Wiz

The Wiz Graph API Collector uses a pull-based mechanism to retrieve security audit logs and issue data from Wiz's cloud security platform. The collector queries the Wiz GraphQL API at configured intervals, fetching audit trails and security findings to enable security monitoring and compliance tracking within Observo AI.

Purpose

The purpose of the Wiz Graph API Collector source in Observo AI is to enable the platform to actively retrieve security data from Wiz's GraphQL API endpoints. It pulls audit log entries and security issues from your Wiz tenant into Observo AI for analysis and processing. This integration supports streamlined security data pipelines, real-time security monitoring, and compliance analytics, allowing organizations to enhance observability, security posture management, and data-driven decision-making by proactively fetching security events from Wiz.

Prerequisites

Before configuring the Wiz Graph API Collector source in Observo AI, ensure the following requirements are met to facilitate seamless data ingestion:

  • Wiz Tenant Access:

    • An active Wiz tenant with API access enabled.

    • Identify your Wiz tenant region (e.g., us1, eu1, us2) for constructing the correct API endpoint URL.

  • Wiz Service Account:

    • A service account must be created in Wiz with appropriate permissions:

      • Read Audit Logs permission for collecting audit log entries.

      • Read Issues permission for collecting security issues (if enabled).

    • Obtain the Client ID and Client Secret from the service account configuration.

  • Authentication:

    • Prepare OAuth 2.0 credentials:

      • Client ID: Service account client identifier from Wiz.

      • Client Secret: Service account client secret from Wiz.

      • Token URL: Default is https://auth.app.wiz.io/oauth/token.

      • Required Scopes: admin:audit, read:reports, create:reports.

      • Audience: Must be set to wiz-api for Wiz OAuth authentication.

  • Network and Connectivity:

    • Ensure Observo AI can communicate with the Wiz API endpoint (https://api.<TENANT_REGION>.app.wiz.io/graphql).

    • Check for proxy settings, firewall rules, or network policies that may affect connectivity to Wiz endpoints.

Prerequisite        | Description                                           | Notes
--------------------|-------------------------------------------------------|----------------------------------------------------------------------
Wiz Tenant          | Active Wiz tenant with API access                     | Identify tenant region for API endpoint
Wiz Service Account | Service account with audit and issue read permissions | Obtain Client ID and Client Secret
Authentication      | OAuth 2.0 credentials with required scopes            | Scopes: admin:audit, read:reports, create:reports; Audience: wiz-api
Network             | Connectivity to Wiz API endpoint                      | Check firewalls and network policies

Data Types Collected

The Wiz Graph API Collector retrieves two primary data types from your Wiz tenant:

1. Audit Log Entries

Captures the following user actions and system events within your Wiz tenant for compliance and security monitoring:

  • User login/logout activities

  • Configuration changes

  • API calls, request IDs, IP addresses

  • Action parameters and status codes

2. Issues (Optional)

Captures the following security issues and vulnerabilities:

  • Detected vulnerabilities/misconfigurations

  • Severity, type, and status

  • Associated cloud resources (VMs, containers, subscriptions, projects)

  • Source rules and remediation details

  • Tags and metadata

Integration

The Integration section outlines the configurations for the Wiz Graph API Collector source. To configure the Wiz Graph API Collector as a source in Observo AI, follow these steps to set up and test the data flow:

  1. Log in to Observo AI:

  • Navigate to the Sources tab.

  • Click the Add Source button and select Create New.

  • Choose Wiz Graph API Collector from the list of available sources to begin configuration.

  2. General Settings:

  • Name: A unique identifier for the source, such as wiz-audit-collector.

  • Description (Optional): Provide a description for the source, such as "Wiz security audit logs and issues collector".

  • Time in seconds to pause between script executions: Configure the polling interval (default: 1800 seconds / 30 minutes).

  • Config: Configuration parameters for Wiz Graph API.

    Key (Default) | Value (Default)
    --------------|-----------------------------------------------
    WIZ_API_URL   | https://api.<TENANT_REGION>.app.wiz.io/graphql

    Note: Replace <TENANT_REGION> with your actual Wiz tenant region (e.g., us1, eu1, us2).

  • Checkpoints: Enable checkpoints to track the last successful data collection point, which allows incremental data collection. The values below seed the first run.

    Key (Default)     | Value (Default)
    ------------------|---------------------
    AUDIT_SINCE_TIME  | 2025-09-12T21:00:09Z
    ISSUES_SINCE_TIME | 2025-09-12T21:00:09Z

    Note: These timestamps are automatically updated after each successful run. Set the initial values to your desired starting point.

  3. Authentication: The source supports OAuth 2.0 authentication:

    • Client ID: Service account client ID from Wiz.

    • Client Secret: Service account client secret from Wiz.

    • Token URL: https://auth.app.wiz.io/oauth/token

    • Scopes (add as needed):

      • admin:audit - Required for audit log collection

      • read:reports - Required for issue collection

      • create:reports - Optional for report generation

    • Token Refresh Margin (seconds): Time in seconds before token expiry at which the token is refreshed. Default is 60 seconds.

    • Headers (Optional): Additional headers to include in OAuth2 authentication requests.

    • Additional Data: Additional data for the OAuth2 authentication request. The default includes {"audience": "wiz-api"}, which is required for Wiz authentication.
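The token flow described in the Prerequisites and in the Authentication step above, as an added example (this is not Observo AI's or Wiz's code): a client-credentials request to the token URL carrying the client ID, client secret, scopes and the `wiz-api` audience, with the token cached and refreshed ahead of expiry by the configured margin. The HTTP POST is injected as a callable so the block runs offline; `make_fake_poster` is a constructed stand-in for the token endpoint, and its responses are not real Wiz output.

```python
"""OAuth 2.0 client-credentials token handling for the Wiz API.

Added example, not Observo AI's or Wiz's code. The HTTP POST is injected as a
callable so the example runs offline; a deployment would pass a function that
performs the real form-encoded POST (for example with urllib or requests).
"""
import time
from typing import Callable, Dict, Optional, Sequence

TOKEN_URL = "https://auth.app.wiz.io/oauth/token"   # default token URL from the page
WIZ_AUDIENCE = "wiz-api"                             # audience value from the page
DEFAULT_SCOPES = ("admin:audit", "read:reports")     # create:reports is optional

# Poster signature: (url, form_fields, headers) -> parsed JSON token response
Poster = Callable[[str, Dict[str, str], Dict[str, str]], dict]


class WizTokenProvider:
    """Caches an access token and refreshes it `refresh_margin` seconds early."""

    def __init__(self, client_id: str, client_secret: str, post: Poster,
                 token_url: str = TOKEN_URL, scopes: Sequence[str] = DEFAULT_SCOPES,
                 refresh_margin: int = 60,
                 extra_headers: Optional[Dict[str, str]] = None,
                 extra_data: Optional[Dict[str, str]] = None,
                 now: Callable[[], float] = time.time) -> None:
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post
        self.token_url = token_url
        self.scopes = tuple(scopes)
        self.refresh_margin = refresh_margin
        self.extra_headers = dict(extra_headers or {})
        # Mirrors the page's "Additional Data" default: Wiz requires the audience.
        self.extra_data = {"audience": WIZ_AUDIENCE} if extra_data is None else dict(extra_data)
        self.now = now
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _request_token(self) -> None:
        form = {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": " ".join(self.scopes),
        }
        form.update(self.extra_data)   # adds audience=wiz-api by default
        headers = {"Content-Type": "application/x-www-form-urlencoded", **self.extra_headers}
        resp = self.post(self.token_url, form, headers)
        if "access_token" not in resp:
            # Surface the endpoint's error text instead of caching a bad token.
            raise RuntimeError(f"token request failed: {resp.get('error_description', resp)}")
        self._token = resp["access_token"]
        self._expires_at = self.now() + float(resp.get("expires_in", 0))

    def needs_refresh(self) -> bool:
        """True when no token is cached or it is within the refresh margin of expiry."""
        return self._token is None or self.now() >= self._expires_at - self.refresh_margin

    def token(self) -> str:
        if self.needs_refresh():
            self._request_token()
        return self._token


def make_fake_poster() -> Poster:
    """Constructed stand-in for the Wiz token endpoint (not a real response).

    It refuses requests that lack the wiz-api audience, matching the page's note
    that the audience is required, and otherwise hands out numbered tokens."""
    calls = []

    def post(url: str, form: Dict[str, str], headers: Dict[str, str]) -> dict:
        calls.append(dict(form))
        if form.get("audience") != WIZ_AUDIENCE or form.get("grant_type") != "client_credentials":
            return {"error": "access_denied",
                    "error_description": "constructed: audience or grant_type missing"}
        return {"access_token": f"tok-{len(calls)}", "token_type": "Bearer", "expires_in": 3600}

    post.calls = calls
    return post


if __name__ == "__main__":
    clock = [1000.0]
    poster = make_fake_poster()
    provider = WizTokenProvider("client-id", "client-secret", poster, now=lambda: clock[0])
    print(provider.token())      # tok-1: first request
    clock[0] += 3600 - 60        # now inside the 60 s refresh margin
    print(provider.token())      # tok-2: refreshed before the old token expired
```

The refresh check uses the injected clock, so the behaviour of the margin can be verified without waiting an hour; passing `extra_data={}` drops the audience and shows the failure the page's note warns about, as the endpoint stand-in rejects the request and no token is cached.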

Error Handling

The Wiz Graph API Collector implements comprehensive error handling to ensure reliable data collection:

HTTP Status Code Handling

Status Code | Error Type            | Collector Response
------------|-----------------------|---------------------------------------------------------------------
200         | Success               | Processes data, emits logs, and updates checkpoints
400         | Bad Request           | Logs error with query syntax details; does not retry
401         | Authentication Failed | Logs authentication error; prompts credential verification
429         | Rate Limit Exceeded   | Logs rate limit warning; automatically retries request
Other       | General Error         | Logs error details and status code; retries based on configuration

Checkpoint Recovery

Checkpoints ensure data integrity and prevent data loss:

  • Updated only after successful data processing

  • Separate checkpoints for audit logs (AUDIT_SINCE_TIME) and issues (ISSUES_SINCE_TIME)

  • Enables resumption from last successful point after failures or restarts
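The status-code handling in the table above and the checkpoint rules in this section, combined into one added example (not Observo AI's or Wiz's code): a single collection run that treats 400 and 401 as non-retryable, backs off and retries on 429 and on other failures up to a configured limit, and advances `AUDIT_SINCE_TIME` only after a successful response. The transport is injected so the block runs offline; `AUDIT_QUERY_PLACEHOLDER`, the response shape (`entries` with a `timestamp`), `scripted_transport` and `SAMPLE_ENTRIES` are constructed placeholders, not the real Wiz schema or data.

```python
"""Collection run with per-status handling and checkpoint updates.

Added example, not Observo AI's or Wiz's code. The transport is injected so the
example runs offline; the GraphQL query text and the response shape (a list of
entries under "entries", each with a "timestamp") are placeholders, not the real
Wiz schema. Retries on 429 and on other non-success statuses are bounded by
max_retries; 400 and 401 are never retried.
"""
import logging
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("wiz-graph-collector")

# Transport signature: (url, headers, json_body) -> (http_status, parsed_json_or_None)
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, Optional[dict]]]

WIZ_API_URL = "https://api.<TENANT_REGION>.app.wiz.io/graphql"        # from the page; region placeholder
AUDIT_QUERY_PLACEHOLDER = "query AuditLogs($since: DateTime!) { ... }"  # hypothetical, not the real query


class RateLimited(Exception):
    """HTTP 429: retry after backing off."""


class RetryableError(Exception):
    """Any other non-success status: retry according to configuration."""


def fetch_audit_page(transport: Transport, api_url: str, token: str, since: str) -> Optional[dict]:
    """One GraphQL request. Returns the body on 200, None when the request must
    not be retried (400, 401), and raises when a retry is appropriate."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"query": AUDIT_QUERY_PLACEHOLDER, "variables": {"since": since}}
    status, data = transport(api_url, headers, body)
    if status == 200:
        return data
    if status == 400:
        log.error("bad request; check the query syntax: %s", data)
        return None
    if status == 401:
        log.error("authentication failed; verify client ID, client secret, scopes and audience")
        return None
    if status == 429:
        raise RateLimited()
    raise RetryableError(f"HTTP {status}: {data}")


def collect_audit_logs(transport: Transport, api_url: str, token: str,
                       checkpoints: Dict[str, str], max_retries: int = 3,
                       sleep: Callable[[float], None] = lambda s: None) -> List[dict]:
    """Fetch entries newer than AUDIT_SINCE_TIME; advance the checkpoint only on success."""
    since = checkpoints["AUDIT_SINCE_TIME"]
    attempt = 0
    while True:
        try:
            data = fetch_audit_page(transport, api_url, token, since)
            break
        except RateLimited:
            attempt += 1
            if attempt > max_retries:
                log.error("rate limit persisted after %d retries; giving up this run", max_retries)
                return []
            log.warning("rate limited; retry %d/%d", attempt, max_retries)
            sleep(2 ** attempt)   # exponential backoff; injected so tests do not wait
        except RetryableError as exc:
            attempt += 1
            if attempt > max_retries:
                log.error("giving up after %d retries: %s", max_retries, exc)
                return []
            log.error("%s; retry %d/%d", exc, attempt, max_retries)
            sleep(2 ** attempt)
    if data is None:
        return []   # non-retryable failure: checkpoint left untouched
    entries = data.get("entries", [])
    if entries:
        # Same-format ISO 8601 UTC timestamps sort lexicographically, so max() is the newest.
        checkpoints["AUDIT_SINCE_TIME"] = max(e["timestamp"] for e in entries)
    return entries


def scripted_transport(responses: List[Tuple[int, Optional[dict]]]) -> Transport:
    """Constructed transport that replays a list of (status, body) in order."""
    queue = list(responses)

    def send(url: str, headers: Dict[str, str], body: dict) -> Tuple[int, Optional[dict]]:
        return queue.pop(0)

    return send


# Constructed sample entries in the placeholder shape (not real Wiz data).
SAMPLE_ENTRIES = [
    {"timestamp": "2025-09-13T07:02:11Z", "action": "Login", "user": "alice@example.com", "status": "SUCCESS"},
    {"timestamp": "2025-09-13T08:15:00Z", "action": "UpdateProject", "user": "bob@example.com", "status": "SUCCESS"},
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    ckpt = {"AUDIT_SINCE_TIME": "2025-09-12T21:00:09Z", "ISSUES_SINCE_TIME": "2025-09-12T21:00:09Z"}
    transport = scripted_transport([(429, None), (200, {"entries": SAMPLE_ENTRIES})])
    got = collect_audit_logs(transport, WIZ_API_URL, "example-token", ckpt)
    print(len(got), "entries; next AUDIT_SINCE_TIME =", ckpt["AUDIT_SINCE_TIME"])
```

Because the checkpoint dictionary is only written after a 200 response has been processed, a run that ends in 400, 401 or exhausted retries leaves `AUDIT_SINCE_TIME` at its previous value, so the next run re-requests the same window rather than skipping it; `ISSUES_SINCE_TIME` is tracked separately and is never touched by the audit-log path.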
