Wiz Webhook (Beta)

Panther supports receiving logs from Wiz webhooks

Overview

The Wiz webhook integration is in open beta starting with Panther version 1.116, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther can receive real-time webhook notifications from Wiz containing Issues, Threats, and Detections events. This integration provides immediate visibility into security findings across your cloud infrastructure, enabling fast incident response.

To ingest different types of Wiz logs, you can additionally or instead use the Wiz API integration. Note that the Wiz.IssuesWebhook events available through this integration and the Wiz.Issues events available through the Wiz API integration differ slightly.

How to onboard Wiz webhook logs to Panther

Prerequisites

To set up this integration, you must have access to a Wiz tenant and permission to create a webhook.
To receive Threats and Detections events, you must have a subscription to Wiz Defend.

Step 1: Create a new Wiz webhook log source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Wiz Webhook," then click its tile.
In the upper-right corner of the slide-out panel, click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- For the Auth method, you will be required to select either Basic or Bearer.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure webhook notifications in Wiz

In your Wiz console, navigate to Settings > Integrations.
Click Add Integration.
Under SIEM & Automation Tools, click Webhook.
On the New Integration page, fill in the fields:
- Name: provide a descriptive name for the webhook, e.g., Panther Integration.
- Project Scope: select the scopes you'd like to include.
- URL: enter the HTTP Source URL you generated in Panther.
- Authentication: select the type of authentication you used in Panther in Step 1, and provide the associated credentials.
Click Add Integration.

Panther-managed detections

See Panther-managed rules for Wiz in the panther-analysis GitHub repository.

Supported log types

Wiz.IssuesWebhook

The Issues log records key events in Wiz related to issues, such as vulnerability findings and security incidents. It is used to track, manage, and remediate security vulnerabilities and incidents.

schema: Wiz.IssuesWebhook
description: The Issues Log records key events in Wiz related to issues, such as vulnerability findings and security incidents. It is used to track, manage, and remediate security vulnerabilities and incidents.
referenceURL: https://win.wiz.io/docs/issues-webhook
fields:
  - name: trigger
    required: true
    type: object
    description: Contains information about what triggered the webhook event
    fields:
      - name: source
        type: string
        description: Source of the trigger
      - name: type
        type: string
        description: Type of trigger event
      - name: ruleId
        type: string
        description: ID of the automation rule
      - name: ruleName
        type: string
        description: Name of the automation rule
      - name: updatedFields
        type: string
        description: List of updated fields
      - name: changedBy
        type: string
        description: User that initiated the change
        indicators:
          - username
      - name: triggeredBy
        type: string
        description: The user or Automation Rule that ran an Action
  - name: issue
    required: true
    type: object
    description: Contains information about the issue that was triggered
    fields:
      - name: id
        type: string
        description: Unique identifier of the Issue
      - name: status
        type: string
        description: Current status of the Issue
      - name: severity
