Wiz Audit Logs
Collects and processes audit log events from the Wiz API, enabling continuous monitoring and tracking of user actions, configuration changes, and security events across your Wiz environment.
Sync Type: Incremental
Requirements
Before connecting to Wiz, you need:
- Wiz API credentials (Client ID and Client Secret)
- The admin:audit scope granted to your service account to access Audit Logs API endpoints
- Access to view audit logs in your Wiz account
- Your tenant data center (e.g., "us1", "us2", "us3"). Find it on the Tenant Info page in Wiz, or request it from your Wiz customer contact.
Details
This input connects to the Wiz API to fetch audit log events. It performs incremental synchronization by tracking the timestamp of the last ingested event and only fetching new events in subsequent syncs.
Key Features:
- Incremental sync using timestamp-based filtering
- Maximum lookback period of 180 days
- Automatic state checkpointing to prevent data loss
- OAuth2 authentication with automatic token refresh
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Tenant Data Center | string | Yes | The Wiz tenant data center (e.g., "us1", "us2", "us3"). Find your tenant data center on the Tenant Info page in Wiz, or request it from your Wiz customer contact. |
| Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Client ID | string | Yes | Client ID for the Wiz API authentication. This is required to authenticate requests. |
| Client Secret | string | Yes | Client Secret for the Wiz API authentication. This is required to authenticate requests. |
Authentication
The Wiz Audit Logs input uses the OAuth2 Client Credentials flow for authentication. The access token is automatically refreshed 5 minutes before expiration to ensure uninterrupted data collection.
Required Scope: Your Wiz service account must have the admin:audit scope to access audit log data.
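The sketch below models the sync behaviour described under Details and Authentication: picking the fetch start from the checkpoint or backfill setting, clamping it to the 180-day lookback, and refreshing the token 5 minutes before expiry. It is an added example, not the input's own code. The function names, the inclusive-boundary deduplication by event id, and the "truncated" flag for surfacing a coverage gap are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

MAX_LOOKBACK = timedelta(days=180)     # "Maximum lookback period of 180 days"
REFRESH_MARGIN = timedelta(minutes=5)  # token refreshed 5 minutes before expiry

def parse_ts(value):
    """Parse a timestamp in the sample record's format (UTC, trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sync_start(now, checkpoint=None, backfill_start=None):
    """Return (start, truncated): the lower bound for the next fetch and
    whether the 180-day limit cut it short, i.e. older events are not fetched."""
    wanted = checkpoint or backfill_start or now  # no backfill: no past records
    floor = now - MAX_LOOKBACK
    return max(wanted, floor), wanted < floor

def ingest(events, start, seen_ids):
    """Accept events at or after start that were not ingested before.
    Returns (accepted, new_checkpoint). The boundary is inclusive and ids are
    deduplicated (assumption) so events sharing the checkpoint timestamp are
    neither dropped nor stored twice."""
    accepted, checkpoint = [], start
    for ev in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        ts = parse_ts(ev["timestamp"])
        if ts < start or ev["id"] in seen_ids:
            continue
        seen_ids.add(ev["id"])
        accepted.append(ev)
        checkpoint = max(checkpoint, ts)
    return accepted, checkpoint

def needs_refresh(now, token_expires_at):
    """True once the access token is within the refresh margin of expiry."""
    return now >= token_expires_at - REFRESH_MARGIN

# Constructed sample run: ids are made up, the timestamp format follows the page.
NOW = parse_ts("2022-09-01T12:00:00Z")
BATCH = [
    {"id": "evt-1", "timestamp": "2022-09-01T11:28:07.404058Z", "action": "Login"},
    {"id": "evt-2", "timestamp": "2022-09-01T11:28:07.404058Z", "action": "Login"},
    {"id": "evt-0", "timestamp": "2022-08-31T09:00:00Z", "action": "Login"},
]

if __name__ == "__main__":
    start, truncated = sync_start(NOW, backfill_start=parse_ts("2022-09-01T00:00:00Z"))
    seen = set()
    first, cp = ingest(BATCH, start, seen)
    again, _ = ingest(BATCH, cp, seen)  # the next sync re-reads the boundary
    print([e["id"] for e in first], cp.isoformat(), len(again), truncated)
```

A `truncated` result of `True` means the requested start was older than 180 days, so events before the clamped start are not collected and the gap should be recorded alongside the ingested data.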
Sample Record
{
  "id": "9cad8ff8-ce4a-4956-8b02-632309de7305",
  "action": "Login",
  "requestId": "9cad8ff8-ce4a-4956-8b02-632309de7305",
  "status": "SUCCESS",
  "timestamp": "2022-09-01T11:28:07.404058Z",
  "actionParameters": {
    "clientID": "kr7ngoiolk3d9i8ravmuutlb6",
    "groups": null,
    "name": "MetronLabs",
    "products": [
      "*"
    ],
    "role": "",
    "scopes": [
      "read:issues",
      "read:vulnerabilities",
      "admin:audit"
    ],
    "userEmail": "",
    "userID": "mlipebtwsndhxdmnzdwrxzmiol4ih3ksni4vannkle4n4xtle3sa",
    "userpoolID": "us-east-2_GQ3gwvxsQ"
  },
  "userAgent": null,
  "sourceIP": null,
  "serviceAccount": {
    "id": "mlipebtwsndhxdmnzdwrxzmiol4ih3ksni4vannkle4n4xtle3sa",
    "name": "MetronLabs"
  },
  "user": null
}