Wiz

Wiz is a leading cloud security platform that provides agentless visibility, risk prioritization, and security graph analysis across multi-cloud environments. It helps organizations secure their AWS, Azure, GCP, Oracle Cloud, and Kubernetes workloads by identifying vulnerabilities, misconfigurations, and potential attack paths.

Wiz is trusted by over 50% of Fortune 100 companies and focuses on providing comprehensive cloud security through its Security Graph technology, which maps relationships between cloud resources to identify toxic risk combinations and lateral movement paths.

Authentication Types

Wiz supports one authentication method:

  • Client Credentials (Service Account) - OAuth2 client credentials flow using a service account
    • Pros: Secure for automation, supports granular scopes, audit trails per service account, recommended for production
    • Cons: Requires admin access to create service account, tokens expire after 24 hours (automatically refreshed)

General Settings

Before using the connector, you need to configure:

  • API Endpoint URL - Your tenant-specific Wiz API endpoint (e.g., https://api.us1.app.wiz.io, https://api.eu1.app.wiz.io)
    • Find this in your Wiz portal: Click your profile icon → User Settings → Look for "API Endpoint URL" in the API section
    • Different regions and tenants have different endpoints
    • Format: https://api.[region].app.wiz.io (do NOT include /graphql or /oauth/token at the end)

Setting up Service Account (Client Credentials)

Service accounts provide secure, scoped API access for integrations and automation. Follow these steps:

  1. Log in to your Wiz portal

  2. Navigate to Settings (gear icon) → Access Management → Service Accounts

  3. Click + Add Service Account (top right)

  4. Configure the service account:

    • Name: Give it a descriptive name (e.g., "Webrix AI Integration")
    • Type: Select "Custom Integration (GraphQL API)"
    • Description: Optional description of what this service account will be used for
  5. Configure API Scopes - Select the permissions needed:

    Minimum Required Scopes (read-only operations):

    • read:issues - View security issues
    • read:vulnerabilities - View vulnerability findings
    • read:projects - View projects
    • read:resources - View cloud resources

    Recommended Scopes (full functionality):

    • read:issues - View security issues
    • read:threats_issues - View threat intelligence
    • read:vulnerabilities - View vulnerabilities
    • read:projects - View projects
    • read:resources - View cloud resources
    • read:cloud_accounts - View cloud accounts
    • read:cloud_configuration - View configuration findings
    • read:host_configuration - View host configurations
    • read:reports - View reports
    • read:all - Comprehensive read access across all data (grant this instead of the individual read scopes above only when you cannot enumerate them; prefer granular scopes)

    Optional Write Scopes (for issue management):

    • write:issues - Update issue status and add notes
    • create:reports - Generate custom reports
  6. Optionally, restrict the service account to specific projects if its access should be limited to those projects only

  7. Click Create Service Account

  8. IMPORTANT: Copy the Client Secret immediately - it will only be shown once

    • Also copy the Client ID
    • Store both securely (e.g., password manager, secrets vault)
  9. Find your API Endpoint URL:

    • Click your profile icon → User Settings
    • Look for "API Endpoint URL" in the API section
    • Example: https://api.us1.app.wiz.io
  10. In Webrix, configure the Wiz connector:

    • Paste the API Endpoint URL in General Settings
    • Select Client Credentials as the authentication type
    • Enter the Token URL: Your API endpoint + /oauth/token (e.g., https://api.us1.app.wiz.io/oauth/token)
    • Paste the Client ID
    • Paste the Client Secret
    • Select the scopes you granted to the service account
    • Click Save Changes
Tip: For security best practices, create separate service accounts for different integrations or use cases, each with only the minimum required scopes. This follows the principle of least privilege and makes auditing easier.
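The steps above leave you with an API Endpoint URL, a Client ID and a Client Secret. The following Python script is an added example (not Webrix or Wiz code) of what a client does with them: it validates the endpoint against exactly the format this page prescribes (https, no www, no path), derives the token URL by appending /oauth/token as described in step 10, obtains a token with the OAuth2 client-credentials grant, and refreshes it shortly before the 24-hour expiry. The JSON shape of the token response (access_token, expires_in) and the environment variable names WIZ_API_ENDPOINT, WIZ_CLIENT_ID and WIZ_CLIENT_SECRET are assumptions, not something this page specifies; the HTTP call and the clock are injectable so the logic can be exercised offline.

```python
"""Endpoint validation and client-credentials token handling for the Wiz API.

Added example, not Webrix or Wiz code. Assumptions (not stated on this page):
the token endpoint returns standard OAuth2 JSON ({"access_token": ..., "expires_in": ...}),
and the environment variable names WIZ_API_ENDPOINT, WIZ_CLIENT_ID and WIZ_CLIENT_SECRET.
"""
import json
import os
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Exactly the format this page prescribes: https://api.[region].app.wiz.io, nothing after the host.
ENDPOINT_RE = re.compile(r"^https://api\.[a-z0-9-]+\.app\.wiz\.io$")


def endpoint_problem(url: str) -> Optional[str]:
    """Return None if url is a well-formed Wiz API endpoint, else a human-readable reason."""
    candidate = url.strip().rstrip("/")
    parts = urllib.parse.urlsplit(candidate)
    if parts.scheme != "https":
        return "endpoint must use https"
    if (parts.hostname or "").startswith("www."):
        return "do not include www"
    if parts.path or parts.query or parts.fragment:
        return "do not include a path such as /graphql or /oauth/token"
    if not ENDPOINT_RE.match(candidate):
        return "expected the form https://api.[region].app.wiz.io"
    return None


def validate_endpoint(url: str) -> str:
    """Normalise the endpoint (no trailing slash) or raise ValueError."""
    problem = endpoint_problem(url)
    if problem:
        raise ValueError(f"invalid Wiz API endpoint {url!r}: {problem}")
    return url.strip().rstrip("/")


class TokenCache:
    """Obtains a bearer token via OAuth2 client_credentials and refreshes it ahead of expiry.

    Wiz tokens expire after 24 hours; `skew` seconds before that a fresh one is fetched so a
    long-running job never sends a token that dies mid-request.
    """

    def __init__(self, endpoint: str, client_id: str, client_secret: str,
                 post: Optional[Callable[[str, Dict[str, str]], dict]] = None,
                 clock: Callable[[], float] = time.time, skew: float = 300.0):
        self.token_url = validate_endpoint(endpoint) + "/oauth/token"  # layout from this page
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post or self._http_post
        self._clock = clock
        self._skew = skew
        self._token: Optional[str] = None
        self._expires_at = 0.0

    @staticmethod
    def _http_post(url: str, form: Dict[str, str]) -> dict:
        """Real transport: form-encoded POST, JSON response."""
        req = urllib.request.Request(
            url, data=urllib.parse.urlencode(form).encode(),
            headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def get(self) -> str:
        """Return a valid access token, refreshing when within `skew` seconds of expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._post(self.token_url, {
                "grant_type": "client_credentials",
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            self._token = body["access_token"]
            # Fall back to the 24 h lifetime this page documents if the server omits expires_in.
            self._expires_at = now + float(body.get("expires_in", 86400))
        return self._token


if __name__ == "__main__":
    # Credentials come from the environment (or a secrets vault), never from source control.
    cache = TokenCache(os.environ["WIZ_API_ENDPOINT"], os.environ["WIZ_CLIENT_ID"],
                       os.environ["WIZ_CLIENT_SECRET"])
    print("token obtained, length", len(cache.get()))
```

The refresh margin matters more than it looks: a job that pages through a large inventory for hours will otherwise fail on the one request that straddles the expiry, and the "Token expiration errors" entry under Troubleshooting is exactly that symptom.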

Available Operations

The Wiz connector provides 29 tools across 7 categories:

Issues Management (6 tools)

  • List Issues - Query security issues with pagination and filters (severity, status, resource type)
  • Get Issue - Retrieve detailed issue information including remediation steps and evidence
  • Search Issues - Advanced issue search with flexible query syntax
  • Update Issue Status - Change issue status (OPEN, IN_PROGRESS, RESOLVED, REJECTED)
  • Add Issue Note - Add comments for collaboration and documentation
  • Get Issue Statistics - Aggregated issue counts by severity, status, and type

Vulnerability Findings (5 tools)

  • List Vulnerability Findings - Query vulnerabilities with CVE details and CVSS scores
  • Get Vulnerability Finding - Detailed vulnerability information including exploitability
  • Search Vulnerabilities by CVE - Find all resources affected by a specific CVE
  • Get Vulnerabilities by Severity - Filter vulnerabilities by CRITICAL, HIGH, MEDIUM, or LOW
  • Get Vulnerability Statistics - Summary statistics including fix availability and exploitability

Projects (3 tools)

  • List Projects - Browse all projects with metadata and risk profiles
  • Get Project - Detailed project information including resource counts and security posture
  • Get Project Security Summary - Comprehensive security summary with issue and vulnerability counts

Cloud Resources (5 tools)

  • List Cloud Resources - Inventory resources across AWS, Azure, GCP, and Kubernetes
  • Get Cloud Resource - Detailed resource information including configuration and findings
  • Search Cloud Resources - Advanced resource search with flexible query syntax
  • List Resources by Type - Filter resources by type (VMs, containers, storage, etc.)
  • Get Resource Security Graph - View resource relationships and potential attack paths

Configuration Findings (3 tools)

  • List Configuration Findings - Query misconfigurations and policy violations
  • Get Configuration Finding - Detailed finding with remediation instructions
  • List Findings by Control - All resources failing a specific security control

Security & Compliance (4 tools)

  • List Security Frameworks - Available compliance frameworks (CIS, PCI-DSS, SOC 2, etc.)
  • Get Framework Compliance Status - Compliance score and control pass/fail counts
  • List Security Controls - Browse security controls and their requirements
  • Get Control Compliance Status - Compliance status for a specific control

Users & Access (3 tools)

  • List Users - Organization users with roles and project access
  • List Service Accounts - Service accounts with scopes and usage information
  • Get User Role Assignments - Detailed user permissions and project access

Common Use Cases

Security Posture Assessment

List Issues (filter by CRITICAL severity) → Review security posture → 
Get Issue Statistics → Generate executive report

Vulnerability Management

List Vulnerability Findings (filter by severity) → 
Search Vulnerabilities by CVE → Identify affected resources →
Update Issue Status (mark as IN_PROGRESS) →
Add Issue Note (document remediation plan)

Incident Investigation

Get Issue (by ID) → Get Cloud Resource (affected resource) → 
Get Resource Security Graph (understand attack paths) →
Search Cloud Resources (find similar resources) →
Add Issue Note (document findings)

Compliance Reporting

List Security Frameworks → Get Framework Compliance Status (e.g., PCI-DSS) → 
List Configuration Findings (filter by failed controls) →
Get Control Compliance Status → Generate compliance report

Cloud Resource Inventory

List Projects → List Cloud Resources (filter by project) → 
List Resources by Type (e.g., STORAGE_BUCKET) →
Get Cloud Resource (detailed configuration)

Attack Path Analysis

Get Issue (security issue) → Get Cloud Resource (affected resource) → 
Get Resource Security Graph (map connections) →
Identify lateral movement risks → Plan remediation

Troubleshooting

"Invalid credentials" or "Authentication failed"

Cause: The Client ID or Client Secret is incorrect, or the token URL is wrong.

Solution:

  1. Verify you copied the complete Client Secret when the service account was created
  2. Check the Client ID matches the service account in Wiz
  3. Verify the Token URL format: https://api.[region].app.wiz.io/oauth/token
  4. If credentials are lost, create a new service account (secrets cannot be recovered)

"Insufficient permissions" or "Access denied"

Cause: The service account doesn't have the required API scopes for the operation.

Solution:

  1. Go to Settings → Access Management → Service Accounts in Wiz
  2. Find your service account and click Edit
  3. Review and add the required scopes (see tool descriptions for required scopes)
  4. Common required scopes:
    • Issues: read:issues or write:issues
    • Vulnerabilities: read:vulnerabilities
    • Projects: read:projects
    • Resources: read:resources
    • Configuration: read:cloud_configuration
  5. Save changes and reconnect in Webrix

"Invalid API endpoint" or "Unable to connect"

Cause: The API Endpoint URL is incorrect or formatted incorrectly.

Solution:

  1. Go to your Wiz portal → Profile → User Settings
  2. Copy the exact "API Endpoint URL" shown
  3. Format should be: https://api.[region].app.wiz.io (examples: api.us1.app.wiz.io, api.eu1.app.wiz.io)
  4. Do NOT include /graphql, /oauth/token, or any path at the end
  5. Do NOT include www in the URL
  6. Ensure HTTPS (not HTTP)

Token expiration errors

Cause: Wiz access tokens expire after 24 hours.

Solution:

  • Tokens are automatically refreshed by Webrix using the client credentials
  • If you see persistent token errors, verify your Client ID and Secret are correct
  • Check that the service account hasn't been deactivated in Wiz

"Query too complex" or timeout errors

Cause: GraphQL query is too large or requesting too much data.

Solution:

  1. Reduce the first parameter (page size) to request fewer items per page
  2. Use cursor pagination: pass the after cursor returned with each page to retrieve data in smaller chunks
  3. Add more specific filters to narrow down results
  4. For large datasets, consider breaking the query into multiple smaller requests

Service account not found or deactivated

Cause: The service account was deleted or deactivated in Wiz.

Solution:

  1. Go to Settings → Access Management → Service Accounts
  2. Verify the service account exists and is active
  3. If deleted, create a new service account and update credentials in Webrix
  4. Check if the service account has been reassigned to different projects

GraphQL query errors

Cause: The GraphQL query syntax is invalid or field doesn't exist.

Solution:

  1. This typically indicates a tool implementation issue
  2. Check if your Wiz API version supports the queried fields
  3. Use the Wiz API Console (in Wiz portal) to test queries
  4. Contact support if specific tools consistently fail

Best Practices

  1. Use granular scopes - Only grant the minimum scopes needed for your use case
  2. Create separate service accounts - Use different service accounts for different integrations
  3. Rotate credentials regularly - Create new service accounts and deactivate old ones periodically (e.g., every 90 days)
  4. Monitor service account usage - Review "Last Used" timestamps in Wiz to identify unused accounts
  5. Use project scoping - Limit service accounts to specific projects when possible
  6. Document service account purposes - Use clear names and descriptions
  7. Paginate large queries - Use the first and after parameters for large datasets
  8. Filter queries - Apply filters to reduce data transfer and improve performance
  9. Review audit logs - Regularly check Wiz audit logs for service account activity
  10. Secure credential storage - Never commit credentials to source control

Security Considerations

  • Service account credentials provide programmatic access to your security data - treat them like passwords
  • Client Secrets are shown only once during creation - store them securely immediately
  • Tokens expire after 24 hours for security (automatically refreshed)
  • Use read:all scope with caution - it grants broad read access across all data
  • Write operations (write:issues) can modify issue status - use carefully
  • Deactivated service accounts immediately lose all access
  • All service account API calls are logged in Wiz audit logs
  • Consider network restrictions or IP allowlisting for production service accounts
  • Regular access reviews help identify unused or overprivileged service accounts

Rate Limits

Wiz enforces rate limits on API requests to ensure platform stability:

  • Standard rate limits apply per service account
  • If you hit rate limits, implement exponential backoff retry logic
  • Use pagination to spread large queries across multiple requests
  • Contact Wiz support if you need higher rate limits for your use case
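The two pieces of advice above, paginate with first/after (also the fix for "Query too complex" under Troubleshooting) and back off exponentially when rate limited, are shown together in the following Python script. It is an added example, not Webrix or Wiz code. Assumptions not stated on this page: queries are POSTed to the endpoint plus /graphql with a bearer token, a connection has the shape {"nodes": [...], "pageInfo": {"hasNextPage": ..., "endCursor": ...}}, a throttled request answers HTTP 429 (optionally with a Retry-After header), and the issuesV2 field and filter names in the query are illustrative and should be confirmed in the Wiz API Console. The transport is injectable, so the pagination and retry logic run offline.

```python
"""Cursor pagination and rate-limit backoff for Wiz GraphQL queries.

Added example, not Webrix or Wiz code. Assumptions (not stated on this page): requests go
to <endpoint>/graphql with a bearer token, connections expose nodes and
pageInfo {hasNextPage endCursor}, throttling surfaces as HTTP 429, and the issuesV2 query
below is illustrative (confirm names in the Wiz API Console).
"""
import json
import random
import time
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Iterator, Optional

# Illustrative query: request only the fields you need so each page stays small.
ISSUES_QUERY = """
query Issues($first: Int!, $after: String, $filterBy: IssueFilters) {
  issuesV2(first: $first, after: $after, filterBy: $filterBy) {
    nodes { id severity status }
    pageInfo { hasNextPage endCursor }
  }
}
"""


class RateLimited(Exception):
    """Raised by the transport when the API answers 429."""
    def __init__(self, retry_after: Optional[float] = None):
        super().__init__("rate limited")
        self.retry_after = retry_after


def http_post_graphql(endpoint: str, token: str, query: str, variables: Dict[str, Any]) -> dict:
    """Real transport: one GraphQL request; maps 429 to RateLimited, re-raises other errors."""
    req = urllib.request.Request(
        endpoint.rstrip("/") + "/graphql",
        data=json.dumps({"query": query, "variables": variables}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 429:
            retry_after = err.headers.get("Retry-After")
            raise RateLimited(float(retry_after) if retry_after else None) from err
        raise


def with_backoff(fn: Callable[[], dict], attempts: int = 5, base: float = 1.0, cap: float = 30.0,
                 sleep: Callable[[float], None] = time.sleep,
                 rand: Callable[[], float] = random.random) -> dict:
    """Retry fn on RateLimited: honour Retry-After if sent, else exponential backoff with jitter."""
    for attempt in range(attempts):
        try:
            return fn()
        except RateLimited as limited:
            if attempt == attempts - 1:
                raise
            if limited.retry_after is not None:
                delay = limited.retry_after
            else:
                # 50-100 % of the capped exponential delay, so many clients do not retry in lockstep.
                delay = min(cap, base * 2 ** attempt) * (0.5 + 0.5 * rand())
            sleep(delay)
    raise AssertionError("unreachable: attempts must be >= 1")


def paginate(post: Callable[[str, Dict[str, Any]], dict], query: str, root: str,
             variables: Optional[Dict[str, Any]] = None, first: int = 100,
             sleep: Callable[[float], None] = time.sleep) -> Iterator[dict]:
    """Yield every node of a connection, following the after cursor page by page."""
    page_vars = dict(variables or {})
    after: Optional[str] = None
    while True:
        page_vars.update({"first": first, "after": after})
        body = with_backoff(lambda: post(query, dict(page_vars)), sleep=sleep)
        if body.get("errors"):
            raise RuntimeError(f"GraphQL errors: {body['errors']}")
        page = body["data"][root]
        yield from page["nodes"]
        info = page["pageInfo"]
        if not info.get("hasNextPage"):
            return
        after = info.get("endCursor")


if __name__ == "__main__":
    import os
    # Assumed environment variable names; the filter shape is illustrative too.
    endpoint, token = os.environ["WIZ_API_ENDPOINT"], os.environ["WIZ_ACCESS_TOKEN"]
    post = lambda q, v: http_post_graphql(endpoint, token, q, v)
    critical = paginate(post, ISSUES_QUERY, "issuesV2",
                        {"filterBy": {"severity": ["CRITICAL"], "status": ["OPEN"]}}, first=50)
    print(sum(1 for _ in critical), "open critical issues")
```

Keeping the page size in a single parameter is what makes the "Query too complex" fix a one-line change, and the generator yields nodes as each page arrives, so a consumer can stop early instead of pulling the whole inventory.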

Additional Resources