- 20 Nov 2025
- 7 Minutes to read
Integrate Wiz with Red Canary
Limited Access Feature
The Wiz integration is currently available by invitation as a Limited Access feature. For more information about our Limited Access program, please see Red Canary Release Stages. To enable Red Canary to investigate your Wiz alerts, contact your Red Canary account representative or open a support ticket to request access to Wiz Alert Investigations.
This guide outlines how to integrate Wiz with Red Canary’s MDR for Cloud offering. Wiz is a cloud-native security platform that provides comprehensive posture analysis and threat detection across your cloud environments. The integration combines Wiz detection capabilities with Red Canary’s expert investigation, enabling our teams to investigate Wiz-generated alerts and enrich Red Canary investigations with valuable Wiz risk context. For more information on how Red Canary ingests data from Wiz, see the FAQ.
Prerequisites
Before you start the Wiz integration, please make sure the following requirements are met:
You have an active Red Canary MDR Cloud subscription
You are sending control plane telemetry to Red Canary through the AWS, Azure, or GCP integrations
You have the following Wiz licenses:
Wiz Advanced Cloud License: This is the minimum required license and must include Threat Detection Issues, Toxic Combinations, and Cloud Config Findings.
Wiz Defend Ingestion Add-on: This add-on enables additional features. To ingest identity threats and additional detections into Red Canary, you must have the Wiz Defend add-on and at least one integrated identity provider (Okta, Entra ID, or Google Workspace).
You consent to the required permissions (configured in Step 3). For more details, see the FAQ.
1 Red Canary | Add the Integration
From your Red Canary homepage, go to the Integrations page, then click Add Integration.

On the Add integration dialog, search for the Wiz integration, then click Configure.

On the Red Canary configuration page, enter a name for the integration.

2 Red Canary | Choose How Red Canary Will Receive This Data
On the Red Canary configuration page, set Ingest Format / Method to Wiz via API Poll.

Click Next.
3 Wiz | Create a Service Account
From your Wiz dashboard, go to Settings > Service Accounts.

On the Service Accounts page, click Add Service Account.

Name the service account.

From the Type dropdown, select Custom Integration (GraphQL API).

Leave Projects and Expiration Date blank.
In the API Scopes section, enable the following permissions:
Issues
  Read/list (read:issues)
  Read/list (read:threat_issues)
Threat Issues
  Read/list (read:threat_issues)
Issue Status
  Write Status (write:issue_status)
Issue Comments
  Create, update, delete (write:issue_comments)
Cloud Events
  Read (read:cloud_events_cloud)
Automation Actions
  Read/list (read:automation_actions)
  Update (update:automation_actions)
  Create (create:automation_actions)
Integrations
  Read/list (read:integrations)
  Update (update:integrations)
  Create (create:integrations)
Action Templates
  Read/list (read:action_templates)
  Create (create:action_templates)
  Delete (delete:action_templates)
Automation Rules
  Read/list (read:automation_rules)
  Update (update:automation_rules)
  Create (create:automation_rules)
Inventory
  Read/list (read:inventory)
Cloud Accounts
  Read/list (read:cloud_accounts)
Detections
  Read/list (read:detections)

To learn more about why Red Canary needs these permissions, see the FAQ.
Click Add Service Account.
4 Wiz/Red Canary | Configure Red Canary to Retrieve Data from This Integration
Warning
Do not click Finish until you’ve copied and pasted both secret credentials into Red Canary in the step below.
Copy your secret credentials and paste them into the Red Canary configuration page:
Paste Client ID into the Wiz OAuth Client ID field.
Paste Client Secret into the Wiz OAuth Client Secret field.


Return to Wiz and click Finish.
In the top-right corner, click your user icon, then Tenant Info.

From the General tab:
Paste API Endpoint URL into the Wiz API base URL field.
Paste Authentication URL into the Wiz OAuth Token URL field.


To obtain the Auth Token URL, follow the steps in the Wiz documentation, then paste it into the Wiz OAuth Audience field.

Click Next.
5 Red Canary | Customize How Data From This Integration Is Handled
[OPTIONAL] You can enable Process Correlation, which allows Red Canary to correlate user-defined alerts from Wiz with our rule metadata when displaying them in the timeline:
Check the Enable process correlation for user-defined alerts box.

Click Next.
6 Red Canary | Customize How This Data Is Retained
[OPTIONAL] If you’re subscribed to the Red Canary Security Data Lake managed storage solution, you can choose to copy the telemetry generated by the integration to long-term storage for later query or retrieval.
Check the Store in the Security Data Lake box.
Enter your desired data retention period in days. The maximum is 1095 days (three years).

7 Red Canary | Activate the Integration
After you’ve completed the configuration, click Save to activate the integration.
The Wiz integration is now live!
Wiz data should appear in Red Canary within 5 minutes, provided it is a supported data type that meets our filtering criteria. For additional details, see the FAQ.
8 Red Canary | Modify the Integration
After the Wiz integration is active, you can make the following modifications to the configuration:
Update the API configuration used by the integration
Adjust the Security Data Lake retention period
Decommission the integration
To modify the configuration:
From your Red Canary homepage, go to the Integrations page, then click on the name of the integration you want to modify.

After you’ve finished editing the configuration, click Save to apply your changes.
Deleting the Integration
To delete the integration from Red Canary, click the button, then click OK to confirm.
Important
Deleting the integration will prevent any new alerts from being sent to Red Canary. While existing threat data will remain, all processed alerts will be permanently deleted, and this action cannot be undone.
For this reason, we recommend deactivating the integration instead, which will retain all previously processed alerts but stop further ingestion. You can reactivate the integration at any time.
FAQ
What are the required permissions for the Wiz integration?
The table below details all required permissions and explains why Red Canary requires each one.
| Category | Permission | Justification |
|---|---|---|
| Issues | Read/list | Used to retrieve issues for display in the portal |
| | Read/list (read:threat_issues) | Used to retrieve threat issues and display them in the Red Canary portal |
| Issue Status | Write Status (write:issue_status) | Used to update the status of issues (open, resolved, etc.) |
| Issue Comments | Create, update, delete (write:issue_comments) | Used to create and manage comments on updated issues |
| Cloud Events | Read (read:cloud_events_cloud) | Used for data enrichment |
| Automation Actions | Read/list (read:automation_actions) | Used to support any potential future transition to automation rules-based ingest |
| | Update (update:automation_actions) | Used to support any potential future transition to automation rules-based ingest |
| | Create (create:automation_actions) | Used to support any potential future transition to automation rules-based ingest |
| Integrations | Read/list | Used to support any potential future transition to automation rules-based ingest |
| | Update | Used to support any potential future transition to automation rules-based ingest |
| | Create | Used to support any potential future transition to automation rules-based ingest |
| Action Templates | Read/list (read:action_templates) | Used to support any potential future transition to automation rules-based ingest |
| | Create (create:action_templates) | Used to support any potential future transition to automation rules-based ingest |
| | Delete (delete:action_templates) | Used to support any potential future transition to automation rules-based ingest. Action templates are write-once and must be replaced instead of updated. |
| Automation Rules | Read/list (read:automation_rules) | Used to support any potential future transition to automation rules-based ingest |
| | Update (update:automation_rules) | Used to support any potential future transition to automation rules-based ingest |
| | Create (create:automation_rules) | Used to support any potential future transition to automation rules-based ingest |
| Inventory | Read/list | Used for data enrichment |
| Cloud Accounts | Read/list (read:cloud_accounts) | Used for data scoping |
| Detections | Read/list | Used to retrieve detections and display them in the Red Canary portal |
Which types of Wiz data does Red Canary ingest?
Red Canary is capable of ingesting the following types of alert data, each serving specific purposes for threat detection and investigation:
Alerts processed through Red Canary's investigative workflows
These alerts undergo comprehensive analysis through Red Canary's investigative workflows. They enable Red Canary to identify and address potential threats effectively.
Detections: Detections represent findings generated by Threat Detection Rules when analyzing cloud events, logs, or runtime activity. These high-fidelity alerts are designed to identify suspicious and unusual activity in cloud environments. Wiz automatically groups related Detections into a broader Threat for better context.
Threat Detection Issues: Generated by Threat Detection Rules, these Issues arise from the evaluation of cloud events affecting individual resources. They indicate the detection of specific suspicious activities within a cloud environment.
Alerts used as supplemental data to enhance investigations
These alerts provide additional context to help investigators better understand and respond to security threats.
Toxic Combination Issues: Created by Graph Control queries, these Issues identify "toxic combinations" of risks within a cloud environment. They highlight correlated risks that increase vulnerability to high-impact exploitation by attackers.
Cloud Configuration Findings: Generated by Cloud Configuration Rules, these Findings result from evaluating resource settings for posture management. They detect misconfigurations that could weaken the overall security posture of a cloud environment.
Why is Wiz data not appearing in Red Canary?
If you're not seeing Wiz data in Red Canary, it may be due to one or more of the following reasons:
Non-essential Alert Data: Red Canary only ingests alerts categorized as Medium, High, or Critical. Any Low-level alerts sent to Red Canary will be filtered out and will not appear in the portal.
Unsupported Data Types: Red Canary is only capable of ingesting the following types of Wiz data:
Alerts processed through Red Canary's investigative workflows (Detections and Threat Detection Issues)
Alerts processed as supplemental data, contextual to other investigations (Toxic Combination Issues and Cloud Configuration Findings)
If your Wiz data does not align with these supported types, it will not be visible in the portal.
Incorrect Permissions Configuration: Red Canary requires certain permissions, which are configured in Step 3 of the setup process. If any of these permissions are missing or misconfigured, it could prevent the ingestion of Wiz data into Red Canary.
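The scope list in Step 3 and the Incorrect Permissions Configuration item above can be checked mechanically before you open a support ticket. The following is an added example, not Red Canary or Wiz code: it parses scope lines pasted from the service account page and reports scopes that are missing, scopes beyond what this guide asks for, and scopes that can change state in the tenant. The sample input and the `delete:issues` scope in it are constructed for illustration.

```python
import re

# The 20 scopes listed in Step 3 of this guide.
REQUIRED_SCOPES = frozenset("""
read:issues read:threat_issues write:issue_status write:issue_comments
read:cloud_events_cloud read:automation_actions update:automation_actions
create:automation_actions read:integrations update:integrations
create:integrations read:action_templates create:action_templates
delete:action_templates read:automation_rules update:automation_rules
create:automation_rules read:inventory read:cloud_accounts read:detections
""".split())

# Verbs that let the integration modify objects in the Wiz tenant.
MUTATING_VERBS = {"write", "update", "create", "delete"}
SCOPE_RE = re.compile(r"\b([a-z_]+):([a-z_]+)\b")


def parse_scopes(text):
    """Extract verb:resource scopes from text such as 'Read/list (read:issues)'."""
    return {f"{verb}:{res}" for verb, res in SCOPE_RE.findall(text)}


def audit_scopes(granted_text):
    """Compare the granted scopes with the set documented in Step 3."""
    granted = parse_scopes(granted_text)
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),     # can block ingestion
        "unexpected": sorted(granted - REQUIRED_SCOPES),  # more than the guide asks for
        "mutating": sorted(s for s in granted
                           if s.split(":")[0] in MUTATING_VERBS),
    }


# Constructed sample: scope lines as they might be copied from the service
# account page. delete:issues is a hypothetical extra scope, not from the guide.
SAMPLE_GRANTED = """
Read/list (read:issues)
Read/list (read:threat_issues)
Write Status (write:issue_status)
Read (read:cloud_events_cloud)
Read/list (read:inventory)
Read/list (read:cloud_accounts)
Delete (delete:issues)
"""

if __name__ == "__main__":
    for key, scopes in audit_scopes(SAMPLE_GRANTED).items():
        print(f"{key} ({len(scopes)}): {', '.join(scopes) or '-'}")
```

An empty `missing` list together with an empty `unexpected` list means the service account matches Step 3 exactly; the `mutating` list is the part of the grant worth recording in your third-party access review.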