Wiz.io CLI
This CLI is provided to perform batch processing and orchestration of the Wiz.io Cloud-Native Application Protection Platform (CNAPP). It is designed to perform bulk processing of Wiz data to create, update, and otherwise sync with RegScale to allow for compliance automation reporting. The CLI currently supports three functions:
- authenticate - authenticates with Wiz and obtains a JSON Web Token (JWT) for future requests to Wiz
- inventory - syncs all Wiz entities into RegScale as assets
- issues - syncs any identified problems as issues/POAMs to RegScale
Permissions required from Wiz.io
This CLI functionality uses the Wiz API to pull issues and entities from Wiz. We require that the user set up a service account with the following permissions:
create:reports read:all read:resources read:connectors read:outposts
read:sensors read:security_scans read:scanner_settings read:issue_settings read:users
read:service_accounts read:projects read:issues read:controls read:automation_actions
read:integrations read:action_templates read:reports read:inventory read:vulnerabilities
read:host_configuration read:cloud_accounts read:scan_policies read:security_settings
read:security_frameworks read:system_activities read:cloud_events read:cloud_event_rules
read:licenses read:kubernetes_clusters read:digital_trust_settings read:admission_controllers
read:custom_file_detection read:network_exposure create:reports update:reports write:reports
Update bash environment for CLI
# These environment variables can optionally be made available to the CLI; otherwise the values can be passed as command line arguments.
# Note that exporting a literal secret in an interactive shell records it in the shell history; prefer sourcing the values from a restricted file or a secrets manager.
export WizClientID='WIZ CLIENT ID'
export WizClientSecret='WIZ CLIENT SECRET'
init.yaml Configuration
There are multiple pieces of information needed to configure the Wiz.io integration via the CLI:
- maxThreads - the total number of threads the application is allowed to use for bulk processing. The default value is 1000. (NOTE: changing this number can have a negative or positive impact on performance.)
- wizUrl - GraphQL endpoint for your Wiz.io instance
- wizAuthUrl - URL for granting authentication tokens (default set in the example file, but government customers may require an alternate URL)
- wizExcludes - flags the specific assets to exclude from syncing to RegScale. For each node, this is based on the entities[0]["name"] attribute.
- issues: {wiz: {critical: 30, high: 90, medium: 90, low: 365, status: Open}} - the number of days to add to today's date when setting due dates for RegScale issues, keyed by Wiz severity, and the status to use for a new RegScale issue.
Wiz Setup Workflow
- Get the Wiz URL.
- Click the user profile icon in the top right, and navigate to "User Settings".
- Copy and paste the API Endpoint URL from this page into the wizUrl field.
- Create a service account within Wiz.
- Click the gears icon for setup in the top right and navigate to "Service Accounts" -> "Add Service Account". Give it the appropriate name and permissions (minimum of "read:all").
- Add the service account and copy and paste the client ID and client secret into the init.yaml file.
- The wizAuthUrl is set by default for commercial customers, but you may need to change it if using a specific service such as GovCloud.
- The wizExcludes flag lets you determine which assets you do not want to sync and will exclude them from processing.
- Once done, you should have all configuration necessary to perform Wiz integrations using the RegScale CLI.
Issue Processing Workflow
The CLI currently supports processing Wiz issues. The issue processing workflow is shown below:
- The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation.
- The user then logs into Wiz using the Client ID and Client Secret to generate an access token with the appropriate scope (NOTE: The access token and scope are automatically generated from the Wiz authenticate CLI).
- The user then calls the CLI to process Wiz issues while setting the following flags:
  - regscale_id - the ID # of the RegScale record associated with these issues
  - regscale_module - the RegScale module of the record associated with these issues; please view RegScale Modules for options.
- The CLI retrieves all existing issues in RegScale for the key value pair provided above.
- The CLI then creates an automated report in Wiz, waits for it to update and retrieves all open issues in Wiz.io.
- The CLI then processes through all retrieved Wiz issues and does the following:
- Sees if a RegScale issue already exists, if so, it updates it.
- If no RegScale issue exists, it creates a new one.
- The CLI then processes through all existing RegScale issues and sees if the Wiz.io issue still exists. If not, it has been remediated and the CLI closes the RegScale issue.
The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of issues.
Issue CLI Command Example
The following commands provide an example of processing Wiz issues for a given RegScale System Security Plan (SSP). These commands can be easily adapted for the customer's specific use case. The steps are shown below:
- Log into RegScale to set the token, which is good for 24 hours, and will secure all future RegScale API calls. (NOTE: You can skip this step if you are using a RegScale Service Account)
regscale login
- Authenticate to Wiz to get an access token for GraphQL calls.
regscale wiz authenticate
- Process the appropriate level of issues for the given security plan.
regscale wiz issues --regscale_id=5 --regscale_module="securityplans"
Inventory Processing Workflow
The CLI currently supports processing Wiz entities as assets into RegScale. The inventory processing workflow is shown below:
- The user first logs into RegScale via the CLI to set the access token or otherwise creates a service account as described in the CLI Login documentation.
- The user then logs into Wiz passing the Client ID and Client Secret to the command line to generate an access token with the appropriate scope (NOTE: The access token and scope are automatically generated from the Wiz authenticate CLI).
- The user then calls the CLI to process Wiz inventory while setting the following flags:
  - regscale_id - the ID # of the RegScale record associated with these assets
  - regscale_module - the RegScale module of the record associated with these assets (OPTIONS - securityplans, supplychain, projects, policies, components)
- The CLI then retrieves all existing assets in RegScale for the key value pair provided above.
- The CLI then creates an automated report in Wiz, waits for it to update and retrieves all entities in Wiz.io using a user provided filter (see init.yaml below) or using a default filter.
- The CLI then processes through all retrieved Wiz entities and does the following:
- Sees if a RegScale asset already exists, if so, it updates it.
- If no RegScale asset exists, it creates a new one.
The CLI provides detailed logging throughout the process to indicate progress and to provide troubleshooting in case of any problems.
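The reconciliation described in the Issue Processing Workflow and the Inventory Processing Workflow above (update what already exists, create what is missing, and, for issues only, close RegScale issues that Wiz no longer reports) can be illustrated in a few lines. The block below is an added example written for this page; it is not the RegScale CLI's own code and makes no API calls. It assumes the Wiz issue id is stored on the RegScale issue in a field named wizId, reuses the page's issues.wiz due-date configuration and wizExcludes value, and runs over constructed sample records so it executes offline.

```python
from datetime import date, timedelta

# Mirrors the page's init.yaml `issues: {wiz: {...}}` block: days added to
# today's date per Wiz severity, and the status given to newly created issues.
ISSUE_CONFIG = {"critical": 30, "high": 90, "medium": 90, "low": 365, "status": "Open"}

# Mirrors the page's comma-separated `wizExcludes` setting.
WIZ_EXCLUDES = "Azure AD Builtin Application Service Principal, Azure Active Directory (AAD) User"

# Fixed "today" so the sample output below is reproducible.
SAMPLE_TODAY = date(2023, 1, 23)


def due_date(severity, today=None, config=ISSUE_CONFIG):
    """Due date for a new RegScale issue, derived from the Wiz severity."""
    days = config.get(severity.lower())
    if days is None:  # unknown severity: fail loudly rather than guess a date
        raise ValueError(f"no due-date offset configured for severity {severity!r}")
    return (today or date.today()) + timedelta(days=days)


def parse_excludes(raw):
    """Turn the comma-separated wizExcludes string into a set of entity names."""
    return {name.strip() for name in raw.split(",") if name.strip()}


def filter_entities(wiz_nodes, excludes):
    """Drop Wiz nodes whose entities[0]["name"] is in the exclude set."""
    kept = []
    for node in wiz_nodes:
        entities = node.get("entities") or []
        name = entities[0].get("name") if entities else None
        if name not in excludes:
            kept.append(node)
    return kept


def reconcile(wiz_records, regscale_records, key, close_missing):
    """Diff Wiz records against RegScale records matched on `key`.

    update: Wiz record already in RegScale   create: Wiz record not yet in RegScale
    close:  RegScale record no longer in Wiz (issues only; treated as remediated)
    """
    existing = {r[key]: r for r in regscale_records}
    seen = set()
    plan = {"create": [], "update": [], "close": []}
    for record in wiz_records:
        seen.add(record[key])
        plan["update" if record[key] in existing else "create"].append(record)
    if close_missing:
        plan["close"] = [r for k, r in existing.items() if k not in seen]
    return plan


def sync_issues(wiz_issues, regscale_issues, today=None):
    """Issue workflow: update / create / close, stamping status and due date on new issues."""
    # Assumption (not from the page): the Wiz issue id lives in a RegScale field named "wizId".
    plan = reconcile(wiz_issues, regscale_issues, key="wizId", close_missing=True)
    plan["create"] = [
        dict(issue, status=ISSUE_CONFIG["status"], dueDate=due_date(issue["severity"], today).isoformat())
        for issue in plan["create"]
    ]
    return plan


def sync_inventory(wiz_nodes, regscale_assets, excludes):
    """Inventory workflow: apply wizExcludes, then update / create (assets are never closed)."""
    assets = [
        {"name": n["entities"][0]["name"], "type": n["entities"][0]["type"]}
        for n in filter_entities(wiz_nodes, excludes)
    ]
    return reconcile(assets, regscale_assets, key="name", close_missing=False)


# Constructed sample records (not real Wiz or RegScale data).
WIZ_ISSUES = [
    {"wizId": "i-1", "severity": "CRITICAL", "title": "Storage bucket is publicly readable"},
    {"wizId": "i-2", "severity": "LOW", "title": "Unused access key older than 90 days"},
]
REGSCALE_ISSUES = [
    {"wizId": "i-1", "status": "Open"},
    {"wizId": "i-9", "status": "Open"},  # no longer reported by Wiz -> close as remediated
]
WIZ_INVENTORY = [
    {"entities": [{"name": "web-vm-01", "type": "VIRTUAL_MACHINE"}]},
    {"entities": [{"name": "Azure Active Directory (AAD) User", "type": "USER_ACCOUNT"}]},
    {"entities": [{"name": "logs-bucket", "type": "BUCKET"}]},
]
REGSCALE_ASSETS = [{"name": "web-vm-01", "type": "VIRTUAL_MACHINE"}]

if __name__ == "__main__":
    plan = sync_issues(WIZ_ISSUES, REGSCALE_ISSUES, today=SAMPLE_TODAY)
    print("issues:", {k: [r["wizId"] for r in v] for k, v in plan.items()})
    inv = sync_inventory(WIZ_INVENTORY, REGSCALE_ASSETS, parse_excludes(WIZ_EXCLUDES))
    print("inventory:", {k: [r["name"] for r in v] for k, v in inv.items()})
```

Two points worth noting: the close step exists only for issues, because an asset disappearing from a Wiz report does not by itself mean it was decommissioned, and an unrecognised severity raises rather than silently defaulting, so a changed Wiz severity vocabulary surfaces as a failed run instead of issues with no due date.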
Inventory CLI Command Example
The following commands provide an example of processing Wiz entities for a given RegScale Security Plan. These commands can be easily adapted for the customer's specific use case. The steps are shown below:
- Log into RegScale to set the token, which is good for 24 hours, and will secure all future RegScale API calls. (NOTE: You can skip this step if you are using a RegScale Service Account)
regscale login
- Authenticate to Wiz to get an access token for GraphQL calls.
regscale wiz authenticate
- Process assets for the given security plan.
regscale wiz inventory --regscale_id=5 --regscale_module="securityplans"
init.yaml Example
For a basic Wiz integration with RegScale, the following init.yaml structure is necessary (example/notional key structure shown below, replace with actual customer keys):
domain: https://mycompany.regscale.com
token: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVC38.[...].SkjmRktGLkljysVeoRqcx_hHiVR2gjcA2uZiSJbVkPc
maxThreads: 1000
userId: c9f579e2-a8c9-4c02-8e91-ce122a1aa518
wizAccessToken: ztJhbGciOiTHUzI1NiIsInR5cCI5IkpXVCIsImtpZCI6IndJUnZwVWpBTU93WHQ5ZG5CXzRrVCU8.[...].ql8YFHdwbTkKkNjHxOSWvcsi9t7n1NeFQ4IXGP3-WGGwsPob14jK9_hLQpqYq9TF4lj_J82wGp57GHBN0VEc5E3sHW035ED4H8g9yxMRnCHgFuC9m8rTyIP6FKdxk8ttJ7nmNE5BVQAYAgpV0SeAUTiu0AD64s_2ocesfQ6P3pb_7xSsHsuU3ZzKLhZtvwcAjYbWXu2YAu9JXVci354m6e38ZVK7d8m5Tc0_lVCRHRsmVYgwBJKbvnGfP9czhZ7GVt9vxRxuJJu7jph-gXgbHj4ma6dQCIHLQ5-jEFSkHiQfVsVXD1McR1A2y80-ix7I8Ygj0nq-lQlEx3ADf-iBzQ
wizClientId: jth895StaYLli9WwCxRFBL6szfzyobeth
wizClientSecret: SarahLy58hzLvy37830TfpozrKpexLhaPcoGU2hY4fJiIBwVAelbTHkupjTdknox
wizScope: create:controls create:security_frameworks delete:controls delete:security_frameworks
  read:issues read:controls read:inventory read:vulnerabilities read:security_frameworks
  update:issues update:controls update:inventory update:security_frameworks
wizUrl: https://api.us7.app.wiz.io/graphql
wizAuthUrl: https://auth.wiz.io/oauth/token
wizEntities:
  - API_GATEWAY
  - APPLICATION
  - BACKUP_SERVICE
  - BUCKET
  - CDN
  - CONTAINER
  - DATABASE
  - DB_SERVER
  - DOMAIN
  - POD
  - REGISTERED_DOMAIN
  - SWITCH
  - VIRTUAL_DESKTOP
  - VIRTUAL_MACHINE
  - VIRTUAL_MACHINE_IMAGE
  - VOLUME
  - WEB_SERVICE
wizInventoryReportId:
  - 937a4c31-3036-4069-a35b-2efblah0880
  - 19sklb70-5653-4a1f-bd2e-ed5612f8ec75
  - a6booab07-888a-4e30-a286-fe8cb8e458f5
  - 1a92d35e-e9ad-421d-b55d-275wsa1150
wizIssuesReportId:
  last_seen: '2023-01-23 08:22:12'
  report_id: 63asaq6f-d361-415f-b68b-6dfewb9883f
wizExcludes: Azure AD Builtin Application Service Principal, Azure Active Directory (AAD) User
issues:
  wiz:
    critical: 30
    high: 90
    low: 365
    medium: 90
    status: Open
NOTE: The wizScope and wizAccessToken values will auto-populate after authenticating to Wiz via the CLI. Because init.yaml holds the RegScale bearer token, the Wiz client secret and the Wiz access token in plaintext, restrict the file to the user running the CLI (for example, chmod 600 init.yaml) and keep it out of version control.
Building a Bash Script to Execute the CLI
You can chain together RegScale CLI commands using scripts. These scripts could be in Bash, Python, PowerShell, etc. Below is an example Bash file (named "regscaleScheduler.sh") in Ubuntu for executing the Wiz CLI that pulls all issues and inventory after authenticating and assigns them to a specific Security Plan in RegScale:
#!/bin/sh
# Wiz will now authenticate for a fresh token on every execution of the issues or inventory functions.
regscale wiz issues --regscale_id=5 --regscale_module="securityplans"
regscale wiz inventory --regscale_id=5 --regscale_module="securityplans"
To execute the Bash file, run this command: . regscaleScheduler.sh
You can chain together any arbitrary set of CLI commands to have them execute sequentially.