        type: string
        description: Severity level of the Issue
      - name: created
        type: timestamp
        timeFormats:
          - rfc3339
        description: Creation timestamp
        isEventTime: true
      - name: projects
        type: string
        description: Projects associated with the issue
      - name: evidence
        type: json
        description: Evidence details (see note below)
      - name: link
        type: string
        indicators:
          - url
        description: Direct link to the issue in Wiz
  - name: resource
    required: true
    type: object
    description: Represents the affected cloud resource
    fields:
      - name: id
        type: string
        description: Cloud provider's resource ID
      - name: name
        type: string
        description: Resource name
      - name: type
        type: string
        description: Native resource type
      - name: resourceType
        type: string
        description: Resource type
      - name: cloudPlatform
        type: string
        description: Cloud platform identifier
      - name: subscriptionId
        type: string
        description: Subscription ID
      - name: subscriptionName
        type: string
        description: Subscription name
      - name: subscriptionTags
        type: json
        description: Tags associated with the subscription
      - name: region
        type: string
        description: Resource region
      - name: status
        type: string
        description: Resource status
      - name: cloudProviderURL
        type: string
        indicators:
          - url
        description: URL to resource in cloud console
      - name: resourceGroupId
        type: string
        description: Resource group ID
      - name: tags
        type: json
        description: Tags associated with the resource
      - name: externalId
        type: string
        description: External identifier
      - name: created
        type: timestamp
        timeFormats:
          - rfc3339
        description: Creation time of primary resource
      - name: kubernetesClusterId
        type: string
        description: K8s cluster ID
      - name: kubernetesClusterName
        type: string
        description: K8s cluster name
      - name: kubernetesNamespaceName
        type: string
        description: K8s namespace name
      - name: containerServiceId
        type: string
        description: Container service ID
      - name: containerServiceName
        type: string
        description: Container service name
      - name: originalJson
        type: json
        description: Original JSON from cloud provider
  - name: control
    required: true
    type: object
    description: Represents the Control that generated the Issue
    fields:
      - name: id
        type: string
        description: Control identifier
      - name: name
        type: string
        description: Control name
      - name: description
        type: string
        description: Control description
      - name: severity
        type: string
        description: Control severity level
      - name: risks
        type: json
        description: Associated risks
      - name: resolutionRecommendation
        type: string
        description: Resolution recommendation
      - name: resolutionRecommendationPlainText
        type: string
        description: Plain text resolution recommendation
      - name: sourceCloudConfigurationRuleId
        type: string
        description: Source cloud configuration rule ID
      - name: sourceCloudConfigurationRuleName
        type: string
        description: Source cloud configuration rule name

