Wiz IO
About
Agentless coverage of your entire cloud environment
- Wiz scans every resource across the entire cloud stack and across multi-cloud environments using a 100% API-based approach that deploys in minutes, with no agents to install.
Analysis that goes beyond standalone point solutions
- Wiz combines what used to be addressed by separate CSPM and CWPP products with its Cloud Risk Engine to reveal effective risk rather than isolated findings.
The most critical risks surfaced and prioritized instantly
- Wiz finds the toxic combinations of cloud risk factors that together create an actual breach path, and prioritizes those first.
Product Details
Vendor URL: Wiz IO
Product Type: Monitoring
Product Tier: Tier II
Integration Method: Custom
Integration URL: Wiz IO - Cyderes Documentation
Log Guide: Sample Logs by Log Type - Cyderes Documentation
Parser Details
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: WIZ_IO
UDM Fields (list of all UDM fields leveraged in the Parser). Log file fields are written as dotted paths into the Wiz issue JSON; `Projects` and `Entity.Technologies` are arrays in the source event.

| Log File Field | UDM Field |
|---|---|
| Control.Description | extensions.vulns.vulnerabilities.description |
| Control.ID | principal.hostname |
| Control.Name | metadata.product_event_type |
| Entity.ID | target.cloud.project.id |
| Entity.Name | target.cloud.project.name |
| Entity.Technologies.Name | security_result.about.resource.name |
| Entity.Technologies.StackLayer | security_result.about.resource.resource_subtype |
| Entity.Type | target.cloud.project.type |
| ID | metadata.product_log_id |
| Projects.ID | security_result.about.cloud.project.id |
| Projects.Name | security_result.about.cloud.project.name |
| Severity | security_result.severity |
| Status | security_result.about.investigation.comments |
| sysloghost | observer.hostname |
| tagCountry | principal.asset.location.country_or_region |

Fields the parser sets to constants rather than deriving from a log field (metadata.event_type, metadata.vendor_name, metadata.product_name, security_result.about.investigation.status) are not listed here; see the Sample Parsing section for their values. `sysloghost` and `tagCountry` are not part of the Wiz issue JSON body shown in the Log Sample.
Product Event Types

| Event | UDM Event Classification |
|---|---|
| all | SCAN_VULN_HOST |
Log Sample
The identifier values in this sample (`id`, `HOSTNAME`, `name`) are placeholders, so they do not line up one-to-one with the values shown under Sample Parsing (for example, `Entity.ID` is `HOSTNAME` here while `target.cloud.project.id` is parsed as `id`). The timestamps `0001-01-01T00:00:00Z` on `DueAt`, `ResolvedAt`, `FirstSeen` and `LastSeen` are Wiz's zero value for an unset time, not real dates.

```json
{
  "ID": "id",
  "Severity": "HIGH",
  "Status": "OPEN",
  "ResolutionReason": "",
  "Description": "This VM instance group is widely accessible on any port. Thus, an attacker can easily access it and compromise it. It is highly recommended to limit the network access to each resource for only the required paths. ",
  "Note": "",
  "Control": {
    "ID": "id",
    "Name": "VM instance group widely accessible on any port",
    "Description": "This VM instance group is widely accessible on any port. Thus, an attacker can easily access it and compromise it. It is highly recommended to limit the network access to each resource for only the required paths. ",
    "ResolutionRecommendation": "To resolve this issue follow these steps:\n1. Inspect the evidence.\n2. If the resource is stale, remove it.\n3. Restrict the public exposure:\n * Inspect the Wiz network exposure calculation and restrict public access to the VM.\n * Ensure that exposed ports allow only encrypted communications.\n* Limit the range of addresses that allows access to this VM group.",
    "Tags": [],
    "Type": "SECURITY_GRAPH",
    "Severity": "HIGH",
    "CreatedAt": "2021-04-04T07:16:35Z",
    "LastRunAt": "2021-11-19T16:04:51Z",
    "LastSuccessfulRunAt": "2021-11-19T16:04:51Z",
    "Enabled": true
  },
  "Projects": [
    {
      "ID": "HOSTNAME",
      "Name": "Azure Production ",
      "Description": "",
      "Identifiers": [],
      "BusinessUnit": "",
      "RiskProfile": {"BusinessImpact": "HBI"},
      "Slug": "azure-production",
      "Archived": false
    }
  ],
  "ServiceTickets": [],
  "Entity": {
    "ID": "HOSTNAME",
    "Name": "name",
    "Type": "COMPUTE_INSTANCE_GROUP",
    "FirstSeen": "0001-01-01T00:00:00Z",
    "LastSeen": "0001-01-01T00:00:00Z",
    "Technologies": [
      {
        "Name": "Azure Databricks",
        "Description": "Fast, easy, and collaborative Apache Spark-based analytics platform",
        "Note": "",
        "Risk": "HIGH",
        "Categories": [{"Name": "Machine Learning \u0026 AI"}],
        "StackLayer": "APPLICATION_AND_DATA",
        "DeploymentModel": "CLOUD_PLATFORM_SERVICE"
      }
    ],
    "UserMetadata": {"Note": "", "IsIgnored": false, "IsInWatchlist": false},
    "CustomIPRangeExposures": {"Nodes": [], "TotalCount": 0},
    "OtherSubscriptionExposures": {"Nodes": [], "TotalCount": 0},
    "OtherVnetExposures": {"Nodes": [], "TotalCount": 0},
    "PublicExposures": {"Nodes": [], "TotalCount": 0},
    "VPNExposures": {"Nodes": [], "TotalCount": 0}
  },
  "EntitySnapshot": {"ID": "HOSTNAME", "Name": "name", "Type": "COMPUTE_INSTANCE_GROUP", "CloudPlatform": "Azure"},
  "CreatedAt": "2021-11-19T16:04:51Z",
  "DueAt": "0001-01-01T00:00:00Z",
  "ResolvedAt": "0001-01-01T00:00:00Z",
  "UpdatedAt": "2021-11-19T16:04:51Z"
}
```
Sample Parsing

```text
metadata.product_log_id = "id"
metadata.event_timestamp = "2021-11-19T16:08:39.365219Z"
metadata.event_type = "SCAN_VULN_HOST"
metadata.vendor_name = "WIZ"
metadata.product_name = "IO"
metadata.product_event_type = "VM instance group widely accessible on any port"
metadata.ingested_timestamp = "2021-11-19T16:08:39.365219Z"
principal.hostname = "HOSTNAME"
principal.asset.hostname = "HOSTNAME"
target.cloud.project.type = "COMPUTE_INSTANCE_GROUP"
target.cloud.project.id = "id"
target.cloud.project.name = "name"
security_result.about.resource.name = "Azure Databricks"
security_result.about.resource.resource_subtype = "APPLICATION_AND_DATA"
security_result.about.cloud.project.id = "id"
security_result.about.cloud.project.name = "Azure Production "
security_result.about.investigation.status = "NEW"
security_result.about.investigation.comments = "OPEN"
security_result.severity = "HIGH"
extensions.vulns.vulnerabilities.description = "This VM instance group is widely accessible on any port. Thus, an attacker can easily access it and compromise it. It is highly recommended to limit the network access to each resource for only the required paths. "
```

Note that `metadata.event_timestamp` equals `metadata.ingested_timestamp` (16:08:39Z) rather than the issue's `CreatedAt`/`UpdatedAt` (16:04:51Z): the UDM event time records when the issue was received, not when Wiz raised or last updated it. Rules that window on issue age should use the Wiz timestamps from the raw log, and `security_result.about.investigation.status` is the constant `NEW` while the Wiz issue state (`OPEN`) lands in `investigation.comments`.
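To check what the field mapping table and the Sample Parsing above describe, here is an added Python reference normalizer that applies the documented field-to-UDM mapping to a constructed Wiz issue and reports which fields a detection would need but could not be populated. It is example code written for this page, not the Cyderes parser, and does not reproduce that parser's internals. Its assumptions: the Wiz severity vocabulary (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL) mapped onto the UDM severity enum with UNKNOWN_SEVERITY as the fallback; the first element of the `Projects` and `Entity.Technologies` arrays feeding the single-valued UDM fields; and the constants (`SCAN_VULN_HOST`, `WIZ`, `IO`, investigation status `NEW`) taken from the Sample Parsing output. The `principal.hostname` row is followed as documented (`Control.ID`), even though the Sample Parsing output shows that field carrying the same placeholder as `Entity.ID`; confirm that row against live events before building detections on it. The sample issue, `REQUIRED_FIELDS`, and the function names are this example's own.

```python
import json
from typing import Any, Dict, List

# Constructed sample issue in the shape of the Log Sample above, trimmed to
# the keys the parser table uses and given distinct placeholder values so
# each UDM field can be traced back to its source key.
SAMPLE_WIZ_ISSUE = json.dumps({
    "ID": "issue-0001",
    "Severity": "HIGH",
    "Status": "OPEN",
    "Control": {
        "ID": "control-0001",
        "Name": "VM instance group widely accessible on any port",
        "Description": "This VM instance group is widely accessible on any port.",
        "Type": "SECURITY_GRAPH",
    },
    "Projects": [{"ID": "project-0001", "Name": "Azure Production "}],
    "Entity": {
        "ID": "entity-0001",
        "Name": "vmss-web-prod",
        "Type": "COMPUTE_INSTANCE_GROUP",
        "Technologies": [{"Name": "Azure Databricks", "StackLayer": "APPLICATION_AND_DATA"}],
    },
})

# Assumed Wiz severity vocabulary -> UDM SecurityResult severity enum.
SEVERITY_MAP = {
    "CRITICAL": "CRITICAL",
    "HIGH": "HIGH",
    "MEDIUM": "MEDIUM",
    "LOW": "LOW",
    "INFORMATIONAL": "INFORMATIONAL",
}

# UDM fields a detection on this source would typically depend on
# (this example's own choice, not a Cyderes requirement).
REQUIRED_FIELDS = (
    "metadata.product_log_id",
    "metadata.product_event_type",
    "security_result.severity",
    "security_result.about.cloud.project.id",
    "target.cloud.project.id",
)


def first(items: Any) -> Dict[str, Any]:
    """Return the first element of a list-valued Wiz field, or {} if absent or empty."""
    if isinstance(items, list) and items and isinstance(items[0], dict):
        return items[0]
    return {}


def normalize_wiz_issue(raw_json: str) -> Dict[str, Any]:
    """Map one Wiz issue (JSON text) onto the UDM field paths documented above."""
    issue = json.loads(raw_json)
    control = issue.get("Control") or {}
    entity = issue.get("Entity") or {}
    project = first(issue.get("Projects"))          # first project only (assumption)
    technology = first(entity.get("Technologies"))  # first technology only (assumption)
    severity = str(issue.get("Severity", "")).upper()

    udm: Dict[str, Any] = {
        # Constants seen in the Sample Parsing output
        "metadata.event_type": "SCAN_VULN_HOST",
        "metadata.vendor_name": "WIZ",
        "metadata.product_name": "IO",
        "security_result.about.investigation.status": "NEW",
        # Field-to-UDM rows from the mapping table
        "metadata.product_log_id": issue.get("ID"),
        "metadata.product_event_type": control.get("Name"),
        "principal.hostname": control.get("ID"),
        "target.cloud.project.id": entity.get("ID"),
        "target.cloud.project.name": entity.get("Name"),
        "target.cloud.project.type": entity.get("Type"),
        "security_result.about.resource.name": technology.get("Name"),
        "security_result.about.resource.resource_subtype": technology.get("StackLayer"),
        "security_result.about.cloud.project.id": project.get("ID"),
        "security_result.about.cloud.project.name": project.get("Name"),
        "security_result.about.investigation.comments": issue.get("Status"),
        "security_result.severity": SEVERITY_MAP.get(severity, "UNKNOWN_SEVERITY"),
        "extensions.vulns.vulnerabilities.description": control.get("Description"),
    }
    # Emit only fields that could actually be populated from the event.
    return {k: v for k, v in udm.items() if v not in (None, "")}


def missing_udm_fields(udm: Dict[str, Any], required=REQUIRED_FIELDS) -> List[str]:
    """List required UDM fields that the normalized event failed to populate."""
    return [field for field in required if field not in udm]


if __name__ == "__main__":
    event = normalize_wiz_issue(SAMPLE_WIZ_ISSUE)
    for path, value in event.items():
        print(f"{path} = {value!r}")
    print("missing:", missing_udm_fields(event))
```

Feed `normalize_wiz_issue` one issue per line from a Wiz export and run `missing_udm_fields` over the results: an issue with no `Projects` entry or an unrecognized severity shows up immediately as a gap in the fields your rules key on, which is the failure mode the "Near 100%" normalization rate above does not reveal on its own.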
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon