Wiz
The Dropzone AI platform integrates with Wiz through webhook automation rules to ingest security findings and enrich investigations with Wiz context such as cloud configurations, vulnerabilities, and exposure data.
Integrations Overview
To enable these integrations you will perform the following actions:
Create an API Key (within Dropzone AI)
Configure a webhook integration in Wiz
Create a custom automation rule in Wiz
Create an API Key
To create a Dropzone API key, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, navigate to Settings > API Keys

In the "Add New API Key" section, name the API key something memorable, such as "Wiz Webhook Integration"
If you want to assign an expiration date to the API Key, select your desired expiration date in the "Expiration" section
Click "Create Key"

Copy the value shown for use later in the Wiz UI

Create a Wiz Webhook Integration
To set up your webhook integration, do the following:
Navigate to your Wiz console
In the left hand sidebar, navigate to Settings > Integrations

In the upper right corner, click "+ Add Integration" and select "Webhook"
Name the integration something memorable, such as "Dropzone AI"
Under "Scope", if you wish to limit project access to Dropzone, assign the Webhook to a selected project. Otherwise, click "All Projects"

Under "URL," paste in your Dropzone webhook URL, e.g. https:///app/api/v1/investigation/create
In the "Additional Headers" section, click "+ Add Header"
Next to "Key Equals", select "Authorization"
Next to "Value Equals," set the header value to
Replace with the API key you generated from Dropzone AI (including the Api Key value, e.g. "Api-Key <YOUR_KEY_HERE>")

Click "Save"
Create an Automation Rule
To create an automation rule, do the following:
In the left sidebar of your Wiz console, navigate to Policies > Automation Rules

In the upper right corner, click "+ Add Rule"
Name the automation rule something memorable, such as "Wiz Detections to Dropzone AI"
You may choose to add a description, such as "Dropzone AI Section Forwarding Rule"
Under "Scope", if you wish to limit project access to Dropzone, assign the Automation rule to a selected project. Otherwise, click "All Projects"

In the "Rule Conditions" section, set the "When" condition to "Detection is Created"
In the "If" section, you may choose the severity levels you wish Dropzone to ingest. Set the "If" condition to "Severity is "Critical" or "High" or "Medium"" (or your desired severity level)

In the "Then" section, click "+ Add action"

Select "POST a Webhook"
Select the webhook integration you created earlier, e.g. Dropzone AI

In the "Request Body" section, replace the default action template with the JSON below
{
  "schema_key": "wiz_webhook_detection",
  "raw_alert_content": {
    "trigger": {
      "source": "{{triggerSource}}",
      "type": "{{triggerType}}",
      "ruleId": "{{ruleId}}",
      "ruleName": "{{ruleName}}"
    },
    "id": "{{detection.id}}",
    "threatId": "{{detection.issue.id}}",
    "threatURL": {{#detection.issue.url}}"{{detection.issue.url}}"{{/detection.issue.url}}{{^detection.issue.url}}null{{/detection.issue.url}},
    "title": "{{detection.rule.name}}",
    "description": {{#detection.description}}"{{detection.description}}"{{/detection.description}}{{^detection.description}}null{{/detection.description}},
    "severity": "{{detection.severity}}",
    "createdAt": "{{detection.createdAt}}",
    "tdrId": "{{detection.rule.id}}",
    "tdrSource": "{{detection.rule.sourceType}}",
    "mitreTactics": {{detection.rule.MITRETactics}}{{^detection.rule}}null{{/detection.rule}},
    "mitreTechniques": {{detection.rule.MITRETechniques}}{{^detection.rule}}null{{/detection.rule}},
    "cloudAccounts": {{detection.cloudAccounts}},
    "cloudOrganizations": {{detection.cloudOrganizations}},
    "timeframe": {
      "start": "{{detection.startedAt}}",
      "end": "{{detection.endedAt}}"
    },
    "actors": {{detection.actors}},
    "primaryActor": {{#detection.primaryActor}}{{detection.primaryActor}}{{/detection.primaryActor}}{{^detection.primaryActor}}null{{/detection.primaryActor}},
    "resources": {{detection.resources}},
    "primaryResource": {{#detection.primaryResource}}{{detection.primaryResource}}{{/detection.primaryResource}}{{^detection.primaryResource}}null{{/detection.primaryResource}},
    "triggeringEventsCount": {{detection.triggeringEventsCount}},
    "triggeringEvents": {{detection.triggeringEvents}}
  },
  "force_reinvestigation": false
}
Click "Add Action"

Once returned to the New Automation Rule page, click "Save"

Once this step has been committed, Wiz will start sending its alerts directly to Dropzone.
If you encounter any errors, engage your Dropzone AI support representative.
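A pre-flight check for the integration configured above, as an added example that is not Dropzone AI or Wiz code: it verifies that a rendered request body is valid JSON carrying the keys the template defines, then builds (without sending) the authenticated POST. The function names, the `Content-Type` header, and the sample values are assumptions.

```python
import json
import urllib.request

# Keys the page's request-body template places under raw_alert_content.
EXPECTED_KEYS = set("""trigger id threatId threatURL title description severity
createdAt tdrId tdrSource mitreTactics mitreTechniques cloudAccounts
cloudOrganizations timeframe actors primaryActor resources primaryResource
triggeringEventsCount triggeringEvents""".split())

def check_rendered_body(text):
    """Return the problems found in a rendered request body (empty list = OK)."""
    if "{{" in text:
        return ["unrendered template placeholder left in body"]
    try:
        body = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    problems = []
    if body.get("schema_key") != "wiz_webhook_detection":
        problems.append("schema_key must be wiz_webhook_detection")
    if not isinstance(body.get("force_reinvestigation"), bool):
        problems.append("force_reinvestigation must be a JSON boolean")
    alert = body.get("raw_alert_content")
    if not isinstance(alert, dict):
        return problems + ["raw_alert_content must be an object"]
    missing = sorted(EXPECTED_KEYS - set(alert))
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
    return problems

def build_request(url, api_key, text):
    """Build, without sending, the POST the webhook integration is configured to make."""
    if not url.lower().startswith("https://"):
        raise ValueError("webhook URL must be https so the API key is never sent in clear text")
    if not api_key or any(c.isspace() for c in api_key):
        raise ValueError("API key is empty or contains whitespace")
    problems = check_rendered_body(text)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Authorization": f"Api-Key {api_key}",  # header format from the page
               "Content-Type": "application/json"}     # assumption, not stated on the page
    return urllib.request.Request(url, data=text.encode("utf-8"), headers=headers, method="POST")

# Constructed sample: every template key present, optional ones rendered as null.
SAMPLE_BODY = json.dumps({
    "schema_key": "wiz_webhook_detection",
    "raw_alert_content": {**dict.fromkeys(EXPECTED_KEYS), "id": "constructed-1", "severity": "HIGH"},
    "force_reinvestigation": False,
})
```

Pass the API key in from a secret store or environment variable rather than hard-coding it, and pass only the key itself: the function adds the `Api-Key ` prefix.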