diff --git a/.script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json
new file mode 100644
index 00000000000..d669d3541e5
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json
@@ -0,0 +1,21 @@
+{
+ "Name": "WizAuditLogsV3_CL",
+ "Properties": [
+ {
+ "name": "auditlogId",
+ "type": "string"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ }
+ ]
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json
new file mode 100644
index 00000000000..bfd2b0a5e02
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json
@@ -0,0 +1,21 @@
+{
+ "Name": "WizDetectionsV3_CL",
+ "Properties": [
+ {
+ "name": "detectionId",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "tdrSource",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ }
+ ]
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json
new file mode 100644
index 00000000000..4660087aafb
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json
@@ -0,0 +1,25 @@
+{
+ "Name": "WizIssuesV3_CL",
+ "Properties": [
+ {
+ "name": "issueId",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "entitySnapshot",
+ "type": "dynamic"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ }
+ ]
+}
diff --git a/Solutions/Wiz/Data Connectors/WizSentinel.json b/Solutions/Wiz/Data Connectors/WizSentinel.json
new file mode 100644
index 00000000000..eeda7b72dd7
--- /dev/null
+++ b/Solutions/Wiz/Data Connectors/WizSentinel.json
@@ -0,0 +1,119 @@
+{
+ "id": "WizSentinel",
+ "title": "Wiz for Microsoft Sentinel",
+ "publisher": "Wiz",
+ "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, and **Audit Logs** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.",
+ "logo": "Wiz.svg",
+ "graphQueries": [
+ {
+ "metricName": "Total Issues received",
+ "legend": "WizIssuesV3_CL",
+ "baseQuery": "WizIssuesV3_CL"
+ },
+ {
+ "metricName": "Total Detections received",
+ "legend": "WizDetectionsV3_CL",
+ "baseQuery": "WizDetectionsV3_CL"
+ },
+ {
+ "metricName": "Total Audit Logs received",
+ "legend": "WizAuditLogsV3_CL",
+ "baseQuery": "WizAuditLogsV3_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Wiz Issues",
+ "query": "WizIssuesV3_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "All Wiz Detections",
+ "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WizIssuesV3_CL",
+ "lastDataReceivedQuery": "WizIssuesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "WizDetectionsV3_CL",
+ "lastDataReceivedQuery": "WizDetectionsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "WizAuditLogsV3_CL",
+ "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Subscription permissions",
+ "description": "**Owner** or **User Access Administrator** at the subscription is required to create the custom role definition (Microsoft.Authorization/roleDefinitions/write)."
+ },
+ {
+ "name": "Microsoft Entra permissions",
+ "description": "Permission to read (and, if the Wiz enterprise application is not yet consented, create) the Wiz service principal in Microsoft Entra ID."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "STEP 1 - Get the Wiz service principal object ID",
+ "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no local install required; creating the service principal needs permission to register enterprise applications in Microsoft Entra ID) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```"
+ },
+ {
+ "title": "STEP 2 - Grant Wiz the RBAC",
+ "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy the Wiz RBAC role**: \n\n\t[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceResourceId"
+ ],
+ "label": "Workspace Resource ID"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "title": "STEP 3 - Configure the integration in Wiz",
+ "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, and Audit Logs into this workspace."
+ }
+ ]
+}
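Review bot: The `permissions.resourceProvider` block requires the `Microsoft.OperationalInsights/workspaces/sharedKeys` action and `"delete": true` on the workspace, although `descriptionMarkdown` states this connector only deploys RBAC and has "no shared keys to manage"; the stated prerequisites should match what `azuredeploy_WizSentinelIntegration.json` actually needs, so either drop the sharedKeys entry and the delete flag or say why they remain. The same shared-key question applies to the custom role in the `azuredeploy_WizSentinelIntegration.json` hunk, whose `actions` list grants `Microsoft.OperationalInsights/workspaces/sharedKeys/action` to the Wiz principal even though the V3 path pushes through a Data Collection Endpoint. Separately, `graphQueries` and `dataTypes` cover Audit Logs but `sampleQueries` does not; adding `{ "description": "All Wiz Audit Logs", "query": "WizAuditLogsV3_CL\n | sort by TimeGenerated desc" }` keeps the three data types consistent. The Step 1 text hard-codes the Wiz application ID while the template parameter description uses the placeholder `WIZ_APP_ID`; keeping the ID in one place avoids the two drifting apart.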
diff --git a/Solutions/Wiz/Data Connectors/azuredeploy_Connector_Wiz_API_AzureFunction.json b/Solutions/Wiz/Data Connectors/azuredeploy_Connector_Wiz_API_AzureFunction.json
deleted file mode 100644
index 4753ea23e89..00000000000
--- a/Solutions/Wiz/Data Connectors/azuredeploy_Connector_Wiz_API_AzureFunction.json
+++ /dev/null
@@ -1,489 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "KeyVaultName": {
- "defaultValue": "Wiz-SentinelVault",
- "type": "string",
- "metadata": {
- "description": "Specifies The KeyVault name that stores all the integration credentials"
- }
- },
- "FunctionName": {
- "defaultValue": "WizToSentinel",
- "type": "string",
- "metadata": {
- "description": "Specifies The Function App name that executes the integration flow."
- }
- },
- "WizAuthUrl": {
- "defaultValue": "https://auth.app.wiz.io/oauth/token",
- "type": "string",
- "metadata": {
- "description": "URL to obtain Wiz token."
- }
- },
- "WizEndpointUrl": {
- "type": "string",
- "metadata": {
- "description": "URL to fetch Wiz data."
- }
- },
- "WizClientId": {
- "type": "string",
- "metadata": {
- "description": "Wiz Service Account Client ID."
- }
- },
- "WizClientSecret": {
- "type": "securestring",
- "metadata": {
- "description": "Wiz Service Account Client Secret."
- }
- },
- "AzureLogsAnalyticsWorkspaceId": {
- "type": "string",
- "metadata": {
- "description": "Azure Logs Analytics Workspace Id."
- }
- },
- "AzureLogAnalyticsWorkspaceSharedKey": {
- "type": "securestring",
- "metadata": {
- "description": "Azure Logs Analytics Workspace shared key."
- }
- },
- "EnableIssuesSending": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Specifies whether to enable sending Wiz Issues to Microsoft Sentinel."
- }
- },
- "EnableVulnerbilitiesSending": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Specifies whether to enable sending Wiz Vulnerability Findings to Microsoft Sentinel."
- }
- },
- "EnableAuditLogsSending": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Specifies whether to enable sending Wiz Audit Logs to Microsoft Sentinel."
- }
- },
- "IssuesQueryFilter": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Copy the Wiz filters in a JSON format you would like to apply on the pull Issues query. Leave empty to not use any filters. i.e - {\"severity\": \"HIGH\"}"
- }
- },
- "VulnerbailitiesQueryFilter": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Copy the Wiz filters in a JSON format you would like to apply on the pull Vulnerabilities query. Leave empty to not use any filters. i.e - {\"severity\": \"HIGH\"}"
- }
- },
- "AuditLogsQueryFilter": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Copy the Wiz filters in a JSON format you would like to apply on the pull Audit Logs query. Leave empty to not use any filters. i.e - {\"status\": \"FAILED\"}"
- }
- },
- "AppInsightsWorkspaceResourceID": {
- "type": "string",
- "metadata": {
- "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'"
- }
- }
- },
- "functions": [],
- "variables": {
- "WizAuthUrl_SecretName": "WizAuthUrl",
- "wiz_auth_url_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizAuthUrl_SecretName'))]",
- "WizApiEndpointUrl_SecretName": "WizApiEndpointUrl",
- "wiz_api_endpoint_url_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizApiEndpointUrl_SecretName'))]",
- "WizClientId_SecretName": "WizClientId",
- "wiz_client_id_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizClientId_SecretName'))]",
- "WizClientSecret_SecretName": "WizClientSecret",
- "wiz_secret_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizClientSecret_SecretName'))]",
- "AzureLogAnalyticsWorkspaceId_SecretName": "AzureLogAnalyticsWorkspaceId",
- "logspace_workspace_id_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceId_SecretName'))]",
- "AzureLogAnalyticsWorkspaceSharedKey_SecretName": "AzureLogAnalyticsWorkspaceSharedKey",
- "logspace_workspace_shared_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceSharedKey_SecretName'))]",
- "EnableIssuesSending_SecretName": "EnableIssuesSending",
- "enable_issues_sending_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('EnableIssuesSending_SecretName'))]",
- "EnableVulnerabilitiesSending_SecretName": "EnableVulnerabilitiesSending",
- "enable_vulns_sending_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('EnableVulnerabilitiesSending_SecretName'))]",
- "EnableAuditLogsSending_SecretName": "EnableAuditLogsSending",
- "enable_audit_logs_sending_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('EnableAuditLogsSending_SecretName'))]",
- "IssuesQueryFilter_SecretName": "IssuesQueryFilter",
- "issues_query_filter_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('IssuesQueryFilter_SecretName'))]",
- "VulnerabilitiesQueryFilter_SecretName": "VulnerabilitiesQueryFilter",
- "vulnerabilities_query_filter_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('VulnerabilitiesQueryFilter_SecretName'))]",
- "AuditLogsQueryFilter_SecretName": "AuditLogsQueryFilter",
- "audit_logs_query_filter_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('AuditLogsQueryFilter_SecretName'))]",
- "StorageSuffix": "[environment().suffixes.storage]"
- },
- "resources": [
- {
- "type": "Microsoft.KeyVault/vaults",
- "apiVersion": "2022-11-01",
- "name": "[parameters('KeyVaultName')]",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]"
- ],
- "properties": {
- "tenantId": "[subscription().tenantId]",
- "sku": {
- "family": "A",
- "name": "Standard"
- },
- "accessPolicies": [
- {
- "tenantId": "[subscription().tenantId]",
- "objectId": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), '2022-03-01', 'Full').identity.principalId]",
- "permissions": {
- "certificates": [],
- "keys": [],
- "secrets": [
- "Get",
- "List"
- ]
- }
- }
- ],
- "enablePurgeProtection": true
- },
- "resources": [
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('WizClientSecret_SecretName')]",
- "properties": {
- "value": "[parameters('WizClientSecret')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('WizClientId_SecretName')]",
- "properties": {
- "value": "[parameters('WizClientId')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('WizAuthUrl_SecretName')]",
- "properties": {
- "value": "[parameters('WizAuthUrl')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('WizApiEndpointUrl_SecretName')]",
- "properties": {
- "value": "[parameters('WizEndpointUrl')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('AzureLogAnalyticsWorkspaceSharedKey_SecretName')]",
- "properties": {
- "value": "[parameters('AzureLogAnalyticsWorkspaceSharedKey')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('AzureLogAnalyticsWorkspaceId_SecretName')]",
- "properties": {
- "value": "[parameters('AzureLogsAnalyticsWorkspaceId')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('EnableIssuesSending_SecretName')]",
- "properties": {
- "value": "[parameters('EnableIssuesSending')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('EnableVulnerabilitiesSending_SecretName')]",
- "properties": {
- "value": "[parameters('EnableVulnerbilitiesSending')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('EnableAuditLogsSending_SecretName')]",
- "properties": {
- "value": "[parameters('EnableAuditLogsSending')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('IssuesQueryFilter_SecretName')]",
- "properties": {
- "value": "[parameters('IssuesQueryFilter')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('VulnerabilitiesQueryFilter_SecretName')]",
- "properties": {
- "value": "[parameters('VulnerbailitiesQueryFilter')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- },
- {
- "type": "secrets",
- "apiVersion": "2022-11-01",
- "name": "[variables('AuditLogsQueryFilter_SecretName')]",
- "properties": {
- "value": "[parameters('AuditLogsQueryFilter')]"
- },
- "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
- ]
- }
- ]
- },
- {
- "type": "Microsoft.Insights/components",
- "apiVersion": "2020-02-02",
- "name": "[parameters('FunctionName')]",
- "location": "[resourceGroup().location]",
- "kind": "web",
- "properties": {
- "Application_Type": "web",
- "ApplicationId": "[parameters('FunctionName')]",
- "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]"
- }
- },
- {
- "type": "Microsoft.Web/sites",
- "apiVersion": "2022-03-01",
- "name": "[parameters('FunctionName')]",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Insights/components', parameters('FunctionName'))]"
- ],
- "kind": "functionapp,linux",
- "identity": {
- "type": "SystemAssigned"
- },
- "properties": {
- "name": "[parameters('FunctionName')]",
- "httpsOnly": true,
- "clientAffinityEnabled": true,
- "alwaysOn": true,
- "reserved": true,
- "siteConfig": {
- "linuxFxVersion": "PYTHON|3.11",
- "alwaysOn": false
- }
- },
- "resources": [
- {
- "apiVersion": "2018-11-01",
- "type": "config",
- "name": "appsettings",
- "dependsOn": [
- "[resourceId('Microsoft.Web/sites/', parameters('FunctionName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizClientSecret_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizClientId_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizAuthUrl_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizApiEndpointUrl_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceId_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceSharedKey_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('EnableIssuesSending_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('EnableVulnerabilitiesSending_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('EnableAuditLogsSending_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('IssuesQueryFilter_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('VulnerabilitiesQueryFilter_SecretName'))]",
- "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('AuditLogsQueryFilter_SecretName'))]"
- ],
- "properties": {
- "FUNCTIONS_EXTENSION_VERSION": "~4",
- "FUNCTIONS_WORKER_RUNTIME": "python",
- "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2020-02-02').InstrumentationKey]",
- "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2020-02-02').ConnectionString]",
- "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
- "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
- "WEBSITE_CONTENTSHARE": "[toLower(parameters('FunctionName'))]",
- "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-wiz-website-run-from-package",
- "wiz_api_endpoint": "[variables('wiz_api_endpoint_url_referance')]",
- "wiz_auth_url": "[variables('wiz_auth_url_referance')]",
- "wiz_client_id": "[variables('wiz_client_id_referance')]",
- "wiz_secret_key": "[variables('wiz_secret_key_referance')]",
- "workspace_customer_id": "[variables('logspace_workspace_id_referance')]",
- "workspace_shared_key": "[variables('logspace_workspace_shared_key_referance')]",
- "enable_issues_sending": "[variables('enable_issues_sending_key_referance')]",
- "enable_vulnerabilities_sending": "[variables('enable_vulns_sending_key_referance')]",
- "enable_audit_logs_sending": "[variables('enable_audit_logs_sending_key_referance')]",
- "issues_query_filter": "[variables('issues_query_filter_key_referance')]",
- "vulnerabilities_query_filter": "[variables('vulnerabilities_query_filter_key_referance')]",
- "audit_logs_query_filter": "[variables('audit_logs_query_filter_key_referance')]",
- "debug_level": 20
- }
- }
- ]
- },
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2022-09-01",
- "name": "[tolower(parameters('FunctionName'))]",
- "location": "[resourceGroup().location]",
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "kind": "StorageV2",
- "properties": {
- "minimumTlsVersion": "TLS1_2",
- "networkAcls": {
- "bypass": "AzureServices",
- "virtualNetworkRules": [],
- "ipRules": [],
- "defaultAction": "Allow"
- },
- "supportsHttpsTrafficOnly": true,
- "encryption": {
- "services": {
- "file": {
- "keyType": "Account",
- "enabled": true
- },
- "blob": {
- "keyType": "Account",
- "enabled": true
- }
- },
- "keySource": "Microsoft.Storage"
- }
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/blobServices",
- "apiVersion": "2022-09-01",
- "name": "[concat(parameters('FunctionName'), '/default')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
- ],
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "properties": {
- "cors": {
- "corsRules": []
- },
- "deleteRetentionPolicy": {
- "enabled": false
- }
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/fileServices",
- "apiVersion": "2022-09-01",
- "name": "[concat(parameters('FunctionName'), '/default')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]"
- ],
- "sku": {
- "name": "Standard_LRS",
- "tier": "Standard"
- },
- "properties": {
- "cors": {
- "corsRules": []
- }
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
- "apiVersion": "2022-09-01",
- "name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-hosts')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
- "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
- ],
- "properties": {
- "publicAccess": "None"
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
- "apiVersion": "2022-09-01",
- "name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-secrets')]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]",
- "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
- ],
- "properties": {
- "publicAccess": "None"
- }
- },
- {
- "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
- "apiVersion": "2022-09-01",
- "name": "[concat(parameters('FunctionName'), '/default/', tolower(parameters('FunctionName')))]",
- "dependsOn": [
- "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('FunctionName'), 'default')]",
- "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]"
- ],
- "properties": {
- "shareQuota": 5120
- }
- }
- ],
- "outputs": {}
-}
\ No newline at end of file
diff --git a/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json b/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json
new file mode 100644
index 00000000000..a58def64d84
--- /dev/null
+++ b/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json
@@ -0,0 +1,147 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "description": "Provisions the RBAC required by the Wiz Microsoft Sentinel integration (ARM port of wiz-azure-sentinel-integration.sh). Deploy this INTO the resource group that hosts the Log Analytics workspace. It creates a custom role definition (assignable at the subscription) and assigns it to the Wiz service principal at that resource group, plus optionally at an existing Data Collection Endpoint in any resource group. Resource-group scoped so it can be deployed via a Deploy to Azure button, the Azure portal Build your own template editor (paste/upload), or az deployment group create. ARM cannot create the Entra service principal, so its object ID is supplied via the wizPrincipalObjectId parameter."
+ },
+ "parameters": {
+ "wizPrincipalObjectId": {
+ "type": "string",
+ "metadata": {
+ "description": "Object ID of the Wiz service principal (the enterprise application object ID, NOT the application or client ID). Find it under Microsoft Entra ID, Enterprise applications, or run: az ad sp show --id WIZ_APP_ID --query id -o tsv"
+ }
+ },
+ "customRoleName": {
+ "type": "string",
+ "defaultValue": "WizSentinelIntegrationCustomRole",
+ "metadata": {
+ "description": "Name of the custom role definition to create."
+ }
+ },
+ "dataCollectionEndpointId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Full resource ID of an existing Data Collection Endpoint to also assign the role at (may live in any resource group). Leave empty to skip. Format: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Insights/dataCollectionEndpoints/{name}"
+ }
+ }
+ },
+ "variables": {
+ "roleDefName": "[guid(subscription().id, parameters('customRoleName'))]",
+ "roleDefId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]",
+ "roleDescription": "Wiz Custom Role For Microsoft Sentinel Integration",
+ "actions": [
+ "Microsoft.Insights/DataCollectionRules/Read",
+ "Microsoft.Insights/DataCollectionRules/Write",
+ "Microsoft.Insights/DataCollectionRules/Delete",
+ "Microsoft.OperationalInsights/workspaces/tables/read",
+ "Microsoft.OperationalInsights/workspaces/tables/write",
+ "Microsoft.OperationalInsights/workspaces/read",
+ "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
+ "Microsoft.Insights/DataCollectionEndpoints/Read",
+ "Microsoft.Insights/DataCollectionEndpoints/Write"
+ ],
+ "dataActions": [
+ "Microsoft.Insights/Telemetry/Write"
+ ],
+ "dceResourceGroup": "[if(empty(parameters('dataCollectionEndpointId')), '', split(parameters('dataCollectionEndpointId'), '/')[4])]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleDefName')]",
+ "properties": {
+ "roleName": "[parameters('customRoleName')]",
+ "description": "[variables('roleDescription')]",
+ "type": "CustomRole",
+ "permissions": [
+ {
+ "actions": "[variables('actions')]",
+ "notActions": [],
+ "dataActions": "[variables('dataActions')]",
+ "notDataActions": []
+ }
+ ],
+ "assignableScopes": [
+ "[subscription().id]",
+ "[resourceGroup().id]"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, parameters('wizPrincipalObjectId'), variables('roleDefName'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]"
+ ],
+ "properties": {
+ "roleDefinitionId": "[variables('roleDefId')]",
+ "principalId": "[parameters('wizPrincipalObjectId')]",
+ "principalType": "ServicePrincipal"
+ }
+ },
+ {
+ "condition": "[not(empty(parameters('dataCollectionEndpointId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "wiz-sentinel-dce-role-assignment",
+ "resourceGroup": "[variables('dceResourceGroup')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleDefId": {
+ "value": "[variables('roleDefId')]"
+ },
+ "wizPrincipalObjectId": {
+ "value": "[parameters('wizPrincipalObjectId')]"
+ },
+ "dataCollectionEndpointId": {
+ "value": "[parameters('dataCollectionEndpointId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleDefId": {
+ "type": "string"
+ },
+ "wizPrincipalObjectId": {
+ "type": "string"
+ },
+ "dataCollectionEndpointId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[parameters('dataCollectionEndpointId')]",
+ "name": "[guid(parameters('dataCollectionEndpointId'), parameters('wizPrincipalObjectId'), parameters('roleDefId'))]",
+ "properties": {
+ "roleDefinitionId": "[parameters('roleDefId')]",
+ "principalId": "[parameters('wizPrincipalObjectId')]",
+ "principalType": "ServicePrincipal"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "customRoleDefinitionId": {
+ "type": "string",
+ "value": "[variables('roleDefId')]"
+ }
+ }
+}
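Review bot: The nested deployment `wiz-sentinel-dce-role-assignment` sets only `resourceGroup` (from `dceResourceGroup`) and no `subscriptionId`, and the role's `assignableScopes` are limited to this subscription, so a `dataCollectionEndpointId` from another subscription would target a same-named resource group in this subscription or fail the assignment; the parameter description should read `Optional. Full resource ID of an existing Data Collection Endpoint in this subscription to also assign the role at (may live in any resource group) ...` or the template should guard against it. The role also grants `Microsoft.Insights/DataCollectionEndpoints/Write` and `Microsoft.Insights/DataCollectionRules/Delete`, which go beyond the "creates the data collection rule and tables" behaviour the connector description gives; if Wiz does not create endpoints or delete rules, removing them keeps the role at least privilege, though this diff does not show which actions Wiz exercises. Extending the top-level `metadata.description` with one clause per action stating why it is required would make future least-privilege reviews of this role straightforward.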
diff --git a/Solutions/Wiz/Data Connectors/template_WIZ.json b/Solutions/Wiz/Data Connectors/template_WIZ.json
deleted file mode 100644
index 9d7cc19db27..00000000000
--- a/Solutions/Wiz/Data Connectors/template_WIZ.json
+++ /dev/null
@@ -1,133 +0,0 @@
-{
- "id": "Wiz",
- "title": "Wiz",
- "publisher": "Wiz",
- "descriptionMarkdown": "The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel.",
- "logo": "Wiz.svg",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "WizIssues",
- "baseQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)"
- },
- {
- "metricName": "Total data received",
- "legend": "WizVulnerabilities",
- "baseQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)"
- },
- {
- "metricName": "Total data received",
- "legend": "WizAuditLogs",
- "baseQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Summary by Issues's severity",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Count=count() by severity_s"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "WizIssues",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "WizVulnerabilities",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "WizAuditLogs",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "availability": {
- "status": 2,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
- },
- {
- "name": "Wiz Service Account credentials",
- "description": "Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz)."
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This connector: Uses Azure Functions to connect to Wiz API to pull Wiz Issues, Vulnerability Findings, and Audit Logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\nCreates an Azure Key Vault with all the required parameters stored as secrets."
- },
- {
- "description": "\nFollow the instructions on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz) to get the erquired credentials.",
- "title": "STEP 1 - Get your Wiz credentials"
- },
- {
- "description": "\n>**IMPORTANT:** Before deploying the Wiz Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Wiz credentials from the previous step.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "fillWith": [
- "PrimaryKey"
- ],
- "label": "Primary Key"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "STEP 2 - Deploy the connector and the associated Azure Function"
- },
- {
- "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-wiz-azuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following parameters: \n> - Choose **KeyVaultName** and **FunctionName** for the new resources \n >- Enter the following Wiz credentials from step 1: **WizAuthUrl**, **WizEndpointUrl**, **WizClientId**, and **WizClientSecret** \n>- Enter the Workspace credentials **AzureLogsAnalyticsWorkspaceId** and **AzureLogAnalyticsWorkspaceSharedKey**\n>- Choose the Wiz data types you want to send to Microsoft Sentinel, choose at least one from **Wiz Issues**, **Vulnerability Findings**, and **Audit Logs**.\n \n>- (optional) follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#optional-create-a-filter-for-wiz-queries) to add **IssuesQueryFilter**, **VulnerbailitiesQueryFilter**, and **AuditLogsQueryFilter**.\n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n",
- "title": "Option 1: Deploy using the Azure Resource Manager (ARM) Template"
- },
- {
- "description": ">Follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#manual-deployment) to deploy the connector manually.",
- "title": "Option 2: Manual Deployment of the Azure Function"
- }
- ]
-}
\ No newline at end of file
diff --git a/Solutions/Wiz/Data/Solution_Wiz.json b/Solutions/Wiz/Data/Solution_Wiz.json
index b7f25734adc..9cb743d6fad 100644
--- a/Solutions/Wiz/Data/Solution_Wiz.json
+++ b/Solutions/Wiz/Data/Solution_Wiz.json
@@ -1,25 +1,25 @@
{
- "Name": "Wiz",
- "Author": "Wiz - support@wiz.io",
- "Logo": "",
- "Description": "The [Wiz](https://wiz.io/) solution for Microsoft Sentinel enables you to ingest [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel using the Wiz REST API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\nb. [Azure Key Vault](https://azure.microsoft.com/services/key-vault/#overview) ",
- "WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
- "AnalyticalRuleBladeDescription": "",
- "HuntingQueryBladeDescription": "",
- "PlaybooksBladeDescription": "",
- "Data Connectors": [
- "Solutions/Wiz/Data Connectors/template_WIZ.json"
- ],
- "Parsers": [],
- "Hunting Queries": [],
- "Analytic Rules": [],
- "Workbooks": [
- "Solutions/Wiz/Workbooks/WizFindings.json"
- ],
- "Playbooks": [],
- "BasePath": "C://Azure-Sentinel",
- "Version": "3.0.0",
- "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1PConnector": false
- }
\ No newline at end of file
+ "Name": "Wiz",
+ "Author": "Wiz - support@wiz.io",
+ "Logo": "
",
+ "Description": "The [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) ",
+ "WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
+ "AnalyticalRuleBladeDescription": "",
+ "HuntingQueryBladeDescription": "",
+ "PlaybooksBladeDescription": "",
+ "Data Connectors": [
+ "Solutions/Wiz/Data Connectors/WizSentinel.json"
+ ],
+ "Parsers": [],
+ "Hunting Queries": [],
+ "Analytic Rules": [],
+ "Workbooks": [
+ "Solutions/Wiz/Workbooks/WizFindings.json"
+ ],
+ "Playbooks": [],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Version": "4.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
diff --git a/Solutions/Wiz/Package/2.0.0.zip b/Solutions/Wiz/Package/2.0.0.zip
deleted file mode 100644
index 56d5b9d88ac..00000000000
Binary files a/Solutions/Wiz/Package/2.0.0.zip and /dev/null differ
diff --git a/Solutions/Wiz/Package/3.0.0.zip b/Solutions/Wiz/Package/3.0.0.zip
deleted file mode 100644
index 6ee7973dfcf..00000000000
Binary files a/Solutions/Wiz/Package/3.0.0.zip and /dev/null differ
diff --git a/Solutions/Wiz/Package/4.0.0.zip b/Solutions/Wiz/Package/4.0.0.zip
new file mode 100644
index 00000000000..be9692bdaa0
Binary files /dev/null and b/Solutions/Wiz/Package/4.0.0.zip differ
diff --git a/Solutions/Wiz/Package/createUiDefinition.json b/Solutions/Wiz/Package/createUiDefinition.json
index 178acf47717..f75ebfb728d 100644
--- a/Solutions/Wiz/Package/createUiDefinition.json
+++ b/Solutions/Wiz/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Wiz/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Wiz](https://wiz.io/) solution for Microsoft Sentinel enables you to ingest [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel using the Wiz REST API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\nb. [Azure Key Vault](https://azure.microsoft.com/services/key-vault/#overview) \n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Wiz/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) \n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -64,7 +64,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
@@ -110,7 +110,7 @@
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview"
+ "text": "A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview"
}
}
]
diff --git a/Solutions/Wiz/Package/mainTemplate.json b/Solutions/Wiz/Package/mainTemplate.json
index a2f78d17249..d1b7d8aad93 100644
--- a/Solutions/Wiz/Package/mainTemplate.json
+++ b/Solutions/Wiz/Package/mainTemplate.json
@@ -41,19 +41,19 @@
"email": "support@wiz.io",
"_email": "[variables('email')]",
"_solutionName": "Wiz",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "4.0.0",
"solutionId": "wizinc1627338511749.wizinc1627338511749_wiz_mss-sentinel",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "Wiz",
+ "uiConfigId1": "WizSentinel",
"_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "Wiz",
+ "dataConnectorContentId1": "WizSentinel",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "workbookVersion1": "2.0.0",
+ "workbookVersion1": "3.0.0",
"workbookContentId1": "WizFindingsWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
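Review bot: Changing `dataConnectorContentId1` and `uiConfigId1` from `Wiz` to `WizSentinel` while `dataConnectorVersion1` stays at `1.0.0` publishes the connector as a new content item rather than a new version of the existing one; if I read the packaging correctly, a workspace moving from 3.0.0 to 4.0.0 keeps the old `Wiz` connector, its template spec and any deployed Function App in place. Neither this hunk nor the rewritten instruction steps tells the admin to decommission that previous deployment, and the removed template shows it held the Wiz client secret and the workspace shared key in a Key Vault — credentials the DCE-based design no longer needs. Suggest either keeping the `Wiz` content id and bumping `dataConnectorVersion1`, or adding a release-note / instruction sentence such as `After deploying 4.0.0, delete the 3.x Function App and Key Vault, remove the legacy Wiz connector, and rotate the Wiz service-account secret it used.` The same consideration applies to both `connectorUiConfig` copies later in this file.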
@@ -72,7 +72,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Wiz data connector with template version 3.0.0",
+ "description": "Wiz data connector with template version 4.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -88,59 +88,61 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Wiz (using Azure Functions)",
+ "title": "Wiz for Microsoft Sentinel",
"publisher": "Wiz",
- "descriptionMarkdown": "The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel.",
+ "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, and **Audit Logs** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.",
"logo": "Wiz.svg",
"graphQueries": [
{
- "metricName": "Total data received",
- "legend": "WizIssues",
- "baseQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)"
+ "metricName": "Total Issues received",
+ "legend": "WizIssuesV3_CL",
+ "baseQuery": "WizIssuesV3_CL"
},
{
- "metricName": "Total data received",
- "legend": "WizVulnerabilities",
- "baseQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)"
+ "metricName": "Total Detections received",
+ "legend": "WizDetectionsV3_CL",
+ "baseQuery": "WizDetectionsV3_CL"
},
{
- "metricName": "Total data received",
- "legend": "WizAuditLogs",
- "baseQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)"
+ "metricName": "Total Audit Logs received",
+ "legend": "WizAuditLogsV3_CL",
+ "baseQuery": "WizAuditLogsV3_CL"
}
],
"sampleQueries": [
{
- "description": "Summary by Issues's severity",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Count=count() by severity_s"
+ "description": "All Wiz Issues",
+ "query": "WizIssuesV3_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "All Wiz Detections",
+ "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
- "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"dataTypes": [
{
- "name": "WizIssues",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "WizIssuesV3_CL",
+ "lastDataReceivedQuery": "WizIssuesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "WizVulnerabilities",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "WizDetectionsV3_CL",
+ "lastDataReceivedQuery": "WizDetectionsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "WizAuditLogs",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "WizAuditLogsV3_CL",
+ "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
- "status": 2,
+ "status": 1,
"isPreview": false
},
"permissions": {
@@ -168,54 +170,38 @@
],
"customs": [
{
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ "name": "Subscription permissions",
+ "description": "**Owner** or **User Access Administrator** at the subscription is required to create the custom role definition (Microsoft.Authorization/roleDefinitions/write)."
},
{
- "name": "Wiz Service Account credentials",
- "description": "Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz)."
+ "name": "Microsoft Entra permissions",
+ "description": "Permission to read (and, if the Wiz enterprise application is not yet consented, create) the Wiz service principal in Microsoft Entra ID."
}
]
},
"instructionSteps": [
{
- "description": ">**NOTE:** This connector: Uses Azure Functions to connect to Wiz API to pull Wiz Issues, Vulnerability Findings, and Audit Logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\nCreates an Azure Key Vault with all the required parameters stored as secrets."
+ "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no local install required; creating the service principal needs permission to register enterprise applications in Microsoft Entra ID) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```",
+ "title": "STEP 1 - Get the Wiz service principal object ID"
},
{
- "description": "\nFollow the instructions on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz) to get the erquired credentials.",
- "title": "STEP 1 - Get your Wiz credentials"
- },
- {
- "description": "\n>**IMPORTANT:** Before deploying the Wiz Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Wiz credentials from the previous step.",
+ "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy the Wiz RBAC role**: \n\n\t[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.",
"instructions": [
{
"parameters": {
"fillWith": [
- "WorkspaceId"
+ "WorkspaceResourceId"
],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "fillWith": [
- "PrimaryKey"
- ],
- "label": "Primary Key"
+ "label": "Workspace Resource ID"
},
"type": "CopyableLabel"
}
],
- "title": "STEP 2 - Deploy the connector and the associated Azure Function"
- },
- {
- "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-wiz-azuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following parameters: \n> - Choose **KeyVaultName** and **FunctionName** for the new resources \n >- Enter the following Wiz credentials from step 1: **WizAuthUrl**, **WizEndpointUrl**, **WizClientId**, and **WizClientSecret** \n>- Enter the Workspace credentials **AzureLogsAnalyticsWorkspaceId** and **AzureLogAnalyticsWorkspaceSharedKey**\n>- Choose the Wiz data types you want to send to Microsoft Sentinel, choose at least one from **Wiz Issues**, **Vulnerability Findings**, and **Audit Logs**.\n \n>- (optional) follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#optional-create-a-filter-for-wiz-queries) to add **IssuesQueryFilter**, **VulnerbailitiesQueryFilter**, and **AuditLogsQueryFilter**.\n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n",
- "title": "Option 1: Deploy using the Azure Resource Manager (ARM) Template"
+ "title": "STEP 2 - Grant Wiz the RBAC"
},
{
- "description": ">Follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#manual-deployment) to deploy the connector manually.",
- "title": "Option 2: Manual Deployment of the Azure Function"
+ "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, and Audit Logs into this workspace.",
+ "title": "STEP 3 - Configure the integration in Wiz"
}
]
}
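Review bot: The Step 1 `description` on the new side chains `az ad sp show … 2>/dev/null || az ad sp create …`, so any failure of the lookup (expired login, missing directory read permission, throttling) falls straight through to creating a new enterprise application in the tenant, and the `2>/dev/null` hides why. Because the printed object ID becomes the `principalId` of the role assignment in Step 2, suggest splitting this into a read-only `az ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv` step and a separately described `az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728` step to run only when the first reports the service principal does not exist, plus a sentence asking the admin to confirm the returned object's `appId` is `ae69b94b-e367-4660-9b35-cfb4b5966728` before pasting it. The "Microsoft Entra permissions" entry describes this as the application being "consented", but `az ad sp create` registers the service principal in the tenant and is not an admin-consent grant; `Permission to create the Wiz service principal (enterprise application) in Microsoft Entra ID if it does not already exist.` would be more accurate. Step 3 asks the admin to paste a Tenant ID and a Data Collection Endpoint Resource ID, yet Step 2 only copies the workspace resource ID and treats the DCE as optional; a sentence clarifying where to obtain those two values would close the gap. The identical text appears again in the second `connectorUiConfig` copy, whose hunk starts at the end of this chunk.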
@@ -256,7 +242,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
- "displayName": "Wiz (using Azure Functions)",
+ "displayName": "Wiz for Microsoft Sentinel",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
@@ -300,58 +286,60 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
- "title": "Wiz (using Azure Functions)",
+ "title": "Wiz for Microsoft Sentinel",
"publisher": "Wiz",
- "descriptionMarkdown": "The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel.",
+ "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, and **Audit Logs** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.",
"graphQueries": [
{
- "metricName": "Total data received",
- "legend": "WizIssues",
- "baseQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)"
+ "metricName": "Total Issues received",
+ "legend": "WizIssuesV3_CL",
+ "baseQuery": "WizIssuesV3_CL"
},
{
- "metricName": "Total data received",
- "legend": "WizVulnerabilities",
- "baseQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)"
+ "metricName": "Total Detections received",
+ "legend": "WizDetectionsV3_CL",
+ "baseQuery": "WizDetectionsV3_CL"
},
{
- "metricName": "Total data received",
- "legend": "WizAuditLogs",
- "baseQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)"
+ "metricName": "Total Audit Logs received",
+ "legend": "WizAuditLogsV3_CL",
+ "baseQuery": "WizAuditLogsV3_CL"
}
],
"dataTypes": [
{
- "name": "WizIssues",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "WizIssuesV3_CL",
+ "lastDataReceivedQuery": "WizIssuesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "WizVulnerabilities",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "WizDetectionsV3_CL",
+ "lastDataReceivedQuery": "WizDetectionsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "WizAuditLogs",
- "lastDataReceivedQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "WizAuditLogsV3_CL",
+ "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
- "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
- "description": "Summary by Issues's severity",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Count=count() by severity_s"
+ "description": "All Wiz Issues",
+ "query": "WizIssuesV3_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "All Wiz Detections",
+ "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc"
}
],
"availability": {
- "status": 2,
+ "status": 1,
"isPreview": false
},
"permissions": {
@@ -379,54 +367,38 @@
],
"customs": [
{
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ "name": "Subscription permissions",
+ "description": "**Owner** or **User Access Administrator** at the subscription is required to create the custom role definition (Microsoft.Authorization/roleDefinitions/write)."
},
{
- "name": "Wiz Service Account credentials",
- "description": "Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz)."
+ "name": "Microsoft Entra permissions",
+ "description": "Permission to read (and, if the Wiz enterprise application is not yet consented, create) the Wiz service principal in Microsoft Entra ID."
}
]
},
"instructionSteps": [
{
- "description": ">**NOTE:** This connector: Uses Azure Functions to connect to Wiz API to pull Wiz Issues, Vulnerability Findings, and Audit Logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\nCreates an Azure Key Vault with all the required parameters stored as secrets."
- },
- {
- "description": "\nFollow the instructions on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz) to get the erquired credentials.",
- "title": "STEP 1 - Get your Wiz credentials"
+ "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no local install required; creating the service principal needs permission to register enterprise applications in Microsoft Entra ID) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```",
+ "title": "STEP 1 - Get the Wiz service principal object ID"
},
{
- "description": "\n>**IMPORTANT:** Before deploying the Wiz Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Wiz credentials from the previous step.",
+ "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy the Wiz RBAC role**: \n\n\t[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.",
"instructions": [
{
"parameters": {
"fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "fillWith": [
- "PrimaryKey"
+ "WorkspaceResourceId"
],
- "label": "Primary Key"
+ "label": "Workspace Resource ID"
},
"type": "CopyableLabel"
}
],
- "title": "STEP 2 - Deploy the connector and the associated Azure Function"
- },
- {
- "description": "1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-wiz-azuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following parameters: \n> - Choose **KeyVaultName** and **FunctionName** for the new resources \n >- Enter the following Wiz credentials from step 1: **WizAuthUrl**, **WizEndpointUrl**, **WizClientId**, and **WizClientSecret** \n>- Enter the Workspace credentials **AzureLogsAnalyticsWorkspaceId** and **AzureLogAnalyticsWorkspaceSharedKey**\n>- Choose the Wiz data types you want to send to Microsoft Sentinel, choose at least one from **Wiz Issues**, **Vulnerability Findings**, and **Audit Logs**.\n \n>- (optional) follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#optional-create-a-filter-for-wiz-queries) to add **IssuesQueryFilter**, **VulnerbailitiesQueryFilter**, and **AuditLogsQueryFilter**.\n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n",
- "title": "Option 1: Deploy using the Azure Resource Manager (ARM) Template"
+ "title": "STEP 2 - Grant Wiz the RBAC"
},
{
- "description": ">Follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#manual-deployment) to deploy the connector manually.",
- "title": "Option 2: Manual Deployment of the Azure Function"
+ "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, and Audit Logs into this workspace.",
+ "title": "STEP 3 - Configure the integration in Wiz"
}
],
"id": "[variables('_uiConfigId1')]"
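Review bot: The Cloud Shell one-liner in the STEP 1 description (`az ad sp show … 2>/dev/null || az ad sp create …`) treats every failure of `az ad sp show` as "not found", so an expired login, a tenant policy block or a transient directory error falls straight through to `az ad sp create`, which then either fails with an unrelated message or registers the enterprise application when the operator only meant to look it up. Consider dropping `2>/dev/null` and presenting the two commands separately, so the reader runs `az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv` only after `show` has reported that the principal does not exist. Since STEP 2 then grants that principal RBAC in the workspace's resource group, a sentence asking the reader to confirm the application ID against Wiz's published documentation before consenting it into the tenant would also belong here. Separately, STEP 2 describes **dataCollectionEndpointId** as optional while STEP 3 lists **Data Collection Endpoint Resource ID** among the values to paste, so STEP 2 should state when the DCE ID is required.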
@@ -442,7 +414,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "WizFindings Workbook with template version 3.0.0",
+ "description": "WizFindings Workbook with template version 4.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -456,11 +428,11 @@
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
- "description": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview"
+ "description": "A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview"
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize count() by TimeGenerated \",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize count() by TimeGenerated \",\"title\":\"Vulnerabilities over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Vulnerabilities over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizAuditLogs_CL),\\n(WizAuditLogsV2_CL) \\n| summarize count() by TimeGenerated \",\"title\":\"Audit Logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit Logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by severity_s\",\"title\":\"Issues by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by status_s\",\"title\":\"Issues by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by 
status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by entitySnapshot_cloudPlatform_s\",\"title\":\"Issues by cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by entitySnapshot_type_s\",\"title\":\"Issues by entity type\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by entity type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizAuditLogs_CL),\\n(WizAuditLogsV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by status_s\",\"title\":\"Audit Logs by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit Logs by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizAuditLogs_CL),\\n(WizAuditLogsV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by action_s\",\"title\":\"Audit Logs by actions\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit Logs by actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by 
vulnerableAsset_type_s\",\"title\":\"Vulnerabilities by Asset Type\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by Asset Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by vendorSeverity_s\",\"title\":\"Vulnerabilities by Vendor Severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by Vendor Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by detectionMethod_s\",\"title\":\"Vulnerabilities by Detection Method\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by Detection Method\"}],\"fromTemplateId\":\"sentinel-Alerts overview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Detections over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Detections over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Audit logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by severity\",\"title\":\"Issues by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by status\",\"title\":\"Issues by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by tostring(entitySnapshot.cloudPlatform)\",\"title\":\"Issues by 
cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by severity\",\"title\":\"Detections by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by tdrSource\",\"title\":\"Detections by TDR source\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by TDR source\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by action\",\"title\":\"Audit logs by action\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by status\",\"title\":\"Audit logs by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by status\"}],\"fromTemplateId\":\"sentinel-WizFindings\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -471,7 +443,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=WizFindingsWorkbook; logoFileName=Wiz_logo.svg; description=A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.0.0; title=Wiz Findings overview; templateRelativePath=WizFindings.json; subtitle=; provider=Wiz}.description",
+ "description": "@{workbookKey=WizFindingsWorkbook; logoFileName=Wiz_logo.svg; description=A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=3.0.0; title=Wiz Findings overview; templateRelativePath=WizFindings.json; subtitle=; provider=Wiz}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
@@ -495,31 +467,19 @@
"operator": "AND",
"criteria": [
{
- "contentId": "WizIssues_CL",
- "kind": "DataType"
- },
- {
- "contentId": "WizVulnerabilities_CL",
- "kind": "DataType"
- },
- {
- "contentId": "WizAuditLogs_CL",
- "kind": "DataType"
- },
- {
- "contentId": "WizIssuesV2_CL",
+ "contentId": "WizIssuesV3_CL",
"kind": "DataType"
},
{
- "contentId": "WizVulnerabilitiesV2_CL",
+ "contentId": "WizDetectionsV3_CL",
"kind": "DataType"
},
{
- "contentId": "WizAuditLogs_CL",
+ "contentId": "WizAuditLogsV3_CL",
"kind": "DataType"
},
{
- "contentId": "Wiz",
+ "contentId": "WizSentinel",
"kind": "DataConnector"
}
]
@@ -546,12 +506,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "4.0.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Wiz",
"publisherDisplayName": "Wiz",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Wiz solution for Microsoft Sentinel enables you to ingest Wiz Issues, Wiz Vulnerability Findings, and Wiz Audit Logs into Microsoft Sentinel using the Wiz REST API.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nData Connectors: 1, Workbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Wiz solution for Microsoft Sentinel lets Wiz push Wiz Issues, Wiz Detections, and Wiz Audit Logs into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Workbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
diff --git a/Solutions/Wiz/ReleaseNotes.md b/Solutions/Wiz/ReleaseNotes.md
index 3d1d0e21642..65dbf7ba4fe 100644
--- a/Solutions/Wiz/ReleaseNotes.md
+++ b/Solutions/Wiz/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 4.0.0 | 15-06-2026 | Replaced the legacy Azure Function (REST API pull) **Connector** with the Microsoft Sentinel push integration (DCR + RBAC grant). Data is now pushed by Wiz to `WizIssuesV3_CL`, `WizDetectionsV3_CL`, and `WizAuditLogsV3_CL` (Issues, Detections, Audit Logs). **Workbook** rewritten to the new tables and columns. |
 | 3.0.0 | 15-07-2024 | Updated the queries on the **Workbook** and **Connector** to match with the new table names we offer |
 | 2.0.0 | 07-09-2023 | Updated **Workbook** query in Maintemplate |
diff --git a/Solutions/Wiz/Workbooks/WizFindings.json b/Solutions/Wiz/Workbooks/WizFindings.json
index 78c18d3e1aa..d50527deb9a 100644
--- a/Solutions/Wiz/Workbooks/WizFindings.json
+++ b/Solutions/Wiz/Workbooks/WizFindings.json
@@ -5,8 +5,8 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize count() by TimeGenerated ",
- "title" : "Issues over time",
+ "query": "WizIssuesV3_CL \n| summarize count() by bin(TimeGenerated, 1h)",
+ "title": "Issues over time",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -18,34 +18,34 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) \n| summarize count() by TimeGenerated ",
- "title" : "Vulnerabilities over time",
+ "query": "WizDetectionsV3_CL \n| summarize count() by bin(TimeGenerated, 1h)",
+ "title": "Detections over time",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "linechart"
 },
- "name": "Vulnerabilities over time"
+ "name": "Detections over time"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL) \n| summarize count() by TimeGenerated ",
- "title" : "Audit Logs over time",
+ "query": "WizAuditLogsV3_CL \n| summarize count() by bin(TimeGenerated, 1h)",
+ "title": "Audit logs over time",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "linechart"
 },
- "name": "Audit Logs over time"
+ "name": "Audit logs over time"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by severity_s",
- "title" : "Issues by severity",
+ "query": "WizIssuesV3_CL \n| summarize arg_max(TimeGenerated, *) by issueId\n| summarize count() by severity",
+ "title": "Issues by severity",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -58,8 +58,8 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by status_s",
- "title" : "Issues by status",
+ "query": "WizIssuesV3_CL \n| summarize arg_max(TimeGenerated, *) by issueId\n| summarize count() by status",
+ "title": "Issues by status",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -72,8 +72,8 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by entitySnapshot_cloudPlatform_s",
- "title" : "Issues by cloud platform",
+ "query": "WizIssuesV3_CL \n| summarize arg_max(TimeGenerated, *) by issueId\n| summarize count() by tostring(entitySnapshot.cloudPlatform)",
+ "title": "Issues by cloud platform",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -86,87 +86,59 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by entitySnapshot_type_s",
- "title" : "Issues by entity type",
+ "query": "WizDetectionsV3_CL \n| summarize arg_max(TimeGenerated, *) by detectionId\n| summarize count() by severity",
+ "title": "Detections by severity",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "piechart"
 },
 "customWidth": "33",
- "name": "Issues by entity type"
+ "name": "Detections by severity"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by status_s",
- "title" : "Audit Logs by status",
+ "query": "WizDetectionsV3_CL \n| summarize arg_max(TimeGenerated, *) by detectionId\n| summarize count() by tdrSource",
+ "title": "Detections by TDR source",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "piechart"
 },
 "customWidth": "33",
- "name": "Audit Logs by status"
+ "name": "Detections by TDR source"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by action_s",
- "title" : "Audit Logs by actions",
+ "query": "WizAuditLogsV3_CL \n| summarize arg_max(TimeGenerated, *) by auditlogId\n| summarize count() by action",
+ "title": "Audit logs by action",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "piechart"
 },
 "customWidth": "33",
- "name": "Audit Logs by actions"
+ "name": "Audit logs by action"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) 
\n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by vulnerableAsset_type_s",
- "title" : "Vulnerabilities by Asset Type",
+ "query": "WizAuditLogsV3_CL \n| summarize arg_max(TimeGenerated, *) by auditlogId\n| summarize count() by status",
+ "title": "Audit logs by status",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "piechart"
 },
 "customWidth": "33",
- "name": "Vulnerabilities by Asset Type"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by vendorSeverity_s",
- "title" : "Vulnerabilities by Vendor Severity",
- "size": 3,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
- },
- "customWidth": "33",
- "name": "Vulnerabilities by Vendor Severity"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by detectionMethod_s",
- "title" : "Vulnerabilities by Detection Method",
- "size": 3,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
- },
- "customWidth": "33",
- "name": "Vulnerabilities by Detection Method"
+ "name": "Audit logs by status"
 }
 ],
- "fromTemplateId": "sentinel-Alerts overview",
+ "fromTemplateId": "sentinel-WizFindings",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
 }
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 143ab9dc8e7..07bc9a39c2d 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -8268,17 +8268,14 @@
 {
 "workbookKey": "WizFindingsWorkbook",
 "logoFileName": "Wiz_logo.svg",
- "description": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview",
+ "description": "A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview",
 "dataTypesDependencies": [
- "WizIssues_CL",
- "WizVulnerabilities_CL",
- "WizAuditLogs_CL",
- "WizIssuesV2_CL",
- "WizVulnerabilitiesV2_CL",
- "WizAuditLogs_CL"
+ "WizIssuesV3_CL",
+ "WizDetectionsV3_CL",
+ "WizAuditLogsV3_CL"
 ],
 "dataConnectorsDependencies": [
- "Wiz"
+ "WizSentinel"
 ],
 "previewImagesFileNames": [
 "WizFindingsBlack1.png",
@@ -8288,7 +8285,7 @@
 "WizFindingsWhite2.png",
 "WizFindingsWhite3.png"
 ],
- "version": "2.0.0",
+ "version": "3.0.0",
 "title": "Wiz Findings overview",
 "templateRelativePath": "WizFindings.json",
 "subtitle": "",