# Wiz

## About <a href="#about" id="about"></a>

The Wiz NetoFuse module provides enriched asset context to Netography Fusion from the Wiz Cloud Security Platform. It gathers vulnerability, issue, and network exposure data about the cloud assets in your environment from the Wiz API, and uploads that data as [Context Labels](/enrich-traffic-with-context/labels.md) to the Netography Fusion API.

{% hint style="info" %}
**☁️NetoFuse Modules: Cloud deployment vs. On-Prem deployment**

This page documents how to add and configure the NetoFuse module for an on-prem deployment with a container or Python package. If you want to use the cloud deployment model and have this integration run in the Netography Fusion SaaS, you can add it as a context integration in the Netography Fusion Portal instead by consulting the [Context Integrations](/enrich-traffic-with-context/configure-context-integrations.md) documentation.
{% endhint %}

## Use cases <a href="#use-cases" id="use-cases"></a>

### Reduce investigation time <a href="#reduce-investigation-time" id="reduce-investigation-time"></a>

An AWS EC2 instance that has only ever communicated to the corporate network makes a new outbound connection to China. You may want to know more about this EC2 instance as you investigate this. The vulnerability context provided by Wiz is immediately available to you without having to pivot to another tool or ask another analyst with direct access to Wiz for this information.

### Enhance monitoring for vulnerable assets <a href="#enhance-monitoring-for-vulnerable-assets" id="enhance-monitoring-for-vulnerable-assets"></a>

Cloud assets with high-severity vulnerabilities are at higher risk of being exploited and becoming the source of malicious activity. Now that the vulnerability state of these assets is directly available, you can use that information to monitor these assets, including:

* Create and view dashboards focused on activity from the most vulnerable assets
* Create a custom escalation workflow for network activity, such as potential network scanning or exfiltration, when it originates from a highly vulnerable asset
* Build custom detections that include the vulnerability state of the asset

You can use the following `NQL` to accomplish this:\
`label.ip.cvss_rating == critical || label.ip.cvss_rating == high`

### Monitor network activity for assets with high-profile vulnerabilities while they are being remediated <a href="#monitor-network-activity-for-assets-with-high-profile-vulnerabilities-while-they-are-being-remediate" id="monitor-network-activity-for-assets-with-high-profile-vulnerabilities-while-they-are-being-remediate"></a>

A new vulnerability has been released and is being actively exploited in cloud environments. You can focus your attention on the network activity for assets that Wiz has identified as vulnerable to this issue. By watching the assets with a highly visible vulnerability more closely, you can identify potential indicators of compromise and act on them during the critical period before the vulnerability is remediated.

You can use the following `NQL` to accomplish this:\
`label.ip.cve == CVE-2023-0123`

## Context Labels <a href="#context-labels" id="context-labels"></a>

These context labels are written when using the default module configuration.

| Context Name     | Description                                                     | Examples        |
| ---------------- | --------------------------------------------------------------- | --------------- |
| vuln\_count      | The number of vulnerabilities found on the asset                | 5               |
| cvss\_rating     | The list of CVSS ratings of the vulnerabilities found on the asset | critical        |
| cve              | The CVEs of the vulnerabilities found on the asset              | CVE-2023-0123   |
| cvss\_score      | List of CVSS scores of the vulnerabilities found on the asset   | 9.8, 7.5, 5.0   |
| os               | The operating system of the asset                               | linux           |
| wiz\_asset\_name | The name of the asset in Wiz                                    | my-ec2-instance |

If network exposures are enabled, the following additional context labels are available:

| Context Name                             | Description                                                                 | Examples              |
| ---------------------------------------- | --------------------------------------------------------------------------- | --------------------- |
| wiz\_network\_max\_severity              | The highest severity of the network exposure found on the asset             | critical              |
| wiz\_network\_max\_severity\_value       | The CVSS score of the highest severity network exposure found on the asset  | 9.8                   |
| wiz\_network\_max\_severity\_description | The description of the highest severity network exposure found on the asset | Remote Code Execution |

If issue monitoring is enabled, the following additional context labels are available:

| Context Name         | Description                              | Examples              |
| -------------------- | ---------------------------------------- | --------------------- |
| wiz\_issue\_id       | The IDs of the issues in Wiz             | 12345                 |
| wiz\_issue\_title    | The title list of the issues in Wiz      | Remote Code Execution |
| wiz\_issue\_severity | The severities list of the issues in Wiz | critical              |
| wiz\_issue\_status   | The status list of the issues in Wiz     | open                  |
| wiz\_issue\_type     | The type list of the issues in Wiz       | vulnerability         |

{% hint style="info" %}
**ℹ️The Wiz NetoFuse module is named wiz2**

The first version of Wiz context integration pre-dated NetoFuse and was available only for cloud deployment. The new version is a NetoFuse module, so it is named `wiz2` to differentiate it from the original context integration.
{% endhint %}

## Configuring <a href="#configuring" id="configuring"></a>

### Configure a service account <a href="#configure-a-service-account" id="configure-a-service-account"></a>

A Wiz Service Account is used to authenticate with the Wiz Integration API. The service account must have the following permissions:

| Permissions Required    |
| ----------------------- |
| create:reports          |
| read:reports            |
| update:reports          |
| read:vulnerabilities    |
| read:issues             |
| read:network\_exposures |

Consult Wiz documentation for the steps needed to create this account and configure permissions.

### API parameters required <a href="#api-parameters-required" id="api-parameters-required"></a>

All the fields required for this integration are listed here.

| Wiz Field            | Description                                                                                                                                                                                       |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Wiz API Endpoint URL | The URL for the Wiz API endpoint. Find this parameter in your Wiz tenant by clicking Profile > User Settings and copying the API Endpoint URL field, e.g. `https://api.<region>.app.wiz.io/graphql` |
| Wiz Token URL        | The URL for the Wiz token endpoint. For all Wiz commercial customers, this should be set to:`https://auth.app.wiz.io/oauth/token`                                                                 |
| Wiz Client ID        | The client ID for the Wiz service account                                                                                                                                                         |
| Wiz Client Secret    | The client secret for the Wiz service account                                                                                                                                                     |

## `wiz2` NetoFuse Module Configuration <a href="#wiz2-netofuse-module-configuration" id="wiz2-netofuse-module-configuration"></a>

All the fields required for this integration are listed above in the [API parameters required](#api-parameters-required) section. See [Configure > module](/netofuse/configure.md#module) for additional options for setting configuration fields and [Security Considerations](https://docs.netography.com/netofuse/security-considerations) for additional options for setting credentials.

### Advanced Configuration Options <a href="#advanced-configuration-options" id="advanced-configuration-options"></a>

The following configuration options are available for the module.

| Configuration Option      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Default Value |
| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `severities`              | <p>If this is set, vulnerabilities and issues are filtered only to include those with the listed severities. Valid values are <code>LOW, MEDIUM, HIGH, CRITICAL</code><br>Format (in Fusion Portal or JSON config): Comma-separated list enclosed in brackets, e.g. <code>\["HIGH","CRITICAL"]</code><br>Format in YAML: a YAML list, e.g.:<br><code>severities:</code><br><code>- CRITICAL</code><br><code>- HIGH</code><br>All severities are included if this is left blank</p> | `None`        |
| `fetch_issues`            | Set to true to fetch issues from Wiz                                                                                                                                                                                                                                                                                                                                                                                                                                               | `false`       |
| `fetch_network_exposures` | Set to true to fetch network exposures from Wiz                                                                                                                                                                                                                                                                                                                                                                                                                                    | `false`       |
| `project_id`              | The Wiz project ID to use for the integration. To run the integration globally across all projects, leave the default `*`                                                                                                                                                                                                                                                                                                                                                          | `*`           |
| `issue_report_id`         | The ID of the report to fetch issues from. If left blank, this will create a new report. *This can typically be left blank.*                                                                                                                                                                                                                                                                                                                                                       | `None`        |
| `audience`                | This value is passed to the Wiz API and is used internally by Wiz.                                                                                                                                                                                                                                                                                                                                                                                                                 | `wiz-api`     |

#### Default `wiz2` Module Configuration <a href="#default-wiz2-module-configuration" id="default-wiz2-module-configuration"></a>

{% tabs %}
{% tab title="YAML" %}

```yaml
wiz2:
    token_url:
    endpoint_url:
    audience:
    project_id:
    credentials:
      client_id:
      client_secret:
    severities:
    fetch_issues:
    fetch_network_exposures:
    issue_report_id:
    transform:
      vulnerableAsset.ipAddresses:
        context: ip
      vulnerableAsset.operatingSystem:
        context: os
        function:
          function: transform_os
      score:
        context: cvss_score
      cve:
        context: cve
      CVSSSeverity:
        context: cvss_rating
      vulnerableAsset.name:
        context: wiz_asset_name
      issue_id:
        context: wiz_issue_id
      issue_title:
        context: wiz_issue_title
      issue_severity:
        context: wiz_issue_severity
      issue_status:
        context: wiz_issue_status
      issue_type:
        context: wiz_issue_type
      vuln_count:
        context: vuln_count
      network_max_severity:
        context: wiz_network_max_severity
      network_max_severity_value:
        context: wiz_network_max_severity_value
      network_max_severity_description:
        context: wiz_network_max_severity_description
      removed:
        context: removed
```

{% endtab %}
{% endtabs %}
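The following is an added illustrative model, not NetoFuse's own code, of how the `severities` filter from the configuration table and the `transform` block of the default configuration combine to produce the per-IP context labels listed under Context Labels, and how the two NQL use-case queries above select from those labels. The Wiz record layout (`vulnerableAsset.ipAddresses`, `CVSSSeverity`, `score`, `cve`) is taken from the transform keys; the nesting of the sample records, the behaviour of `transform_os`, and the `CONFIG`/`TRANSFORM` dictionaries are assumptions made for this example.

```python
"""Model of wiz2 label generation: severity filter + transform mapping -> labels per IP.
Added example; assumptions are marked in comments."""

# Mirrors the advanced configuration options (constructed values, not a real deployment).
CONFIG = {
    "severities": ["HIGH", "CRITICAL"],   # None or [] means include all severities
    "fetch_issues": False,
    "fetch_network_exposures": False,
}

# Subset of the default `transform` block: Wiz field (dotted path) -> context label.
TRANSFORM = {
    "vulnerableAsset.ipAddresses": "ip",
    "vulnerableAsset.operatingSystem": "os",
    "score": "cvss_score",
    "cve": "cve",
    "CVSSSeverity": "cvss_rating",
    "vulnerableAsset.name": "wiz_asset_name",
}

# Labels that accumulate one value per vulnerability; the rest are per-asset scalars.
LIST_CONTEXTS = {"cve", "cvss_score", "cvss_rating"}

# Constructed sample findings shaped after the transform keys (nesting is an assumption).
SAMPLE_VULNS = [
    {"cve": "CVE-2023-0123", "score": 9.8, "CVSSSeverity": "CRITICAL",
     "vulnerableAsset": {"name": "my-ec2-instance", "operatingSystem": "Linux",
                         "ipAddresses": ["10.0.1.5", "203.0.113.10"]}},
    {"cve": "CVE-2023-0456", "score": 7.5, "CVSSSeverity": "HIGH",
     "vulnerableAsset": {"name": "my-ec2-instance", "operatingSystem": "Linux",
                         "ipAddresses": ["10.0.1.5", "203.0.113.10"]}},
    {"cve": "CVE-2022-9999", "score": 5.0, "CVSSSeverity": "MEDIUM",
     "vulnerableAsset": {"name": "db-host", "operatingSystem": "Windows Server 2019",
                         "ipAddresses": ["10.0.2.9"]}},
]


def get_path(record, dotted):
    """Resolve a dotted transform key such as `vulnerableAsset.ipAddresses`."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def transform_os(value):
    """Stand-in for the page's `transform_os` (assumed behaviour): reduce the Wiz OS
    string to a lower-case family name, matching the `linux` example in the table."""
    text = (value or "").lower()
    for family in ("linux", "windows", "macos"):
        if family in text:
            return family
    return text or None


def passes_severity_filter(record, severities):
    """Apply the `severities` option; a blank option keeps every finding."""
    if not severities:
        return True
    return record.get("CVSSSeverity") in {s.upper() for s in severities}


def build_labels(vulns, config=CONFIG, transform=TRANSFORM):
    """Return {ip: {context_label: value}} for every IP of every finding that passes the filter."""
    per_ip = {}
    for rec in vulns:
        if not passes_severity_filter(rec, config.get("severities")):
            continue
        for ip in get_path(rec, "vulnerableAsset.ipAddresses") or []:
            labels = per_ip.setdefault(ip, {"vuln_count": 0})
            labels["vuln_count"] += 1   # vuln_count = findings on this asset after filtering
            for field, context in transform.items():
                if context == "ip":
                    continue   # the IP is the label key, not a context value
                value = get_path(rec, field)
                if value is None:
                    continue
                if context == "os":
                    value = transform_os(value)
                elif context == "cvss_rating":
                    value = value.lower()   # table shows `critical`; Wiz emits upper case
                if context in LIST_CONTEXTS:
                    bucket = labels.setdefault(context, [])
                    if value not in bucket:
                        bucket.append(value)
                else:
                    labels.setdefault(context, value)
    return per_ip


def ips_matching_rating(labels, ratings=("critical", "high")):
    """Equivalent of `label.ip.cvss_rating == critical || label.ip.cvss_rating == high`."""
    return sorted(ip for ip, l in labels.items() if set(l.get("cvss_rating", [])) & set(ratings))


def ips_with_cve(labels, cve):
    """Equivalent of `label.ip.cve == CVE-2023-0123` for the given CVE id."""
    return sorted(ip for ip, l in labels.items() if cve in l.get("cve", []))


if __name__ == "__main__":
    result = build_labels(SAMPLE_VULNS)
    for ip, ctx in sorted(result.items()):
        print(ip, ctx)
    print("high/critical:", ips_matching_rating(result))
```

With the constructed `severities` of `["HIGH","CRITICAL"]`, the MEDIUM finding on `10.0.2.9` is dropped before any label is written, so that asset gets no `vuln_count` at all rather than a count of zero; set `severities` to `None` to see it appear with `os: windows`.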
