Integrate Wiz with Red Canary
- Updated on 10 Sep 2024
Wiz is a cloud-based security tool offering posture analysis and threat detection. Wiz identifies vulnerabilities and active exploits. Through our integration with Wiz, Red Canary users receive these notifications under Alerts. We aim to investigate these notifications, especially those related to active exploitation.
Currently, Wiz serves solely as a source of stored data as we are building expertise with this data set.
Note: By configuring this integration, you are opting into Red Canary’s Wiz design partnership and acknowledging that this is an Early Access integration and that alerts will be stored only during our Research phase leading up to General Access.
Contact your Red Canary account representative to request participation in our design partnership. Wiz also has a Red Canary-specific help article outlining this process.
Wiz Terminology
Issue—an alert; any threat detection, configuration problem, or otherwise problematic item.
Integration—a destination for automation rule notifications; it is not an API client and is not used to configure Red Canary at this time.
Graph Control Issue—these issues typically stem from posture discrepancies detected by observing the system’s state, such as its configuration. These observations are then compared against predefined controls. Any deviations from these controls trigger the generation of issues. Customers may create custom controls. For example, Red Canary implements a control named ‘Servers not running LEDR,’ also referred to as a ‘Toxic Combination.’ These issues do not always indicate active exploitation but rather highlight the potential for exploitation.
Threat Detection Issue—an issue resulting from activity within an environment, as might be gleaned from audit logs. These issues indicate active exploitation.
Configuration Issue—an issue a policy generates when the state of some configuration item does not comply with that policy.
Step 1: Choose the scope of your integration
From your Red Canary homepage, click Integrations.
From the Integrations section, locate and then click Wiz.
Click Configure.
From the Ingest Format/Method dropdown, select Wiz via Api Poll.
To fill out the rest of the fields, proceed to the next step.
Step 2: Create and save your Wiz Service Account
Create the Service Account
From your Wiz dashboard, click Settings.
Click Service Accounts.
Click + Add Service Account.
When prompted, name the service account.
From the Type dropdown, select Custom Integration (GraphQL API).
Leave Projects and Expiration Date blank.
Select the account access scope.
Note: This image is an example of what scope selection looks like and does not show all the required scopes. The screenshot is meant to help identify where to look on the page.
Required Permissions
Issues
- Read/list (read:issues) - retrieve issues for display in portal
- Update (update:issues) - for future status (open, resolved, etc.) update support
Cloud Events
- Read (read:cloud_events) - data enrichment
Issue Comments
- Create, update, delete (write:issue_comments) - for future status update comment support
Automation Actions
- Read, list (read:automation_actions) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Update (update:automation_actions) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Create (create:automation_actions) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
Integrations
- Read, list (read:integrations) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Update (update:integrations) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Create (create:integrations) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
Action Templates
- Read, list (read:action_templates) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Create (create:action_templates) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Delete (delete:action_templates) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest; needed because, should we choose to use them, action templates are write-once and must be replaced rather than updated.
Automation Rules
- Read, list (read:automation_rules) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Update (update:automation_rules) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
- Create (create:automation_rules) - (reserved, 2024-04) to be used to support any potential future transition to automation-rules based ingest
Inventory
- Read, list (read:inventory) - data enrichment
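The following is an added example, not Red Canary's or Wiz's code: a least-privilege check that compares the scopes granted to the service account with the Required Permissions list above and flags write-capable scopes that the page marks as future or reserved. The purpose labels, the function name, and the sample input are assumptions of this example.

```python
# Scopes transcribed from the "Required Permissions" list on this page.
# The labels are this example's shorthand for the page's stated purposes:
#   in_use   = display in portal / data enrichment
#   future   = "for future status ... support"
#   reserved = "(reserved, 2024-04)" for automation-rules based ingest
REQUIRED_SCOPES = {
    "read:issues": "in_use",
    "read:cloud_events": "in_use",
    "read:inventory": "in_use",
    "update:issues": "future",
    "write:issue_comments": "future",
}
RESERVED = {
    "automation_actions": ("read", "update", "create"),
    "integrations": ("read", "update", "create"),
    "action_templates": ("read", "create", "delete"),
    "automation_rules": ("read", "update", "create"),
}
REQUIRED_SCOPES.update(
    {f"{verb}:{res}": "reserved" for res, verbs in RESERVED.items() for verb in verbs}
)


def audit_scopes(granted):
    """Compare a service account's granted scopes with the page's list."""
    granted = {s.strip().lower() for s in granted if s.strip()}
    required = set(REQUIRED_SCOPES)
    return {
        # The integration cannot work as documented without these.
        "missing": sorted(required - granted),
        # Not on the page's list: remove unless another use justifies them.
        "unexpected": sorted(granted - required),
        # Can change Wiz state but serve no current feature: review periodically.
        "mutating_not_in_use": sorted(
            s for s in granted & required
            if REQUIRED_SCOPES[s] != "in_use" and not s.startswith("read:")
        ),
    }


# Constructed sample: one required scope left out, one placeholder scope added.
SAMPLE_GRANTED = [s for s in REQUIRED_SCOPES if s != "read:inventory"]
SAMPLE_GRANTED.append("example:unlisted_scope")  # placeholder, not a real Wiz scope

if __name__ == "__main__":
    for finding, scopes in audit_scopes(SAMPLE_GRANTED).items():
        print(f"{finding}: {', '.join(scopes) or 'none'}")
```

Run it against the scope list copied from the service account page whenever the integration's permissions are reviewed.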
Save the Service Account and Copy Credentials
Note: Collect the service account’s credentials when creating the service account, as they won’t be available again.
Copy the credentials created in Step 2 into the Client Secret field.
Click Finish.
Open the user menu and select Tenant Info to obtain the API Base URL.
Copy the API Endpoint URL. This will be pasted into Red Canary.
Step 3: Enter your Wiz credentials into Red Canary
Paste the API Endpoint URL into the Wiz Api Base Url field.
Click Save Configuration.