder-Policy | HTTP response header Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Opener-Policy | HTTP response header Cross-Origin-Opener-Policy | same-origin |
| Cross-Origin-Resource-Policy | HTTP response header Cross-Origin-Resource-Policy | same-origin |
| Date | The date and time at which the message was originated | Sun, 30 Jul 2023 09:01:15 GMT |
| ETag | An identifier for a specific version of a resource | W/"98d-h4owu9n6wujypouplht1oiadwp0" |
| Origin-Agent-Cluster | HTTP response header Origin-Agent-Cluster | ?1 |
| Referrer-Policy | HTTP response header Referrer-Policy | no-referrer |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15552000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin, Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | HTTP response header X-DNS-Prefetch-Control | off |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | HTTP response header X-Permitted-Cross-Domain-Policies | none |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 0 |

## Notes

As of version 1.6.0, all report-related actions have been removed from the Wiz connector to align with Wiz API best practices.

Wiz API documentation: https://integrate.wiz.io/reference/prerequisites
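
Added example (not part of the original page or the connector's own code): a pre-flight check of asset values against the asset setup rules above, plus a cursor-pagination loop driven by `first`/`after` and `pageInfo.endCursor`. The asset key spellings (`token_url`, `verify_ssl`, ...), treating an unset `verify_ssl` as enabled, the injected `post` callable and the sample pages are assumptions; GraphQL field names are written in camelCase, which this page shows lowercased.

```python
import re
from urllib.parse import urlparse

# Token URL -> audience pairs from the asset setup tables on this page.
TOKEN_URL_AUDIENCE = {
    "https://auth.app.wiz.io/oauth/token": "wiz-api",      # Amazon Cognito
    "https://auth.gov.wiz.io/oauth/token": "wiz-api",      # Amazon Cognito, gov
    "https://auth.wiz.io/oauth/token": "beyond-api",       # Auth0
    "https://auth0.gov.wiz.io/oauth/token": "beyond-api",  # Auth0, gov
}
API_HOST = re.compile(r"api\.[a-z0-9]+\.app\.wiz\.io")  # api.<region>.app.wiz.io


def validate_asset(asset):
    """Return a list of problems in a connector asset dict (empty list = OK)."""
    problems = []
    url = urlparse(asset.get("url", ""))
    if (url.scheme != "https" or not API_HOST.fullmatch(url.hostname or "")
            or url.path != "/graphql"):
        problems.append("url is not https://api.<region>.app.wiz.io/graphql")
    expected = TOKEN_URL_AUDIENCE.get(asset.get("token_url"))
    if expected is None:
        problems.append("token_url is not one of the documented token endpoints")
    elif asset.get("audience") != expected:
        problems.append(f"audience should be {expected!r} for this token_url")
    for key in ("client_id", "client_secret"):
        if not asset.get(key):
            problems.append(f"{key} is missing")
    first = asset.get("first", 500)  # 500 is the documented default
    if isinstance(first, bool) or not isinstance(first, int) or not 1 <= first <= 5000:
        problems.append("first must be an integer from 1 to 5000")
    if asset.get("verify_ssl", True) is not True:  # assumption: unset means enabled
        problems.append("verify_ssl is disabled; the client secret and bearer "
                        "token would be sent without certificate verification")
    return problems


def fetch_all(post, variables, root, max_pages=50):
    """Collect every node of data.<root> by following pageInfo.endCursor.

    `post` is a hypothetical callable that sends `variables` with the GraphQL
    query and returns the parsed JSON body of the response.
    """
    nodes, seen = [], set()
    page_vars = dict(variables)
    for _ in range(max_pages):
        body = post(page_vars)
        # A GraphQL server can report failure in "errors" with HTTP 200.
        if body.get("errors"):
            raise RuntimeError(f"GraphQL errors: {body['errors']}")
        conn = (body.get("data") or {}).get(root) or {}
        nodes.extend(conn.get("nodes") or [])
        info = conn.get("pageInfo") or {}
        if not info.get("hasNextPage"):
            return nodes
        cursor = info.get("endCursor")
        if not cursor or cursor in seen:  # guard against an endless loop
            raise RuntimeError("pagination cursor missing or repeated")
        seen.add(cursor)
        page_vars = {**variables, "after": cursor}
    raise RuntimeError("max_pages reached; result set is incomplete")


# Constructed sample data: pages of issue nodes keyed by the `after` cursor.
SAMPLE_PAGES = {
    None: ([{"id": "i-1"}, {"id": "i-2"}], "c1"),
    "c1": ([{"id": "i-3"}, {"id": "i-4"}], "c2"),
    "c2": ([{"id": "i-5"}], None),
}
GOOD_ASSET = {
    "url": "https://api.us17.app.wiz.io/graphql",
    "token_url": "https://auth.app.wiz.io/oauth/token",
    "audience": "wiz-api",
    "client_id": "example-id",          # placeholder
    "client_secret": "example-secret",  # placeholder
    "first": 500,
    "verify_ssl": True,
}


def fake_post(pages):
    """Constructed offline stand-in for the HTTP POST to the GraphQL endpoint."""
    def post(variables):
        nodes, nxt = pages[variables.get("after")]
        return {"data": {"issues": {
            "nodes": nodes,
            "pageInfo": {"hasNextPage": nxt is not None, "endCursor": nxt}}}}
    return post


if __name__ == "__main__":
    print(validate_asset(GOOD_ASSET))
    print([n["id"] for n in fetch_all(fake_post(SAMPLE_PAGES), {"first": 2}, "issues")])
```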