Wiz.Threats

The Threats log records webhook notifications for threat detection events. This helps track active threats, malicious activities, and security incidents across your cloud infrastructure.

schema: Wiz.Threats
description: The Threats Log records key events in Wiz related to threats, such as vulnerability findings and security incidents. It is used to track, manage, and remediate security vulnerabilities and incidents.
referenceURL: https://win.wiz.io/docs/threats-webhook
fields:
  - name: trigger
    required: true
    type: object
    description: Contains information about the event that triggered the webhook
    fields:
      - name: source
        type: string
        description: The source of the trigger. For this webhook, the value is always THREATS
      - name: type
        type: string
        description: The type of trigger, e.g., Manually Triggered or Rule Triggered
      - name: ruleId
        type: string
        description: If triggered by a rule, the unique identifier of that rule
      - name: ruleName
        type: string
        description: The name of the trigger, e.g., Manual or the name of the automation rule
      - name: updatedFields
        type: string
        description: A description of fields that were changed, triggering the webhook
      - name: changedBy
        type: string
        description: The user or system that initiated the change
  - name: threat
    required: true
    type: object
    description: The main object containing all the details of the exported Threat
    fields:
      - name: id
        type: string
        description: Unique identifier for the Threat
      - name: title
        type: string
        description: The title of the Threat
      - name: description
        type: string
        description: A detailed description of the Threat
      - name: status
        type: string
        description: The current status of the Threat (e.g., IN_PROGRESS, RESOLVED)
      - name: severity
        type: string
        description: The severity level of the Threat (e.g., CRITICAL, HIGH)
      - name: created
        type: timestamp
        timeFormats:
          - rfc3339
        isEventTime: true
        description: ISO 8601 timestamp for when the Threat was created
      - name: resolutionNote
        type: string
        description: The note added when the Threat was resolved
      - name: projects
        type: string
        description: A comma-separated list of projects associated with the Threat
      - name: threatURL
        type: string
        indicators:
          - url
        description: A direct URL to the Threat in the UI
      - name: resolvedAt
        type: timestamp
        timeFormats:
          - rfc3339
        description: ISO 8601 timestamp for when the Threat was resolved
      - name: updatedAt
        type: timestamp
        timeFormats:
          - rfc3339
        description: ISO 8601 timestamp for the last time the Threat was updated
      - name: cloudPlatform
        type: string
        description: The cloud platform where the Threat was detected (e.g., Azure, AWS)
      - name: cloudAccounts
        type: array
        description: List of associated cloud accounts
        element:
          type: object
          fields:
            - name: id
              type: string
              description: The unique identifier for the cloud account
            - name: name
              type: string
              description: The name of the cloud account
      - name: cloudOrganizations
        type: array
        description: List of associated cloud organizations
        element:
          type: object
          fields:
            - name: id
              type: string
              description: The unique identifier for the cloud organization
            - name: name
              type: string
              description: The name of the cloud organization
      - name: actors
        type: array
        description: List of actors involved in the Threat
        element:
          type: object
          fields:
            - name: externalId
              type: string
              description: The ID of the actor as defined in the cloud provider
            - name: id
              type: string
              description: The internal unique identifier for the actor
              indicators:
                - actor_id
            - name: name
              type: string
              description: The name of the actor
            - name: nativeType
              type: string
              description: The specific type of the actor from the cloud provider's perspective
            - name: type
              type: string
              description: The general type of the actor (e.g., Service Account)
      - name: resources
        type: array
        description: List of resources involved in the Threat
        element:
          type: object
          fields:
            - name: name
              type: string
              description: The name of the resource
            - name: externalId
              type: string
              description: The full resource identifier from the cloud provider
            - name: id
              type: string
              description: The internal unique identifier for the resource
            - name: nativeType
              type: string
              description: The specific type of the resource from the cloud provider's perspective
            - name: type
              type: string
              description: The general type of the resource (e.g., Virtual Machine)
      - name: tdrNames
        type: string
        description: A comma-separated list of the names of the underlying detection rules
      - name: detectionIds
        type: string
        description: A comma-separated list of the IDs of the underlying detections
      - name: mitreTechniques
        type: array
        description: A list of MITRE ATT&CK technique IDs
        element:
          type: string
          indicators:
            - mitre_attack_technique
      - name: mitreTactics
        type: array
        description: A list of MITRE ATT&CK tactic IDs
        element:
          type: string
          indicators:
            - mitre_attack_technique
      - name: notes
        type: string
        description: A comma-separated list of notes added to the Threat

Wiz.Detections

The Detections log captures webhook notifications for security detection findings. This includes alerts from security rules, anomaly detection, and behavioral analysis.

