- 21 Apr 2023
- 2 Minutes to read
Wiz scans every layer of your cloud environments to provide complete visibility into every technology running in the cloud. Wiz connects to AWS, Azure, GCP, and Kubernetes through their APIs, covering virtual machines, containers, and serverless functions. Traceable protects the APIs that are hosted in this infrastructure and implement the business logic of your applications. As part of the integration, Traceable identifies threats for each of these APIs. The corresponding threats and issues in Wiz can be mapped directly into the Traceable Threat Activity screens. This allows you to understand the overall risk of a cloud-native application across the API, Kubernetes, serverless, and underlying infrastructure layers. Infosec teams can accordingly prioritize addressing threats at both layers, depending on the overall risk.
To integrate Traceable with Wiz, you need the client ID and secret of the Wiz account. Traceable maps Kubernetes instances, services, VMs, and so on by using the information our tracing agents capture at runtime to query Wiz for the relevant resources. This means you do not have to track the resources where these APIs are running in order to understand the overall risk.
Before you begin
Make a note of the following before proceeding with Wiz integration:
- Make sure that you have access to the Wiz Client ID and Wiz Secret Access Key from the Wiz management console.
- Make sure that you know which Traceable services run on cloud resources that are visible in the Wiz console.
The document assumes that you have reasonable knowledge of the Wiz management console, for example, how to look for containers, VMs, and serverless functions under the Overview tab.
To configure Wiz integration in Traceable, log into your Traceable account and complete the following steps:
- Navigate to the Integrations dashboard.
- Click on Configure to enter the configuration details:
- API Endpoint URL - The Wiz Integration API has a single GraphQL endpoint, such as https://api.<region>.app.wiz.io/graphql. The region defines where the tenant resides, for example, us1, us2, eu1, or eu2.
- Token URL - The token URL is an Auth0 or Amazon Cognito endpoint, depending on your service account's identity provider.
- Client ID and secret - These are the OAuth credentials required to request a new API token with every API call. A token lasts for 24 hours.
- Click on Test Connection to test whether Traceable can integrate with Wiz using the given credentials. If the connection fails, an error message is displayed; check the credentials that you entered. The Save button is enabled only when the test connection succeeds.
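To show how the three configuration values fit together, here is an added Python example (not Traceable's or Wiz's own code) that requests a token with the client credentials, caches it for the documented 24-hour lifetime, and reproduces the Test Connection check against the GraphQL endpoint. The token URL, client ID and secret are placeholders; any extra form fields a particular Auth0 or Cognito tenant requires beyond the standard client-credentials grant, and the Wiz GraphQL schema, are not on this page, so the check uses the schema-agnostic `{ __typename }` query.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode
TOKEN_LIFETIME_S = 24 * 60 * 60  # page: a token lasts 24 hours

def wiz_graphql_endpoint(region):
    """Single GraphQL endpoint in the page's URL pattern; region is e.g. us1, us2, eu1, eu2."""
    return f"https://api.{region}.app.wiz.io/graphql"

def _http_post(url, headers, body):  # real transport: POST, return (status, bytes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()

class WizConnection:
    def __init__(self, region, token_url, client_id, client_secret,
                 transport=_http_post, clock=time.time):  # transport/clock injectable for tests
        self.endpoint, self.token_url = wiz_graphql_endpoint(region), token_url
        self.client_id, self.client_secret = client_id, client_secret
        self._transport, self._clock, self._token, self._expires_at = transport, clock, None, 0.0

    def access_token(self):
        """Client-credentials grant; the token is reused until 60 s before it expires."""
        if self._token is None or self._clock() >= self._expires_at - 60:
            form = urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                              "client_secret": self.client_secret}).encode()
            status, raw = self._transport(
                self.token_url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200:
                raise RuntimeError(f"token request failed with HTTP {status}")
            tok = json.loads(raw)
            self._token = tok["access_token"]
            # Prefer the server's expires_in; fall back to the documented 24 h lifetime.
            self._expires_at = self._clock() + tok.get("expires_in", TOKEN_LIFETIME_S)
        return self._token
    def test_connection(self):
        """Mirror of the Test Connection button: (ok, message), never raises on bad creds."""
        try:
            token = self.access_token()
            # '{ __typename }' is valid against any GraphQL schema, so no Wiz query is assumed.
            query = json.dumps({"query": "{ __typename }"}).encode()
            status, raw = self._transport(self.endpoint, {"Authorization": f"Bearer {token}",
                                                          "Content-Type": "application/json"}, query)
            body = json.loads(raw) if status == 200 else {"errors": [f"HTTP {status}"]}
        except (RuntimeError, KeyError, ValueError) as exc:
            return False, f"credential check failed: {exc}"
        if body.get("errors") or "data" not in body:
            return False, f"Wiz rejected the query: {body.get('errors')}"
        return True, "ok"
```

With the default transport the same object can be pointed at a real tenant; the injectable transport and clock exist so the token-refresh and failure paths can be exercised offline.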
Wiz issues mapping in Traceable
You can view the Wiz issues in Traceable by navigating to Protection → APIs Under Threat. Group by service name as shown in the screenshot below to list the Wiz issues in Traceable.
Traceable automatically determines which APIs are running on cloud resources that Wiz protects. You can drill down further into the details by clicking on any of the service names, as shown below: