|
| 1 | +--- |
| 2 | +title: "Wiz connector for Microsoft Sentinel" |
| 3 | +description: "Learn how to install the connector Wiz to connect your data source to Microsoft Sentinel." |
| 4 | +author: cwatson-cat |
| 5 | +ms.topic: how-to |
| 6 | +ms.date: 09/26/2023 |
| 7 | +ms.service: microsoft-sentinel |
| 8 | +ms.author: cwatson |
| 9 | +--- |
| 10 | + |
| 11 | +# Wiz connector for Microsoft Sentinel |
| 12 | + |
| 13 | +The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findinsg, and Audit logs to Microsoft Sentinel. |
| 14 | + |
| 15 | +## Connector attributes |
| 16 | + |
| 17 | +| Connector attribute | Description | |
| 18 | +| --- | --- | |
| 19 | +| **Log Analytics table(s)** | WizIssues_CL<br/> WizVulnerabilities_CL<br/> WizAuditLogs_CL<br/> | |
| 20 | +| **Data collection rules support** | Not currently supported | |
| 21 | +| **Supported by** | [Wiz](https://support.wiz.io/) | |
| 22 | + |
| 23 | +## Query samples |
| 24 | + |
| 25 | +**Summary by Issues's severity** |
| 26 | + ```kusto |
| 27 | +WizIssues_CL |
| 28 | + |
| 29 | + | summarize Count=count() by severity_s |
| 30 | + ``` |
| 31 | + |
| 32 | + |
| 33 | + |
| 34 | +## Prerequisites |
| 35 | + |
| 36 | +To integrate with Wiz make sure you have: |
| 37 | + |
| 38 | +- **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/). |
| 39 | +- **Wiz Service Account credentials**: Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz). |
| 40 | + |
| 41 | + |
| 42 | +## Vendor installation instructions |
| 43 | + |
| 44 | + |
| 45 | +> [!NOTE] |
| 46 | + > This connector: Uses Azure Functions to connect to Wiz API to pull Wiz Issues, Vulnerability Findings, and Audit Logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. |
| 47 | +Creates an Azure Key Vault with all the required parameters stored as secrets. |
| 48 | + |
| 49 | +STEP 1 - Get your Wiz credentials |
| 50 | + |
| 51 | + |
| 52 | +Follow the instructions on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz) to get the erquired credentials. |
| 53 | + |
| 54 | +STEP 2 - Deploy the connector and the associated Azure Function |
| 55 | + |
| 56 | + |
| 57 | +>**IMPORTANT:** Before deploying the Wiz Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Wiz credentials from the previous step. |
| 58 | +
|
| 59 | + |
| 60 | + |
| 61 | +Option 1: Deploy using the Azure Resource Manager (ARM) Template |
| 62 | + |
| 63 | +1. Click the **Deploy to Azure** button below. |
| 64 | + |
| 65 | + [](https://aka.ms/sentinel-wiz-azuredeploy) |
| 66 | +2. Select the preferred **Subscription**, **Resource Group** and **Location**. |
| 67 | +3. Enter the following parameters: |
| 68 | +> - Choose **KeyVaultName** and **FunctionName** for the new resources |
| 69 | + >- Enter the following Wiz credentials from step 1: **WizAuthUrl**, **WizEndpointUrl**, **WizClientId**, and **WizClientSecret** |
| 70 | +>- Enter the Workspace credentials **AzureLogsAnalyticsWorkspaceId** and **AzureLogAnalyticsWorkspaceSharedKey** |
| 71 | +>- Choose the Wiz data types you want to send to Microsoft Sentinel, choose at least one from **Wiz Issues**, **Vulnerability Findings**, and **Audit Logs**. |
| 72 | + |
| 73 | +>- (optional) follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#optional-create-a-filter-for-wiz-queries) to add **IssuesQueryFilter**, **VulnerbailitiesQueryFilter**, and **AuditLogsQueryFilter**. |
| 74 | + |
| 75 | +4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. |
| 76 | +5. Click **Purchase** to deploy. |
| 77 | + |
| 78 | + |
| 79 | +Option 2: Manual Deployment of the Azure Function |
| 80 | + |
| 81 | +>Follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#manual-deployment) to deploy the connector manually. |
| 82 | +
|
| 83 | + |
| 84 | + |
| 85 | +## Next steps |
| 86 | + |
| 87 | +For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/wizinc1627338511749.wizinc1627338511749_wiz_mss-sentinel?tab=Overview) in the Azure Marketplace. |
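Review bot: In STEP 2 (new line 57) the IMPORTANT note says the Workspace ID and Workspace Primary Key "can be copied from the following", but nothing follows it (new line 58 is empty), so the reader is never told where to get these values. Either restore the missing content or say where the values are found. The `[!NOTE]` callout at new lines 45-47 is also broken: "Creates an Azure Key Vault with all the required parameters stored as secrets." has no `>` prefix and falls outside the callout, and the "This connector:" lead reads like a two-item list that was flattened. The `>` prefixes on the sub-bullets at new lines 68-73 are indented inconsistently and may not render as one nested list. Typos to fix: "Findinsg" (line 13), "Issues's" (line 25), "erquired" (line 52). Please check **VulnerbailitiesQueryFilter** (line 73) and **AzureLogsAnalyticsWorkspaceId** versus **AzureLogAnalyticsWorkspaceSharedKey** (line 70) against the ARM template's real parameter names. If the template uses these spellings the doc has to match it; otherwise correct them here.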