schema: Wiz.Detections
description: The Detections Log records key events in Wiz related to detections, such as vulnerability findings and security incidents. It is used to track, manage, and remediate security vulnerabilities and incidents.
referenceURL: https://win.wiz.io/docs/detections-webhook
fields:
  - name: trigger
    required: true
    type: object
    description: Details on the trigger including source, type, ruleId, and ruleName
    fields:
      - name: source
        type: string
        description: Source of the trigger
      - name: type
        type: string
        description: Type of trigger event
      - name: ruleId
        type: string
        description: ID of the automation rule
      - name: ruleName
        type: string
        description: Name of the automation rule
  - name: id
    required: true
    type: string
    description: Unique identifier for the detection
  - name: threatId
    required: true
    type: string
    description: ID of the associated threat
  - name: threatURL
    required: true
    type: string
    indicators:
      - url
    description: URL linking to more details on the threat
  - name: title
    type: string
    description: Title or summary of the detection
  - name: description
    type: string
    description: Description providing more details on the detection
  - name: severity
    type: string
    description: Severity level of the detection
  - name: createdAt
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
    description: ISO8601 timestamp for when detection was created
  - name: tdrId
    type: string
    description: TDR identifier
  - name: tdrSource
    type: string
    description: TDR source
  - name: mitreTactics
    type: array
    element:
      type: string
    description: MITRE tactic related to detection
  - name: mitreTechniques
    type: array
    element:
      type: string
    description: MITRE technique related to detection
  - name: cloudAccounts
    type: array
    description: List of associated cloud accounts
    element:
      type: object
      fields:
        - name: cloudPlatform
          type: string
          description: Name of cloud provider
        - name: externalId
          type: bigint
          description: External ID for cloud account
        - name: id
          type: string
          description: ID of the cloud account
        - name: name
          type: string
          description: Name of the cloud account
  - name: cloudOrganizations
    type: array
    description: List of associated cloud organizations
    element:
      type: object
      fields:
        - name: cloudPlatform
          type: string
          description: Name of cloud provider
        - name: externalId
          type: bigint
          description: External ID for cloud organization
        - name: id
          type: string
          description: ID of the cloud organization
        - name: name
          type: string
          description: Name of the cloud organization
  - name: timeframe
    type: object
    description: Object containing start and end timestamps for the detection timeframe
    fields:
      - name: start
        type: timestamp
        timeFormats:
          - rfc3339
        description: Start timestamp of the detection timeframe
      - name: end
        type: timestamp
        timeFormats:
          - rfc3339
        description: End timestamp of the detection timeframe
  - name: actors
    type: array
    description: List of actor details
    element:
      type: object
      fields:
        - name: externalId
          type: string
          description: External ID
        - name: id
          type: string
          description: Actor ID
        - name: providerUniqueId
          type: string
          description: Unique identifier from the provider.
        - name: name
          type: string
          description: Name of the actor
        - name: nativeType
          type: string
          description: Native type classification
        - name: type
          type: string
          description: Type of the actor
        - name: actingAs
          type: object
          description: Actor acting as
          fields:
            - name: externalId
              type: string
              description: External ID
            - name: id
              type: string
              description: Actor ID
            - name: name
              type: string
              description: Name of the actor
            - name: nativeType
              type: string
              description: Native type classification
            - name: type
              type: string
              description: Type of the actor
        - name: email
          type: string
          description: Email of the actor
  - name: primaryActor
    type: object
    description: Primary actor associated with the detection
    fields:
      - name: externalId
        type: string
        description: External ID
      - name: id
        type: string
        description: Actor ID
        indicators:
          - actor_id
      - name: providerUniqueId
        type: string
        description: Unique identifier from the provider.
      - name: name
        type: string
        description: Name of the actor
      - name: nativeType
        type: string
        description: Native type classification
      - name: type
        type: string
        description: Type of the actor
      - name: actingAs
        type: object
        description: Actor acting as
        fields:
          - name: externalId
            type: string
            description: External ID
          - name: id
            type: string
            description: Actor ID
          - name: name
            type: string
            description: Name of the actor
          - name: nativeType
            type: string
            description: Native type classification
          - name: type
            type: string
            description: Type of the actor
      - name: email
        type: string
        description: Email of the actor
  - name: resources
    type: array
    description: List of resource details
    element:
      type: object
      fields:
        - name: cloudAccount
          type: object
          description: Associated cloud account information
          fields:
            - name: cloudPlatform
              type: string
              description: Name of cloud provider
            - name: externalId
              type: bigint
              description: External ID for cloud account
            - name: id
              type: string
              description: ID of the cloud account
            - name: name
              type: string
