Wiz integration
- Updated on 26 Jul 2024
Wiz scans every layer of your cloud environment to give visibility into the technologies running in the cloud. It connects to AWS, Azure, GCP, and Kubernetes through their APIs and covers virtual machines, containers, and serverless functions. Traceable protects the APIs hosted on that infrastructure, which is where the application's business logic is implemented. As part of the integration, Traceable identifies threats against each API, and the issues Wiz has found for the underlying resources can be mapped directly to those APIs in the Traceable Threat Activity screens. This gives a combined picture of risk for a cloud-native application across the API, Kubernetes, serverless, and infrastructure layers, so infosec teams can prioritize remediation at either layer according to overall risk.
To integrate Traceable with Wiz, you need the client ID and client secret of a Wiz service account. Traceable uses the information its tracing agents capture at runtime (Kubernetes nodes, services, VMs, and so on) to query Wiz for the matching cloud resources, so you do not have to track manually which resources each API runs on in order to understand the overall risk. Traceable can pull Wiz-identified issues into Traceable, push Traceable-identified threat activity to Wiz, or both. Treat the client secret like any other privileged credential: grant the service account only the Wiz permissions the integration needs (listed under Before you begin) and do not reuse the credential for other tooling.
Before you begin
Make a note of the following before proceeding with Wiz integration:
Ensure you have the Wiz Client ID and Client Secret for the service account, obtained from the Wiz management console.
Ensure you know which services in Traceable have cloud resources visible in the Wiz console.
Ensure you have read and completed the steps in the Wiz documentation for integration with Traceable.
Ensure that the Wiz service account used by Traceable has the following permissions (grant only those for the direction you enable):
Push events (notifications) — System Activities and External Data Ingestion permissions.
Pull issues — Resources and Issues permissions.
This document assumes a working knowledge of the Wiz management console, for example how to find containers, VMs, and serverless functions under the Overview tab.
Configuration
To configure Wiz integration in Traceable, log into your Traceable account and complete the following steps:
Navigate to the Integrations dashboard.
Click on Configure to enter the configuration details:
API Endpoint URL — The Wiz API exposes a single GraphQL endpoint of the form https://api.<region>.app.wiz.io/graphql, where <region> is the region in which your tenant resides, for example us1, us2, eu1, or eu2. Use the region of your own tenant.
Token URL — The OAuth token endpoint, which is an Auth0 or Amazon Cognito endpoint depending on your service account's identity provider. Take the exact URL from the Wiz documentation for your tenant rather than guessing it.
Client ID and secret — The OAuth client credentials (client-credentials grant) that Traceable uses to request an API token. A token lasts 24 hours, so the credentials are used again only to obtain a fresh token when the previous one expires; the secret is sent to the token endpoint, never with ordinary API calls.
Choose whether to pull issues from Wiz, push events to Wiz, or both.
Click Test Connection to check whether Traceable can reach Wiz with the details you entered. If the connection fails, an error message is displayed; re-check the endpoint URL, token URL, and credentials. The Save button is enabled only after the connection test succeeds.
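The Test Connection step above amounts to an OAuth 2.0 client-credentials exchange against the Token URL followed by a query against the GraphQL endpoint. The Python script below is an added example that reproduces that check outside the Traceable UI, for instance to validate a new service account before entering it; it is not Traceable's or Wiz's code. The token URL, the `audience` value, and the `issuesV2` probe field are assumptions taken from public Wiz API documentation and must be verified against your tenant, and the fake transport with its credentials is constructed so the script runs offline. The check refuses to send the secret to anything other than an HTTPS host under wiz.io, and never echoes the secret in its error text.

```python
"""Stand-alone connection test for the Wiz GraphQL API (added example).
Validate both URLs, swap client ID/secret for a bearer token (OAuth 2.0
client credentials), then run one small GraphQL query with that token."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed values (from public Wiz API docs); replace with your tenant's own.
ASSUMED_TOKEN_URL = "https://auth.app.wiz.io/oauth/token"   # Cognito-backed tenants
ASSUMED_API_URL = "https://api.us1.app.wiz.io/graphql"      # tenant in region us1
ASSUMED_AUDIENCE = "wiz-api"
PROBE_QUERY = "query Probe { issuesV2(first: 1) { totalCount } }"  # assumed field name
ALLOWED_HOST_SUFFIX = ".wiz.io"   # never send the secret or token anywhere else

# transport(url, body, headers) -> (status, response_body); injected so the
# check can be exercised offline against a fake.
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


@dataclass
class ConnectionResult:
    ok: bool
    stage: str    # "validate", "token" or "query": where the check stopped
    detail: str   # human-readable reason; never contains the client secret


def validate_url(url: str, name: str) -> Optional[str]:
    """Reject URLs that would leak the secret or token to the wrong place."""
    parts = urllib.parse.urlparse(url)
    if parts.scheme != "https":
        return f"{name} must use https, got {parts.scheme!r}"
    host = parts.hostname or ""
    if not host.endswith(ALLOWED_HOST_SUFFIX):
        return f"{name} host {host!r} is not under {ALLOWED_HOST_SUFFIX}"
    return None


def fetch_token(token_url: str, client_id: str, client_secret: str,
                transport: Transport) -> Tuple[Optional[str], Optional[str]]:
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "audience": ASSUMED_AUDIENCE,
        "client_id": client_id, "client_secret": client_secret}).encode()
    status, raw = transport(token_url, form,
                            {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        return None, f"token endpoint returned HTTP {status}"
    try:
        return json.loads(raw)["access_token"], None
    except (ValueError, KeyError, TypeError):
        return None, "token response did not contain access_token"


def check_connection(api_url: str, token_url: str, client_id: str, client_secret: str,
                     transport: Transport = urllib_transport) -> ConnectionResult:
    for url, name in ((api_url, "API Endpoint URL"), (token_url, "Token URL")):
        problem = validate_url(url, name)
        if problem:
            return ConnectionResult(False, "validate", problem)
    token, problem = fetch_token(token_url, client_id, client_secret, transport)
    if problem:
        return ConnectionResult(False, "token", problem)
    status, raw = transport(api_url, json.dumps({"query": PROBE_QUERY}).encode(),
                            {"Content-Type": "application/json",
                             "Authorization": f"Bearer {token}"})
    if status != 200:
        return ConnectionResult(False, "query", f"GraphQL endpoint returned HTTP {status}")
    try:
        data = json.loads(raw)
    except ValueError:
        return ConnectionResult(False, "query", "GraphQL endpoint returned a non-JSON body")
    if data.get("errors"):
        # Valid token but failing query: usually the service account lacks the
        # Issues/Resources (or System Activities) permissions.
        msgs = "; ".join(e.get("message", "?") for e in data["errors"])
        return ConnectionResult(False, "query", f"GraphQL errors: {msgs}")
    return ConnectionResult(True, "query", "token issued and probe query succeeded")


def fake_wiz_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for Wiz so the check runs offline: one valid
    client ID/secret pair, one valid bearer token, errors for anything else."""
    if url.endswith("/oauth/token"):
        form = urllib.parse.parse_qs(body.decode())
        if form.get("client_id") == ["good-id"] and form.get("client_secret") == ["good-secret"]:
            return 200, json.dumps({"access_token": "tok-123", "expires_in": 86400}).encode()
        return 401, b'{"error":"access_denied"}'
    if headers.get("Authorization") == "Bearer tok-123":
        return 200, json.dumps({"data": {"issuesV2": {"totalCount": 3}}}).encode()
    return 401, b'{"error":"unauthorized"}'


if __name__ == "__main__":
    print(check_connection(ASSUMED_API_URL, ASSUMED_TOKEN_URL,
                           "good-id", "good-secret", fake_wiz_transport))
```

Against a real tenant, drop the last argument so the default urllib transport is used. The `stage` field tells you which of the three inputs to fix: `validate` points at the URLs, `token` at the client ID/secret or token URL, and `query` at the endpoint region or the service account's Wiz permissions.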
Push events to Wiz
Traceable pushes events to Wiz according to the configuration completed above. The same events are visible in Traceable under Protection → Threat activity. Two event types are pushed:
Logged threat activity
Blocked threat activity
To push the events to Wiz, you need to set up notifications. Complete the following steps:
Navigate to Settings → Configurations → Notifications.
Click Create Notification to create a new notification.
Select Wiz Integration from the Who should receive the notification drop-down list on the Create Notification page.
Select Logged Threat Activity or Blocked Threat Activity from the Category drop-down list.
Note
You can create two different notifications, one each for Logged and Blocked threat activity.
Configure the remaining options and click Save.
Traceable sends at most 250 events per 24-hour window, counted across logged and blocked threat activity combined. Events beyond that cap are not delivered to Wiz in that window, so treat the Traceable Threat Activity screen, not Wiz, as the complete record. Events that are pushed appear in the Cloud Events section of Wiz.
Note
You need to configure Notifications only to push events to Wiz. The pulling of issues from Wiz happens automatically.
You can view the events pushed to Wiz by navigating to Cloud Events as shown below:
Pull issues from Wiz
You can view the Wiz issues in Traceable by navigating to Protection → APIs Under Threat. To list the Wiz issues in Traceable, group by Service Name, as shown in the screenshot below.
You can click on Wiz under the Integrations column to view the Issues found through Wiz.
Traceable automatically determines which APIs run on cloud resources that are visible in Wiz. You can drill down into the details by clicking any of the service names as shown below: