Cloud Config Findings
Collects and processes Wiz Cloud Configuration Findings logs from the Wiz API, ensuring continuous monitoring and reporting of cloud misconfigurations and vulnerabilities.
Sync Type: Incremental
Requirements
- Before connecting Monad to Wiz, you need to obtain API credentials (Client ID and Client Secret). These credentials allow access to the Wiz API to fetch cloud configuration findings.
- Ensure that your Wiz account has the appropriate permissions to access the necessary API endpoints. To access Cloud Configuration Findings specifically, make sure your credentials have the `read:cloud_configuration` permission.
Details
Monad uses the Wiz API to fetch cloud configuration findings. The LastRunTime filter is applied to retrieve only the findings that were detected or updated after the last successful sync. If this is the first time connecting to the Wiz API, Monad performs a full sync of all available findings.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Endpoint URL | string | Yes | Endpoint URL to connect to Wiz. |
| Severity | Array | No | Your Wiz Vendor Severity for Vulnerability Findings. |
| Status | Array | No | The status of a Vulnerability Finding. |
| Result | Array | No | Filters data by result type. |
| Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Client ID | string | Yes | Client ID for the Wiz API. This is required to authenticate requests. |
| Client Secret | string | Yes | Client Secret for the Wiz API. This is required to authenticate requests. |
OCSF Conversion
The following JQ transformation converts Wiz Cloud Configuration Finding data to OCSF Version 1.1.0 compliant format.
JQ Transformation
```jq
{
  category_uid: 2,
  class_uid: 2003,
  time: .firstSeenAt,
  type_uid: 200302,
  activity_id: 2,
  category_name: "Findings",
  class_name: "Compliance Finding",
  type_name: "Compliance Finding: Update",
  activity_name: "Update",
  severity: .severity,
  severity_id: (
    if .severity == "MEDIUM" then 3
    elif .severity == "HIGH" then 4
    elif .severity == "LOW" then 2
    else 0
    end
  ),
  finding_info: {
    title: (.rule.name // null),
    uid: .id,
    desc: (.rule.description // null),
    created_time: (.firstSeenAt // null),
    modified_time: (.updatedAt // null),
    types: [
      "configuration"
    ]
  },
  metadata: {
    product: {
      name: "Wiz",
      vendor_name: "Wiz",
      version: "1.0"
    },
    version: "1.1.0"
  },
  message: (.rule.name // null),
  resource: {
    type: (.resource.type // null),
    uid: (.resource.id // null),
    name: (.resource.name // null),
    labels: (if .resource.labels then (.resource.labels | to_entries | map(.value)) else [] end),
    owner: (.resource | if .owner then {
      name: (.owner // null),
      uid: (.ownerId // null),
      type_id: (
        if .ownerType == "ADMIN" then 2
        elif .ownerType == "SYSTEM" then 3
        elif .ownerType == "USER" then 1
        else 0
        end
      ),
      type: (.ownerType // null)
    } else null end),
    cloud: {
      provider: (.resource.cloudPlatform // null),
      account: {
        uid: (.resource.subscription.externalId // null)
      },
      region: (.resource.region // null)
    }
  },
  remediation: (.remediation // null),
  status: (.status // null),
  status_id: (
    if .status == "OPEN" then 1
    elif .status == "RESOLVED" then 4
    else 0
    end
  ),
  raw_data: (. | tostring),
  observables: [{
    name: "resource_id",
    value: (.targetExternalId // null),
    type: "Resource UID",
    type_id: 10
  }]
}
```
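The following Python is an added example, not Monad's or Wiz's code: it mirrors the JQ transform above over one API page shaped like the sample record, and also derives the two values the incremental sync described under Details needs, the newest timestamp seen (the watermark for the next run) and the cursor to request next. It assumes `resource.labels` is an object (as the JQ's `to_entries | map(.value)` implies), that timestamps are uniform ISO 8601 UTC strings like the sample's, and, following the page's tables, it leaves any severity other than LOW/MEDIUM/HIGH (CRITICAL included) at 0 (Unknown), which is worth checking before relying on severity_id downstream.

```python
import json

# Lookup tables mirror the page's JQ if/elif chains; anything else maps to 0 (Unknown),
# so a Wiz "CRITICAL" severity also lands on severity_id 0 under this mapping.
SEVERITY_ID = {"LOW": 2, "MEDIUM": 3, "HIGH": 4}
STATUS_ID = {"OPEN": 1, "RESOLVED": 4}
OWNER_TYPE_ID = {"USER": 1, "ADMIN": 2, "SYSTEM": 3}

def to_ocsf(node):
    """Python equivalent of the JQ transform for one configurationFindings node."""
    res, rule = node.get("resource") or {}, node.get("rule") or {}
    owner = None
    if res.get("owner"):  # JQ: .resource | if .owner then {...} else null end
        owner = {"name": res.get("owner"), "uid": res.get("ownerId"), "type": res.get("ownerType"),
                 "type_id": OWNER_TYPE_ID.get(res.get("ownerType"), 0)}
    lbl = res.get("labels") or {}  # JQ to_entries | map(.value): object values, or the array itself
    return {
        "category_uid": 2, "class_uid": 2003, "type_uid": 200302, "activity_id": 2,
        "time": node.get("firstSeenAt"), "severity": node.get("severity"),
        "severity_id": SEVERITY_ID.get(node.get("severity"), 0),
        "finding_info": {"title": rule.get("name"), "uid": node.get("id"), "desc": rule.get("description"),
                         "created_time": node.get("firstSeenAt"), "modified_time": node.get("updatedAt"),
                         "types": ["configuration"]},
        "metadata": {"product": {"name": "Wiz", "vendor_name": "Wiz", "version": "1.0"}, "version": "1.1.0"},
        "message": rule.get("name"), "remediation": node.get("remediation"),
        "resource": {"type": res.get("type"), "uid": res.get("id"), "name": res.get("name"),
                     "labels": list(lbl.values()) if isinstance(lbl, dict) else list(lbl), "owner": owner,
                     "cloud": {"provider": res.get("cloudPlatform"), "region": res.get("region"),
                               "account": {"uid": (res.get("subscription") or {}).get("externalId")}}},
        "status": node.get("status"), "status_id": STATUS_ID.get(node.get("status"), 0),
        "raw_data": json.dumps(node, separators=(",", ":")),  # JQ: . | tostring
        "observables": [{"name": "resource_id", "value": node.get("targetExternalId"),
                         "type": "Resource UID", "type_id": 10}],
    }

def process_page(page):
    """Map one API page; also return the newest timestamp seen (the watermark a LastRunTime
    filter would use next run) and the cursor to request next, or None when hasNextPage is false."""
    findings = page["data"]["configurationFindings"]
    records = [to_ocsf(n) for n in findings["nodes"]]
    stamps = [n.get("updatedAt") or n.get("firstSeenAt") for n in findings["nodes"]]
    info = findings.get("pageInfo") or {}
    next_cursor = info.get("endCursor") if info.get("hasNextPage") else None
    return records, max((s for s in stamps if s), default=None), next_cursor

# Constructed sample page in the shape of the page's sample record (values are made up).
SAMPLE_PAGE = {"data": {"configurationFindings": {"pageInfo": {"hasNextPage": True, "endCursor": "c-1"}, "nodes": [
    {"id": "f-1", "targetExternalId": "ext-1", "firstSeenAt": "2025-08-11T23:46:39Z", "severity": "HIGH",
     "status": "OPEN", "rule": {"name": "r1"}, "resource": {"id": "r-1", "type": "POD", "labels": {"app": "web"},
     "subscription": {"externalId": "sub-1"}, "owner": "alice", "ownerId": "u-1", "ownerType": "USER"}}]}}}
```

Because `pageInfo.hasNextPage` is true in the sample, a real run would loop with the returned cursor until it comes back as None before persisting the watermark.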
OCSF Mapping Details
The JQ transformation converts Wiz Cloud Configuration Findings to OCSF Version 1.1.0 with the following key mappings:
Core Fields
- Category UID: Set to 2 (Findings)
- Class UID: Set to 2003 (Compliance Finding)
- Type UID: Set to 200302 (Compliance Finding: Update)
- Activity ID: Set to 2 (Update)
- Severity ID: Mapped from Wiz severity levels:
  - HIGH → 4
  - MEDIUM → 3
  - LOW → 2
  - others → 0 (Unknown)
- Time: Maps directly from the firstSeenAt field
Finding Information
- UID: Maps from finding ID
- Title: Maps from rule name
- Description: Maps from rule description
- Created Time: Maps from firstSeenAt
- Modified Time: Maps from updatedAt
- Types: Set to ["configuration"]
Resource Details
- Type: Maps from resource type
- UID: Maps from resource ID
- Name: Maps from resource name
- Labels: Converts resource labels to array of values
- Owner Information:
  - Name: Maps from owner
  - UID: Maps from ownerId
  - Type ID mapping:
    - ADMIN → 2
    - SYSTEM → 3
    - USER → 1
    - others → 0 (Unknown)
Cloud Information
- Provider: Maps from cloudPlatform
- Account UID: Maps from subscription externalId
- Region: Maps from resource region
Status Information
- Status: Maps directly from status field
- Status ID: Mapped from status:
  - OPEN → 1 (New)
  - RESOLVED → 4 (Resolved)
  - others → 0 (Unknown)
Observables
- Includes resource ID as an observable with type "Resource UID" (type_id: 10)
Metadata
- Version: Set to "1.1.0"
- Product:
  - Vendor name: "Wiz"
  - Name: "Wiz"
  - Version: "1.0"
Customization
The transformation serves as a starting point and can be modified to accommodate specific requirements while maintaining OCSF compliance. The mapping prioritizes essential cloud configuration information while providing fallback values for optional fields.
Sample Record
```json
{
  "data": {
    "configurationFindings": {
      "nodes": [
        {
          "id": "23ieoqbfdnoenwqs",
          "targetExternalId": "Tom Miller",
          "targetObjectProviderUniqueId": "08b52ca9c8a44c0593d6b3f56235c291",
          "firstSeenAt": "2025-08-11T23:46:39Z",
          "severity": "HIGH",
          "result": "FAIL",
          "status": "OPEN",
          "remediation": "Follow the steps below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed. \r\n* `securityContext.capabilities.drop` key is set to `ALL`.",
          "resource": {
            "id": "7fe7c53e-0343-9e07-d32b-79af6784d552",
            "providerId": "67eb98e3-31b9-8a5c-9fcc-0fa7a2544f41",
            "name": "Alice Williams",
            "nativeType": "Pod",
            "type": "POD",
            "region": null,
            "subscription": {
              "id": "6bd718b6-9c03-4998-6c11-a27c1b707649",
              "name": "Wiz - PROD",
              "externalId": "08b52ca9c8a44c0593d6b3f56235c291",
              "cloudProvider": "GCP"
            },
            "projects": "Jane Williams",
            "tags": [
              {
                "key": "pod-template-hash",
                "value": "Alice Brown"
              },
              {
                "key": "app.kubernetes.io/name",
                "value": "Tom Brown"
              },
              {
                "key": "app.kubernetes.io/instance",
                "value": "Tom Smith"
              }
            ]
          },
          "rule": {
            "id": "72a39ee6-12fd-0e86-bde4-1e7b0fecd5df",
            "graphId": "08b52ca9c8a44c0593d6b3f56235c291",
            "name": "Alice Johnson",
            "description": "dolore labore minim aute ut velit sint lorem ut aliquip in sed fugiat consectetur minim",
            "remediationInstructions": "dolore quis laboris qui dolor nostrud et duis magna do",
            "functionAsControl": false
          },
          "securitySubCategories": [
            {
              "id": "7b3531bf-a6fa-fa7b-60bd-0c283c5ca134",
              "title": "Peter Smith",
              "category": {
                "id": "08b52ca9c8a44c0593d6b3f56235c291",
                "name": "Tom Jones",
                "framework": {
                  "id": "08b52ca9c8a44c0593d6b3f56235c291",
                  "name": "Jane Williams"
                }
              }
            },
            {
              "id": "08b52ca9c8a44c0593d6b3f56235c291",
              "title": "Jane Miller",
              "category": {
                "id": "08b52ca9c8a44c0593d6b3f56235c291",
                "name": "Jane Jones",
                "framework": {
                  "id": "08b52ca9c8a44c0593d6b3f56235c291",
                  "name": "Alice Jones"
                }
              }
            }
          ]
        }
      ],
      "pageInfo": {
        "hasNextPage": true,
        "endCursor": "daac8d5e-4759-6ab3-a79f-9938343bb6a6"
      }
    }
  }
}
```