              description: Name of the cloud account
        - name: externalId
          type: string
          description: External ID
        - name: id
          type: string
          description: Resource ID
        - name: providerUniqueId
          type: string
          description: Unique identifier from the provider.
        - name: name
          type: string
          description: Name of the resource
        - name: nativeType
          type: string
          description: Native type classification
        - name: region
          type: string
          description: Geographic region
        - name: status
          type: string
          description: Status of the eventCurrent status of the resource
        - name: type
          type: string
          description: Type of resource
        - name: kubernetesNodeId
          type: string
          description: Kubernetes node ID
        - name: kubernetesNodeName
          type: string
          description: Kubernetes node name
        - name: kubernetesNamespaceId
          type: string
          description: Kubernetes namespace ID
        - name: kubernetesNamespaceName
          type: string
          description: Kubernetes namespace name
        - name: kubernetesClusterId
          type: string
          description: ID of the Kubernetes cluster
        - name: kubernetesClusterName
          type: string
          description: Name of the Kubernetes cluster
        - name: cloudProviderUrl
          type: string
          description: URL to resource in cloud provider console.
          indicators:
            - url
  - name: primaryResource
    type: object
    description: Primary resource associated with the detection
    fields:
      - name: cloudAccount
        type: object
        description: Associated cloud account information
        fields:
          - name: cloudPlatform
            type: string
            description: Name of cloud provider
          - name: externalId
            type: bigint
            description: External ID for cloud account
          - name: id
            type: string
            description: ID of the cloud account
          - name: name
            type: string
            description: Name of the cloud account
      - name: externalId
        type: string
        description: External ID
      - name: id
        type: string
        description: Resource ID
      - name: providerUniqueId
        type: string
        description: Unique identifier from the provider.
      - name: name
        type: string
        description: Name of the resource
      - name: nativeType
        type: string
        description: Native type classification
      - name: region
        type: string
        description: Geographic region
      - name: status
        type: string
        description: Status of the eventCurrent status of the resource
      - name: type
        type: string
        description: Type of resource
      - name: kubernetesNodeId
        type: string
        description: Kubernetes node ID
      - name: kubernetesNodeName
        type: string
        description: Kubernetes node name
      - name: kubernetesNamespaceId
        type: string
        description: Kubernetes namespace ID
      - name: kubernetesNamespaceName
        type: string
        description: Kubernetes namespace name
      - name: kubernetesClusterId
        type: string
        description: ID of the Kubernetes cluster
      - name: kubernetesClusterName
        type: string
        description: Name of the Kubernetes cluster
      - name: cloudProviderUrl
        type: string
        description: URL to resource in cloud provider console.
        indicators:
          - url
  - name: triggeringEventsCount
    type: bigint
    description: Count of events that triggered detection
  - name: triggeringEvents
    type: array
    description: List of event details
    element:
      type: object
      fields:
        - name: actor
          type: object
          description: Actor associated with event
          fields:
            - name: externalId
              type: string
              description: External ID
            - name: id
              type: string
              description: Actor ID
              indicators:
                - actor_id
            - name: providerUniqueId
              type: string
              description: Unique identifier from the provider.
            - name: name
              type: string
              description: Name of the actor
            - name: nativeType
              type: string
              description: Native type classification
            - name: type
              type: string
              description: Type of the actor
            - name: actingAs
              type: object
              description: Actor acting as
              fields:
                - name: externalId
                  type: string
                  description: External ID
                - name: id
                  type: string
                  description: Actor ID
                - name: name
                  type: string
                  description: Name of the actor
                - name: nativeType
                  type: string
                  description: Native type classification
                - name: type
                  type: string
                  description: Type of the actor
            - name: email
              type: string
              description: Email of the actor
              indicators:
                - email
        - name: actorIP
          type: string
          indicators:
            - ip
          description: IP address of the actor
        - name: actorIPMeta
          type: object
          description: Metadata object containing IP information
          fields:
            - name: autonomousSystemNumber
              type: bigint
              description: ASN number
            - name: autonomousSystemOrganization
              type: string
              description: Organization associated with ASN (ASO)
            - name: country
              type: string
              description: Country of origin for IP
            - name: isForeign
              type: boolean
              description: Whether IP is from foreign source
            - name: reputation
              type: string
              description: IP reputation rating
            - name: reputationSource
              type: string
              description: Source of reputation data
            - name: reputationDescription
              type: string
              description: Description of IP reputation
            - name: relatedAttackGroupNames
