adding Wiz Defend to External Alerts

Author: terrancedejesus

rules/promotions/external_alerts.toml

@@ -40,7 +40,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
+event.kind:alert or (data_stream.dataset: wiz.defend) and not event.module:(endgame or endpoint or cloud_defend)
 '''
 note = """## Triage and analysis