Wiz
  • 5 Minutes to read
  • PDF

Wiz

  • PDF

Article summary

1. About this document


This document provides step-by-step instructions to configure Wiz in SAFE.

2. Introduction


SAFE seamlessly integrates with Wiz and pulls assets and their corresponding security issues in SAFE. This integration provides users with insight into the security threats that are most relevant to their cloud environment through these security issues.

3. Prerequisites


Important

To authenticate with Wiz APIs, users must use https://auth.app.wiz.io/oauth/token since SAFE currently supports authentication only through the Cognito Identity Provider.

You need the following connection details to configure Wiz in SAFE:

  1. Wiz API URL (API Endpoint URL)
  2. Client ID and Client Secret
  3. Project IDs (Optional)

4. Generate Connection Details


4.1. Wiz API URL

To get the Wiz API URL:

  1. Login to your Wiz account.
  2. Click the User Profile icon available at the top right of the screen and click the User Settings option.
  3. Click the Tenant option from the left options menu.
  4. The system displays the API Endpoint URL.
  5. Copy and save the API URL to use while configuring Wiz in SAFE.
    Alternatively, you can open the Wiz configuration page in SAFE in a new tab and paste the API URL in the respective field.
    For more details, refer to GraphQL Endpoint documentation.
    Wiz 1

4.2. Client ID and Client Secret

You must create a service account in Wiz to generate the Client ID and Client Secret. Follow the below steps to get the Client ID and Client Secret:

  1. Login to Wiz with the Project Admin role.
  2. Click the Settings icon available at the top-right of the page.
  3. On the Settings page, Click Service Accounts from the left menu.
  4. Click the Add Service Account button.
    Wiz 2
  5. Enter a Service Account Name.
  6. Select the Custom Integration(GraphQL API) option from the Type drop-down.
  7. Select a Project from the drop-down. You must select the projects with the resources you wish to sync the issues.
  8. Select only the read:issues permission in the API Scopes.
  9. Click the Add Service Account button at the bottom.
    Wiz 3
  10. The system displays the ClientID and Client Secret.
  11. Copy and save the Client ID and Client Secret to use while configuring Wiz in SAFE.
    Alternatively, you can copy and paste the Client ID and Client Secret in their respective fields on the Wiz configuration page in SAFE.
    For more details, refer to Add a Service Account.
    Wiz 4

4.3. Project IDs (Optional)

Wiz permits the organization of cloud resources into Projects, and SAFE has the ability to limit data synchronization to specific projects. You need to indicate the projects you want to retrieve security issues. If no projects are specified, the connector will fetch issues from all projects accessible to the configured Service Account.

To get the Project IDs:

  1. Login to Wiz and navigate to the Projects page.
  2. Click the three dop options menu and copy the ProjectId.
  3. Copy and save the Project IDs to use while configuring Wiz in SAFE.
    Wiz 5

5. Configure Wiz in SAFE


To configure Wiz in SAFE :

  1. Login to SAFE as admin and navigate to SAFE Hooks.
  2. Search and click the Wiz card.
  3. Enter the Wiz API URL, ClientID, and Client Secret.
  4. (Optional) If required, enter the Project ID. You can enter multiple Project IDs separated by a comma.
    • Project ID limits the data synchronization between Wiz and SAFE to specific projects. You must enter the Project IDs from which you want to retrieve issues.
    • If no projects are specified, the connector will fetch issues from all projects accessible to the configured Service Account.
  5. Enter the Auto Sync frequency in a number of days. SAFE continuously sync with Wiz after the number of days you specify here. If the Auto sync frequency is 1 day, SAFE daily sync with Wiz to fetch assets and issues.
  6. If required, uncheck the Auto Onboard New Assets checkbox. 
    • By default, this checkbox is marked, and any resource present in Wiz and not found in SAFE will be onboarded in SAFE. 
    • You can uncheck this box to limit the integration only to assess the assets that are present in SAFE.
  7. Mark the Update Existing Asset Metadata checkbox to ensure up-to-date information in the system.
  8. Click the Test Connection button.
  9. Once the connection is verified, click the Save button.
  10. Once the configuration is saved, click the SyncNow button to trigger the on-demand sync outside of the Scheduled Auto Sync.
    The Auto Sync time is 01:15 UTC.
    WIZ Configuration
  11. The system displays the sync status in the History table.
    Wiz 7

6. View Results


To view the assets and the assessment result:

  1. Click the See Updated Assets option available at the top-right of the History table.
  2. The system redirects you to a filtered assets list of Wiz assets. Alternatively, you can navigate to Technology > Assets and filter the asset list for signal source equals security.safe.wiz.
    Wiz 8
  3. Clicking an asset from the list, you will be redirected to the assets details page, where you can find the controls list.
  4. To see the issues pulled from Wiz, filter the controls list for Control Type as Finding.
    The Issues pulled from Wiz are identified as Findings control type in SAFE.
    Wiz Issues statuses are mapped to SAFE statuses as follows:
    1. Open → Failed
    2. In Progress → Failed
    3. Ignored → Accepted Failed
    4. Resolved → Qualified
      Wiz 9
  5. Click a Finding control type to see the ATT&CK mapping.
    Wiz 10
  6. The Observation tab displays the Wiz link of the particular issue on an asset.
    Wiz 11
Note
Wiz retains Issues till 180 days of resolution. SAFE will delete those issues 90 days after they are deleted from Wiz.

7. Integration History


SAFE displays the Integration Sync History table on each integration's configuration page, providing a comprehensive overview of sync history, including action, start time, started by, and sync status.

Refer to Integration History for more details.

8. SAFE's Outgoing IP Addresses

Click here to find the outgoing IP addresses of SAFE. All traffic to any integrations in SAFE will see one IP address as the source IP of the incoming connection.

9. FAQs


Question 1. I see some issues that are visible in Wiz but are not visible in SAFE. What can be the reason?

Answer: There can be three reasons:

  1. SAFE only sync issues with Critical, High, Medium, and Low severity.
  2. There may be issues in Wiz that are linked to a deleted resource. Such issues and resources will not be pulled in SAFE.
  3. SAFE only pulls AWS, Azure, and GCP resources as of now.

Question 2. What is the source of remediation steps?

Answer: Remediation steps mentioned under each finding are provided by Wiz.

Question 3. What is the equivalent status in SAFE for the "Ignored" status in Wiz

Answer: Ignored status in Wiz is equal to Accepted Failed in SAFE.

Question 4. Where can I see the technologies corresponding to an asset in SAFE?

Answer: Technologies of Wiz assets will be visible as Asset Types in SAFE. You can add the Asset Type column in the Asset List using customize button.

Question 5. If I mark Accepted Failed from SAFE, what would happen if Wiz sync runs again?

Answer: SAFE will only comply with the status marked in Wiz. If you mark a control as Accepted Failed in SAFE, it will get overridden in the next sync. The issue needs to be marked as Ignored in Wiz, and in the next sync, it will automatically get marked as Accepted Faild in SAFE.


Was this article helpful?

What's Next