              type: json
              description: Attack groups associated with IP
            - name: customIPRanges
              type: json
              description: Object containing custom IP range definitions
        - name: category
          type: string
          description: Event category
        - name: cloudPlatform
          type: string
          description: Cloud platform where event occurred
        - name: cloudProviderUrl
          type: string
          indicators:
            - url
          description: URL to event in cloud provider console
        - name: description
          type: string
          description: Description of the event
        - name: eventTime
          type: timestamp
          timeFormats:
            - rfc3339
          description: ISO8601 timestamp of when event occurred
        - name: externalId
          type: string
          description: External ID of the event
        - name: id
          type: string
          description: Event ID
        - name: name
          type: string
          description: Name of the event
        - name: origin
          type: string
          description: Origin of the event
        - name: resources
          type: array
          description: Resource objects affected by event
          element:
            type: object
            fields:
              - name: cloudAccount
                type: object
                description: Associated cloud account information
                fields:
                  - name: cloudPlatform
                    type: string
                    description: Name of cloud provider
                  - name: externalId
                    type: bigint
                    description: External ID for cloud account
                  - name: id
                    type: string
                    description: ID of the cloud account
                  - name: name
                    type: string
                    description: Name of the cloud account
              - name: externalId
                type: string
                description: External ID
              - name: id
                type: string
                description: Resource ID
              - name: providerUniqueId
                type: string
                description: Unique identifier from the provider.
              - name: name
                type: string
                description: Name of the resource
              - name: nativeType
                type: string
                description: Native type classification
              - name: region
                type: string
                description: Geographic region
              - name: status
                type: string
                description: Status of the eventCurrent status of the resource
              - name: type
                type: string
                description: Type of resource
              - name: kubernetesNodeId
                type: string
                description: Kubernetes node ID
              - name: kubernetesNodeName
                type: string
                description: Kubernetes node name
              - name: kubernetesNamespaceId
                type: string
                description: Kubernetes namespace ID
              - name: kubernetesNamespaceName
                type: string
                description: Kubernetes namespace name
              - name: kubernetesClusterId
                type: string
                description: ID of the Kubernetes cluster
              - name: kubernetesClusterName
                type: string
                description: Name of the Kubernetes cluster
              - name: cloudProviderUrl
                type: string
                description: URL to resource in cloud provider console.
                indicators:
                  - url
        - name: runtimeDetails
          type: object
          description: Runtime details of the event
          fields:
            - name: processTree
              type: array
              description: Process tree leading to event
              element:
                type: object
                fields:
                  - name: command
                    type: string
                    description: Process command line
                  - name: container
                    type: object
                    description: Container metadata including id, name, and image details
                    fields:
                      - name: externalId
                        type: string
                        description: Container external ID
                      - name: id
                        type: string
                        description: Container ID
                      - name: imageExternalId
                        type: string
                        description: Image external ID
                      - name: imageId
                        type: string
                        description: Image ID
                      - name: name
                        type: string
                        description: Container name
                  - name: executionTime
                    type: timestamp
                    timeFormats:
                      - rfc3339
                    description: ISO8601 timestamp when process executed
                  - name: hash
                    type: string
                    indicators:
                      - sha1
                    description: Executable SHA1 hash
                  - name: id
                    type: string
                    description: Process ID
                  - name: path
                    type: string
                    description: Executable path
                  - name: size
                    type: bigint
                    description: Executable size in bytes
                  - name: userId
                    type: string
                    description: User ID that executed process
                  - name: username
                    type: string
                    description: Username that executed process
                    indicators:
                      - username
        - name: source
          type: string
          description: Source of the event
        - name: subjectResourceId
          type: string
          description: ID of the primary affected resource
        - name: subjectResourceIp
          type: string
          description: IP of the primary affected resource
          indicators:
            - ip
        - name: status
          type: string
          description: Status of the event

PreviousWiz API NextZeek Logs

Last updated 1 month ago

Was this helpful?