Wiz

The Dropzone AI platform integrates with Wiz to ingest security findings and enrich investigations with context from Wiz such as cloud configurations, vulnerabilities, and exposure data via webhook automation rules.

Integrations Overview

To enable these integrations you will perform the following actions:

  • Create an API Key (within Dropzone AI)

  • Configure a webhook integration in Wiz

  • Create a custom automation rule in Wiz

Create an API Key

To create a Dropzone API key, do the following:

  • Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app

  • In the bottom left-hand corner, navigate to Settings > API Keys

  • In the "Add New API Key" section, name the API key something memorable, such as "Wiz Webhook Integration"

  • If you want to assign an expiration date to the API Key, select your desired expiration date in the "Expiration" section

  • Click "Create Key"

  • Copy the value shown for use later in the Wiz UI

Create a Wiz Webhook Integration

To set up your webhook integration, do the following:

  • Navigate to your Wiz console

  • In the left-hand sidebar, navigate to Settings > Integrations

  • In the upper right corner, click "+ Add Integration" and select "Webhook"

  • Name the integration something memorable, such as "Dropzone AI"

  • Under "Scope", if you wish to limit project access to Dropzone, assign the Webhook to a selected project. Otherwise, click "All Projects"

  • Under "URL," paste in your Dropzone webhook URL, e.g. https:///app/api/v1/investigation/create

  • In the "Additional Headers" section, click "+ Add Header"

  • Next to "Key Equals", select "Authorization"

  • Next to "Value Equals," set the header value to

  • Replace with the API key you generated from Dropzone AI (including the Api Key value, e.g. "Api-Key <YOUR_KEY_HERE>")

  • Click "Save"

Create an Automation Rule

To create an automation rule, do the following:

  • In the left sidebar of your Wiz console, navigate to Policies > Automation Rules

  • In the upper right corner, click "+ Add Rule"

  • Name the automation rule something memorable, such as "Wiz Detections to Dropzone AI"

  • You may choose to add a description, such as "Dropzone AI Section Forwarding Rule"

  • Under "Scope", if you wish to limit project access to Dropzone, assign the Automation rule to a selected project. Otherwise, click "All Projects"

  • In the "Rule Conditions" section, set the "When" condition to "Detection is Created"

  • In the "If" section, you may choose the severity levels you wish Dropzone to ingest. Set the "If" condition to Severity is "Critical" or "High" or "Medium" (or your desired severity level)

  • In the "Then" section, click "+ Add action"

  • Select "POST a Webhook"

  • Select the webhook integration you created earlier, e.g. Dropzone AI

  • In the "Request Body" section, replace the default action template with the JSON below


{
  "schema_key": "wiz_webhook_detection",
  "raw_alert_content": {
    "trigger": {
      "source": "{{triggerSource}}",
      "type": "{{triggerType}}",
      "ruleId": "{{ruleId}}",
      "ruleName": "{{ruleName}}"
    },
    "id": "{{detection.id}}",
    "threatId": "{{detection.issue.id}}",
    "threatURL": {{#detection.issue.url}}"{{detection.issue.url}}"{{/detection.issue.url}}{{^detection.issue.url}}null{{/detection.issue.url}},
    "title": "{{detection.rule.name}}",
    "description": {{#detection.description}}"{{detection.description}}"{{/detection.description}}{{^detection.description}}null{{/detection.description}},
    "severity": "{{detection.severity}}",
    "createdAt": "{{detection.createdAt}}",
    "tdrId": "{{detection.rule.id}}",
    "tdrSource": "{{detection.rule.sourceType}}",
    "mitreTactics": {{detection.rule.MITRETactics}}{{^detection.rule}}null{{/detection.rule}},
    "mitreTechniques": {{detection.rule.MITRETechniques}}{{^detection.rule}}null{{/detection.rule}},
    "cloudAccounts": {{detection.cloudAccounts}},
    "cloudOrganizations": {{detection.cloudOrganizations}},
    "timeframe": {
      "start": "{{detection.startedAt}}",
      "end": "{{detection.endedAt}}"
    },
    "actors": {{detection.actors}},
    "primaryActor": {{#detection.primaryActor}}{{detection.primaryActor}}{{/detection.primaryActor}}{{^detection.primaryActor}}null{{/detection.primaryActor}},
    "resources": {{detection.resources}},
    "primaryResource": {{#detection.primaryResource}}{{detection.primaryResource}}{{/detection.primaryResource}}{{^detection.primaryResource}}null{{/detection.primaryResource}},
    "triggeringEventsCount": {{detection.triggeringEventsCount}},
    "triggeringEvents": {{detection.triggeringEvents}}
  },
  "force_reinvestigation": false
}
  • Click "Add Action"

  • Once returned to the New Automation Rule page, click "Save"

Once this step has been committed, Wiz will start sending its alerts directly to Dropzone.
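
As an added example (not part of the Dropzone AI or Wiz documentation), the Python sketch below renders an excerpt of the request-body template and checks that the result parses as JSON, both when optional fields such as detection.issue.url are present and when they are absent. The renderer is a simplified stand-in for Wiz's template engine; its substitution rules and the sample detections are assumptions constructed for illustration.

```python
import json
import re

# Excerpt of the request-body template above (same nullable-field pattern).
TEMPLATE = '''{
  "schema_key": "wiz_webhook_detection",
  "raw_alert_content": {
    "id": "{{detection.id}}",
    "threatURL": {{#detection.issue.url}}"{{detection.issue.url}}"{{/detection.issue.url}}{{^detection.issue.url}}null{{/detection.issue.url}},
    "severity": "{{detection.severity}}",
    "primaryActor": {{#detection.primaryActor}}{{detection.primaryActor}}{{/detection.primaryActor}}{{^detection.primaryActor}}null{{/detection.primaryActor}},
    "resources": {{detection.resources}}
  },
  "force_reinvestigation": false
}'''

SECTION = re.compile(r"\{\{([#^])([\w.]+)\}\}(.*?)\{\{/\2\}\}", re.S)
VARIABLE = re.compile(r"\{\{([\w.]+)\}\}")

def lookup(ctx, dotted):
    """Resolve a dotted name; a missing key at any level yields None."""
    for key in dotted.split("."):
        if not isinstance(ctx, dict) or key not in ctx:
            return None
        ctx = ctx[key]
    return ctx

def render(template, ctx):
    """Stand-in renderer (assumption, not Wiz's engine): sections keep or drop
    their body; strings are inserted raw, other values as JSON."""
    def section(m):
        kind, name, body = m.groups()
        present = lookup(ctx, name) not in (None, "", [], {}, False)
        return body if present == (kind == "#") else ""
    def variable(m):
        value = lookup(ctx, m.group(1))
        if value is None:
            return ""
        return value if isinstance(value, str) else json.dumps(value)
    return VARIABLE.sub(variable, SECTION.sub(section, template))

def render_body(detection):
    """Render the excerpt and parse it; raises ValueError if it is not JSON."""
    return json.loads(render(TEMPLATE, {"detection": detection}))

# Constructed sample detections (not real Wiz output).
FULL = {"id": "d-1", "severity": "HIGH", "issue": {"url": "https://wiz.example/issues/1"},
        "primaryActor": {"id": "a-1"}, "resources": [{"id": "r-1"}]}
SPARSE = {"id": "d-2", "severity": "MEDIUM", "resources": []}
```

Under this stand-in, fields wrapped in the `{{#…}}…{{/…}}{{^…}}null{{/…}}` pair fall back to `null`, while a field without that fallback (here `resources`) must be present or the rendered body does not parse as JSON.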

If you encounter any errors, contact your Dropzone AI support representative.
