Collects and processes Wiz Cloud Configuration Findings logs from the Wiz API, ensuring continuous monitoring and reporting of cloud misconfigurations and vulnerabilities.
Sync Type: Incremental
Requirements
Before connecting Monad to Wiz, you need to obtain API credentials (Client ID and Client Secret). These credentials allow access to the Wiz API to fetch cloud configuration findings.
Ensure that your Wiz account has the appropriate permissions to access the necessary API endpoints. To access Cloud Findings specifically, make sure your credentials have the read:cloud_configuration permission.
Details
Monad uses the Wiz API to fetch cloud configuration findings. The LastRunTime filter is applied to retrieve only the findings that were detected or updated after the last successful sync. If this is the first time connecting to the Wiz API, Monad performs a full sync of all available findings.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Endpoint URL | string | Yes | Endpoint URL to connect to Wiz. |
| Severity | Array | No | Your Wiz Vendor Severity for Vulnerability Findings. |
| Status | Array | No | The status of a Vulnerability Finding. |
| Result | Array | No | Filters data by result type. |
| Backfill Start Time | string | No | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Client ID | string | Yes | Client ID for the Wiz API. This is required to authenticate requests. |
| Client Secret | string | Yes | Client Secret for the Wiz API. This is required to authenticate requests. |
OCSF Conversion
The JQ transformation converts Wiz Cloud Configuration Finding data to an OCSF Version 1.1.0 compliant format, using the following key mappings:
Core Fields
- Category UID: Set to 2 (Findings)
- Class UID: Set to 2003 (Compliance Finding)
- Type UID: Set to 200302 (Compliance Finding: Update)
- Activity ID: Set to 2 (Update)
- Severity ID: Mapped from Wiz severity levels:
  - HIGH → 4
  - MEDIUM → 3
  - LOW → 2
  - others → 0 (Unknown)
- Time: Maps directly from firstSeenAt field
Finding Information
- UID: Maps from finding ID
- Title: Maps from rule name
- Description: Maps from rule description
- Created Time: Maps from firstSeenAt
- Modified Time: Maps from updatedAt
- Types: Set to ["configuration"]
Resource Details
- Type: Maps from resource type
- UID: Maps from resource ID
- Name: Maps from resource name
- Labels: Converts resource labels to array of values
- Owner Information:
  - Name: Maps from owner
  - UID: Maps from ownerID
  - Type ID mapping:
    - ADMIN → 2
    - SYSTEM → 3
    - USER → 1
    - others → 0 (Unknown)
Cloud Information
- Provider: Maps from cloudPlatform
- Account UID: Maps from subscription externalId
- Region: Maps from resource region
Status Information
- Status: Maps directly from status field
- Status ID: Mapped from status:
  - OPEN → 1 (New)
  - RESOLVED → 4 (Resolved)
  - others → 0 (Unknown)
Observables
- Includes resource ID as an observable with type "Resource UID" (type_id: 10)
Metadata
- Version: Set to "1.1.0"
- Product:
  - Vendor name: "Wiz"
  - Name: "Wiz"
  - Version: "1.0"
Customization
The transformation serves as a starting point and can be modified to accommodate specific requirements while maintaining OCSF compliance. The mapping prioritizes essential cloud configuration information while providing fallback values for optional fields.
Sample Record
```json
{
  "data": {
    "configurationFindings": {
      "nodes": [
        {
          "id": "23ieoqbfdnoenwqs",
          "targetExternalId": "Tom Miller",
          "targetObjectProviderUniqueId": "08b52ca9c8a44c0593d6b3f56235c291",
          "firstSeenAt": "2025-08-11T23:46:39Z",
          "severity": "HIGH",
          "result": "FAIL",
          "status": "OPEN",
          "remediation": "Follow the steps below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed. \r\n* `securityContext.capabilities.drop` key is set to `ALL`.",
          "resource": {
            "id": "7fe7c53e-0343-9e07-d32b-79af6784d552",
            "providerId": "67eb98e3-31b9-8a5c-9fcc-0fa7a2544f41",
            "name": "Alice Williams",
            "nativeType": "Pod",
            "type": "POD",
            "region": null,
            "subscription": {
              "id": "6bd718b6-9c03-4998-6c11-a27c1b707649",
              "name": "Wiz - PROD",
              "externalId": "08b52ca9c8a44c0593d6b3f56235c291",
              "cloudProvider": "GCP"
            },
            "projects": "Jane Williams",
            "tags": [
              { "key": "pod-template-hash", "value": "Alice Brown" },
              { "key": "app.kubernetes.io/name", "value": "Tom Brown" },
              { "key": "app.kubernetes.io/instance", "value": "Tom Smith" }
            ]
          },
          "rule": {
            "id": "72a39ee6-12fd-0e86-bde4-1e7b0fecd5df",
            "graphId": "08b52ca9c8a44c0593d6b3f56235c291",
            "name": "Alice Johnson",
            "description": "dolore labore minim aute ut velit sint lorem ut aliquip in sed fugiat consectetur minim",
            "remediationInstructions": "dolore quis laboris qui dolor nostrud et duis magna do",
            "functionAsControl": false
          },
          "securitySubCategories": [
            {
              "id": "7b3531bf-a6fa-fa7b-60bd-0c283c5ca134",
              "title": "Peter Smith",
              "category": {
                "id": "08b52ca9c8a44c0593d6b3f56235c291",
                "name": "Tom Jones",
                "framework": { "id": "08b52ca9c8a44c0593d6b3f56235c291", "name": "Jane Williams" }
              }
            },
            {
              "id": "08b52ca9c8a44c0593d6b3f56235c291",
              "title": "Jane Miller",
              "category": {
                "id": "08b52ca9c8a44c0593d6b3f56235c291",
                "name": "Jane Jones",
                "framework": { "id": "08b52ca9c8a44c0593d6b3f56235c291", "name": "Alice Jones" }
              }
            }
          ]
        }
      ],
      "pageInfo": { "hasNextPage": true, "endCursor": "daac8d5e-4759-6ab3-a79f-9938343bb6a6" }
    }
  }
}
```
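The mappings listed under OCSF Conversion, written out as a jq filter that takes the API response shape shown in the Sample Record above. This is an added example, not Monad's shipped transformation. The paths marked "assumed" (updatedAt, cloudPlatform, owner, ownerID, ownerType, taking labels from tags, and the observable name) do not come from the sample record and are hypothetical, as are the fallbacks for updatedAt and cloudPlatform.

```jq
# Added example, not Monad's shipped transform. Paths marked "assumed" are
# hypothetical: they do not appear in the page's Sample Record.

# Map an enum string through m; null or unlisted values become 0 (Unknown).
def enum_id(m): ((. // "") | tostring) as $k | (m[$k] // 0);

.data.configurationFindings.nodes[]
| {
    category_uid: 2,      # Findings
    class_uid: 2003,      # Compliance Finding
    type_uid: 200302,     # Compliance Finding: Update
    activity_id: 2,       # Update
    severity_id: (.severity | enum_id({HIGH: 4, MEDIUM: 3, LOW: 2})),
    time: .firstSeenAt,
    finding_info: {
      uid: .id,
      title: .rule.name,
      desc: .rule.description,
      created_time: .firstSeenAt,
      modified_time: (.updatedAt // .firstSeenAt),   # updatedAt: assumed path
      types: ["configuration"]
    },
    resource: {
      type: .resource.type,
      uid: .resource.id,
      name: .resource.name,
      labels: [.resource.tags[]?.value],             # assumed: labels taken from tags
      owner: {
        name: .resource.owner,                       # assumed path
        uid: .resource.ownerID,                      # assumed path
        type_id: (.resource.ownerType                # assumed path
                  | enum_id({USER: 1, ADMIN: 2, SYSTEM: 3}))
      }
    },
    cloud: {
      provider: (.resource.cloudPlatform             # assumed path, with fallback
                 // .resource.subscription.cloudProvider),
      account: { uid: .resource.subscription.externalId },
      region: .resource.region
    },
    status: .status,
    status_id: (.status | enum_id({OPEN: 1, RESOLVED: 4})),
    # Observable name is assumed; type and type_id are as listed on this page.
    observables: [{ name: "resource.uid", type: "Resource UID", type_id: 10, value: .resource.id }],
    metadata: {
      version: "1.1.0",
      product: { vendor_name: "Wiz", name: "Wiz", version: "1.0" }
    }
  }
```

Saved under a hypothetical name such as wiz_to_ocsf.jq, the filter runs with `jq -c -f wiz_to_ocsf.jq sample.json` and emits one OCSF object per finding in the response.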