From a19d41b143a2825c8c08c011f6b81990e131ed3e Mon Sep 17 00:00:00 2001 
From: Marek Kuczynski Date: Mon, 15 Jun 2026 19:38:33 +0200 Subject: [PATCH 1/3] Wiz solution v4.0.0: replace legacy Azure Function connector with DCR push integration Migrate the Wiz Microsoft Sentinel solution from the legacy Azure Function (REST API pull, shared-key / HTTP Data Collector API) connector to the new Microsoft Sentinel push integration, where Wiz pushes to a Data Collection Rule/Endpoint using its service principal and the customer only grants RBAC. - Remove the v2 connector + its Function App/Key Vault ARM template (template_WIZ.json, azuredeploy_Connector_Wiz_API_AzureFunction.json). - Add the v3 push connector (WizSentinel.json, title "Wiz for Microsoft Sentinel") and the RBAC deployment template (azuredeploy_WizSentinelIntegration.json); the connector Deploy button points at the in-repo template via its raw master URL. - Data is now pushed to WizIssuesV3_CL, WizDetectionsV3_CL, WizAuditLogsV3_CL and WizVulnerabilitiesV3_CL (Issues, Detections, Audit Logs, Vulnerability Findings) -- a lossless superset of v2 plus Detections. - Rewrite the WizFindings workbook to the V3 tables/columns and update the central Workbooks/WorkbooksMetadata.json dependencies + connector id. - Regenerate the package (createSolutionV3) to 4.0.0; drop stale 2.0.0/3.0.0 zips. Passes the repo ARM-TTK gate (run-arm-ttk.ps1): Pass=48 Fail=0. DRAFT -- local only, not for push yet. Open items before submission: confirm the dynamic sub-fields (entitySnapshot.cloudPlatform/.type, vulnerableAsset.type) in-portal, and coordinate the offer update with the Partner Center owner. 
Co-Authored-By: Claude Opus 4.8 (1M context) --- .../Wiz/Data Connectors/WizSentinel.json | 123 +++++ ...eploy_Connector_Wiz_API_AzureFunction.json | 489 ------------------ .../azuredeploy_WizSentinelIntegration.json | 147 ++++++ .../Wiz/Data Connectors/template_WIZ.json | 133 ----- Solutions/Wiz/Data/Solution_Wiz.json | 48 +- Solutions/Wiz/Package/2.0.0.zip | Bin 7141 -> 0 bytes Solutions/Wiz/Package/3.0.0.zip | Bin 7999 -> 0 bytes Solutions/Wiz/Package/4.0.0.zip | Bin 0 -> 8058 bytes Solutions/Wiz/Package/createUiDefinition.json | 6 +- Solutions/Wiz/Package/mainTemplate.json | 266 +++++----- Solutions/Wiz/ReleaseNotes.md | 1 + Solutions/Wiz/Workbooks/WizFindings.json | 91 ++-- Workbooks/WorkbooksMetadata.json | 16 +- 13 files changed, 483 insertions(+), 837 deletions(-) create mode 100644 Solutions/Wiz/Data Connectors/WizSentinel.json delete mode 100644 Solutions/Wiz/Data Connectors/azuredeploy_Connector_Wiz_API_AzureFunction.json create mode 100644 Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json delete mode 100644 Solutions/Wiz/Data Connectors/template_WIZ.json delete mode 100644 Solutions/Wiz/Package/2.0.0.zip delete mode 100644 Solutions/Wiz/Package/3.0.0.zip create mode 100644 Solutions/Wiz/Package/4.0.0.zip diff --git a/Solutions/Wiz/Data Connectors/WizSentinel.json b/Solutions/Wiz/Data Connectors/WizSentinel.json new file mode 100644 index 00000000000..b07229fbe7b --- /dev/null +++ b/Solutions/Wiz/Data Connectors/WizSentinel.json 
@@ -0,0 +1,123 @@
+{
+ "id": "WizSentinel",
+ "title": "Wiz for Microsoft Sentinel",
+ "publisher": "Wiz",
+ "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, **Audit Logs**, and **Vulnerability Findings** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.",
+ "logo": "Wiz.svg",
+ "graphQueries": [
+ {
+ "metricName": "Total Issues received",
+ "legend": "WizIssuesV3_CL",
+ "baseQuery": "WizIssuesV3_CL"
+ },
+ {
+ "metricName": "Total Detections received",
+ "legend": "WizDetectionsV3_CL",
+ "baseQuery": "WizDetectionsV3_CL"
+ },
+ {
+ "metricName": "Total Audit Logs received",
+ "legend": "WizAuditLogsV3_CL",
+ "baseQuery": "WizAuditLogsV3_CL"
+ },
+ {
+ "metricName": "Total Vulnerability Findings received",
+ "legend": "WizVulnerabilitiesV3_CL",
+ "baseQuery": "WizVulnerabilitiesV3_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Wiz Issues",
+ "query": "WizIssuesV3_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "All Wiz Detections",
+ "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "All Wiz Vulnerability Findings",
+ "query": "WizVulnerabilitiesV3_CL\n | sort by TimeGenerated desc"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL), (WizVulnerabilitiesV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "WizIssuesV3_CL",
+ "lastDataReceivedQuery": "WizIssuesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "WizDetectionsV3_CL",
+ "lastDataReceivedQuery": "WizDetectionsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "WizAuditLogsV3_CL",
+ "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "WizVulnerabilitiesV3_CL",
+ "lastDataReceivedQuery": "WizVulnerabilitiesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required to grant the Wiz service principal access to the workspace.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Subscription permissions",
+ "description": "**Owner** or **User Access Administrator** at the subscription is required to create the custom role definition (Microsoft.Authorization/roleDefinitions/write)."
+ },
+ {
+ "name": "Microsoft Entra permissions",
+ "description": "Permission to read (and, if the Wiz enterprise application is not yet consented, create) the Wiz service principal in Microsoft Entra ID."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "STEP 1 - Get the Wiz service principal object ID",
+ "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no install or login needed) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```"
+ },
+ {
+ "title": "STEP 2 - Grant Wiz the RBAC",
+ "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy to Azure**: \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceResourceId"
+ ],
+ "label": "Workspace Resource ID"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "title": "STEP 3 - Configure the integration in Wiz",
+ "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, Audit Logs, and Vulnerability Findings into this workspace."
+ }
+ ]
+}
diff --git a/Solutions/Wiz/Data Connectors/azuredeploy_Connector_Wiz_API_AzureFunction.json b/Solutions/Wiz/Data Connectors/azuredeploy_Connector_Wiz_API_AzureFunction.json
deleted file mode 100644
index 4753ea23e89..00000000000
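Review bot: The `permissions.resourceProvider` entry asks for more than its text says: `requiredPermissions` sets `"delete": true`, while `permissionsDisplayText` names only read and write. Either drop the delete flag or change the text to `"read, write and delete permissions are required to grant the Wiz service principal access to the workspace."` so the operator sees the full ask before connecting. The `customs` entry has the same gap: it cites only `Microsoft.Authorization/roleDefinitions/write`, but the template linked from Step 2 also creates role assignments, so `Microsoft.Authorization/roleAssignments/write` belongs in that description. Separately, `descriptionMarkdown` promises "no shared keys to manage" and "least-privilege RBAC", which does not match the `sharedKeys/action` permission in the role added by azuredeploy_WizSentinelIntegration.json in this same patch.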
--- a/Solutions/Wiz/Data Connectors/azuredeploy_Connector_Wiz_API_AzureFunction.json
+++ /dev/null
@@ -1,489 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "KeyVaultName": { - "defaultValue": "Wiz-SentinelVault", - "type": "string", - "metadata": { - "description": "Specifies The KeyVault name that stores all the integration credentials" - } - }, - "FunctionName": { - "defaultValue": "WizToSentinel", - "type": "string", - "metadata": { - "description": "Specifies The Function App name that executes the integration flow." - } - }, - "WizAuthUrl": { - "defaultValue": "https://auth.app.wiz.io/oauth/token", - "type": "string", - "metadata": { - "description": "URL to obtain Wiz token." - } - }, - "WizEndpointUrl": { - "type": "string", - "metadata": { - "description": "URL to fetch Wiz data." - } - }, - "WizClientId": { - "type": "string", - "metadata": { - "description": "Wiz Service Account Client ID." - } - }, - "WizClientSecret": { - "type": "securestring", - "metadata": { - "description": "Wiz Service Account Client Secret." - } - }, - "AzureLogsAnalyticsWorkspaceId": { - "type": "string", - "metadata": { - "description": "Azure Logs Analytics Workspace Id." - } - }, - "AzureLogAnalyticsWorkspaceSharedKey": { - "type": "securestring", - "metadata": { - "description": "Azure Logs Analytics Workspace shared key." - } - }, - "EnableIssuesSending": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Specifies whether to enable sending Wiz Issues to Microsoft Sentinel." - } - }, - "EnableVulnerbilitiesSending": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Specifies whether to enable sending Wiz Vulnerability Findings to Microsoft Sentinel." - } - }, - "EnableAuditLogsSending": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Specifies whether to enable sending Wiz Audit Logs to Microsoft Sentinel." 
- } - }, - "IssuesQueryFilter": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Copy the Wiz filters in a JSON format you would like to apply on the pull Issues query. Leave empty to not use any filters. i.e - {\"severity\": \"HIGH\"}" - } - }, - "VulnerbailitiesQueryFilter": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Copy the Wiz filters in a JSON format you would like to apply on the pull Vulnerabilities query. Leave empty to not use any filters. i.e - {\"severity\": \"HIGH\"}" - } - }, - "AuditLogsQueryFilter": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Copy the Wiz filters in a JSON format you would like to apply on the pull Audit Logs query. Leave empty to not use any filters. i.e - {\"status\": \"FAILED\"}" - } - }, - "AppInsightsWorkspaceResourceID": { - "type": "string", - "metadata": { - "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. 
This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'" - } - } - }, - "functions": [], - "variables": { - "WizAuthUrl_SecretName": "WizAuthUrl", - "wiz_auth_url_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizAuthUrl_SecretName'))]", - "WizApiEndpointUrl_SecretName": "WizApiEndpointUrl", - "wiz_api_endpoint_url_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizApiEndpointUrl_SecretName'))]", - "WizClientId_SecretName": "WizClientId", - "wiz_client_id_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizClientId_SecretName'))]", - "WizClientSecret_SecretName": "WizClientSecret", - "wiz_secret_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('WizClientSecret_SecretName'))]", - "AzureLogAnalyticsWorkspaceId_SecretName": "AzureLogAnalyticsWorkspaceId", - "logspace_workspace_id_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceId_SecretName'))]", - "AzureLogAnalyticsWorkspaceSharedKey_SecretName": "AzureLogAnalyticsWorkspaceSharedKey", - "logspace_workspace_shared_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceSharedKey_SecretName'))]", - "EnableIssuesSending_SecretName": "EnableIssuesSending", - "enable_issues_sending_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('EnableIssuesSending_SecretName'))]", - "EnableVulnerabilitiesSending_SecretName": "EnableVulnerabilitiesSending", - "enable_vulns_sending_key_referance": 
"[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('EnableVulnerabilitiesSending_SecretName'))]", - "EnableAuditLogsSending_SecretName": "EnableAuditLogsSending", - "enable_audit_logs_sending_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('EnableAuditLogsSending_SecretName'))]", - "IssuesQueryFilter_SecretName": "IssuesQueryFilter", - "issues_query_filter_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('IssuesQueryFilter_SecretName'))]", - "VulnerabilitiesQueryFilter_SecretName": "VulnerabilitiesQueryFilter", - "vulnerabilities_query_filter_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('VulnerabilitiesQueryFilter_SecretName'))]", - "AuditLogsQueryFilter_SecretName": "AuditLogsQueryFilter", - "audit_logs_query_filter_key_referance": "[format('@Microsoft.KeyVault(VaultName={0};SecretName={1})', parameters('keyVaultName'), variables('AuditLogsQueryFilter_SecretName'))]", - "StorageSuffix": "[environment().suffixes.storage]" - }, - "resources": [ - { - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2022-11-01", - "name": "[parameters('KeyVaultName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]" - ], - "properties": { - "tenantId": "[subscription().tenantId]", - "sku": { - "family": "A", - "name": "Standard" - }, - "accessPolicies": [ - { - "tenantId": "[subscription().tenantId]", - "objectId": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), '2022-03-01', 'Full').identity.principalId]", - "permissions": { - "certificates": [], - "keys": [], - "secrets": [ - "Get", - "List" - ] - } - } - ], - "enablePurgeProtection": true - }, - "resources": [ - { - "type": "secrets", - "apiVersion": "2022-11-01", - 
"name": "[variables('WizClientSecret_SecretName')]", - "properties": { - "value": "[parameters('WizClientSecret')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('WizClientId_SecretName')]", - "properties": { - "value": "[parameters('WizClientId')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('WizAuthUrl_SecretName')]", - "properties": { - "value": "[parameters('WizAuthUrl')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('WizApiEndpointUrl_SecretName')]", - "properties": { - "value": "[parameters('WizEndpointUrl')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('AzureLogAnalyticsWorkspaceSharedKey_SecretName')]", - "properties": { - "value": "[parameters('AzureLogAnalyticsWorkspaceSharedKey')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('AzureLogAnalyticsWorkspaceId_SecretName')]", - "properties": { - "value": "[parameters('AzureLogsAnalyticsWorkspaceId')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('EnableIssuesSending_SecretName')]", - "properties": { - "value": "[parameters('EnableIssuesSending')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": 
"2022-11-01", - "name": "[variables('EnableVulnerabilitiesSending_SecretName')]", - "properties": { - "value": "[parameters('EnableVulnerbilitiesSending')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('EnableAuditLogsSending_SecretName')]", - "properties": { - "value": "[parameters('EnableAuditLogsSending')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('IssuesQueryFilter_SecretName')]", - "properties": { - "value": "[parameters('IssuesQueryFilter')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('VulnerabilitiesQueryFilter_SecretName')]", - "properties": { - "value": "[parameters('VulnerbailitiesQueryFilter')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - }, - { - "type": "secrets", - "apiVersion": "2022-11-01", - "name": "[variables('AuditLogsQueryFilter_SecretName')]", - "properties": { - "value": "[parameters('AuditLogsQueryFilter')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" - ] - } - ] - }, - { - "type": "Microsoft.Insights/components", - "apiVersion": "2020-02-02", - "name": "[parameters('FunctionName')]", - "location": "[resourceGroup().location]", - "kind": "web", - "properties": { - "Application_Type": "web", - "ApplicationId": "[parameters('FunctionName')]", - "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]" - } - }, - { - "type": "Microsoft.Web/sites", - "apiVersion": "2022-03-01", - "name": "[parameters('FunctionName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - 
"[resourceId('Microsoft.Insights/components', parameters('FunctionName'))]" - ], - "kind": "functionapp,linux", - "identity": { - "type": "SystemAssigned" - }, - "properties": { - "name": "[parameters('FunctionName')]", - "httpsOnly": true, - "clientAffinityEnabled": true, - "alwaysOn": true, - "reserved": true, - "siteConfig": { - "linuxFxVersion": "PYTHON|3.11", - "alwaysOn": false - } - }, - "resources": [ - { - "apiVersion": "2018-11-01", - "type": "config", - "name": "appsettings", - "dependsOn": [ - "[resourceId('Microsoft.Web/sites/', parameters('FunctionName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizClientSecret_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizClientId_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizAuthUrl_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('WizApiEndpointUrl_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceId_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('AzureLogAnalyticsWorkspaceSharedKey_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('EnableIssuesSending_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('EnableVulnerabilitiesSending_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('EnableAuditLogsSending_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('IssuesQueryFilter_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), 
variables('VulnerabilitiesQueryFilter_SecretName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), variables('AuditLogsQueryFilter_SecretName'))]" - ], - "properties": { - "FUNCTIONS_EXTENSION_VERSION": "~4", - "FUNCTIONS_WORKER_RUNTIME": "python", - "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2020-02-02').InstrumentationKey]", - "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('Microsoft.insights/components', parameters('FunctionName')), '2020-02-02').ConnectionString]", - "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", - "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2022-09-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", - "WEBSITE_CONTENTSHARE": "[toLower(parameters('FunctionName'))]", - "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-wiz-website-run-from-package", - "wiz_api_endpoint": "[variables('wiz_api_endpoint_url_referance')]", - "wiz_auth_url": "[variables('wiz_auth_url_referance')]", - "wiz_client_id": "[variables('wiz_client_id_referance')]", - "wiz_secret_key": "[variables('wiz_secret_key_referance')]", - "workspace_customer_id": "[variables('logspace_workspace_id_referance')]", - "workspace_shared_key": "[variables('logspace_workspace_shared_key_referance')]", - "enable_issues_sending": "[variables('enable_issues_sending_key_referance')]", - "enable_vulnerabilities_sending": "[variables('enable_vulns_sending_key_referance')]", - 
"enable_audit_logs_sending": "[variables('enable_audit_logs_sending_key_referance')]", - "issues_query_filter": "[variables('issues_query_filter_key_referance')]", - "vulnerabilities_query_filter": "[variables('vulnerabilities_query_filter_key_referance')]", - "audit_logs_query_filter": "[variables('audit_logs_query_filter_key_referance')]", - "debug_level": 20 - } - } - ] - }, - { - "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2022-09-01", - "name": "[tolower(parameters('FunctionName'))]", - "location": "[resourceGroup().location]", - "sku": { - "name": "Standard_LRS", - "tier": "Standard" - }, - "kind": "StorageV2", - "properties": { - "minimumTlsVersion": "TLS1_2", - "networkAcls": { - "bypass": "AzureServices", - "virtualNetworkRules": [], - "ipRules": [], - "defaultAction": "Allow" - }, - "supportsHttpsTrafficOnly": true, - "encryption": { - "services": { - "file": { - "keyType": "Account", - "enabled": true - }, - "blob": { - "keyType": "Account", - "enabled": true - } - }, - "keySource": "Microsoft.Storage" - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2022-09-01", - "name": "[concat(parameters('FunctionName'), '/default')]", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]" - ], - "sku": { - "name": "Standard_LRS", - "tier": "Standard" - }, - "properties": { - "cors": { - "corsRules": [] - }, - "deleteRetentionPolicy": { - "enabled": false - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/fileServices", - "apiVersion": "2022-09-01", - "name": "[concat(parameters('FunctionName'), '/default')]", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts', tolower(parameters('FunctionName')))]" - ], - "sku": { - "name": "Standard_LRS", - "tier": "Standard" - }, - "properties": { - "cors": { - "corsRules": [] - } - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": 
"2022-09-01", - "name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-hosts')]", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]", - "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]" - ], - "properties": { - "publicAccess": "None" - } - }, - { - "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2022-09-01", - "name": "[concat(parameters('FunctionName'), '/default/azure-webjobs-secrets')]", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('FunctionName'), 'default')]", - "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]" - ], - "properties": { - "publicAccess": "None" - } - }, - { - "type": "Microsoft.Storage/storageAccounts/fileServices/shares", - "apiVersion": "2022-09-01", - "name": "[concat(parameters('FunctionName'), '/default/', tolower(parameters('FunctionName')))]", - "dependsOn": [ - "[resourceId('Microsoft.Storage/storageAccounts/fileServices', parameters('FunctionName'), 'default')]", - "[resourceId('Microsoft.Storage/storageAccounts', parameters('FunctionName'))]" - ], - "properties": { - "shareQuota": 5120 - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json b/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json new file mode 100644 index 00000000000..83e9297b4e2 --- /dev/null +++ b/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json 
@@ -0,0 +1,147 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "description": "Provisions the RBAC required by the Wiz Azure Sentinel integration (ARM port of wiz-azure-sentinel-integration.sh). Deploy this INTO the resource group that hosts the Log Analytics workspace. It creates a custom role definition (assignable at the subscription) and assigns it to the Wiz service principal at that resource group, plus optionally at an existing Data Collection Endpoint in any resource group. Resource-group scoped so it can be deployed via a Deploy to Azure button, the Azure portal Build your own template editor (paste/upload), or az deployment group create. ARM cannot create the Entra service principal, so its object ID is supplied via the wizPrincipalObjectId parameter."
+ },
+ "parameters": {
+ "wizPrincipalObjectId": {
+ "type": "string",
+ "metadata": {
+ "description": "Object ID of the Wiz service principal (the enterprise application object ID, NOT the application or client ID). Find it under Microsoft Entra ID, Enterprise applications, or run: az ad sp show --id WIZ_APP_ID --query id -o tsv"
+ }
+ },
+ "customRoleName": {
+ "type": "string",
+ "defaultValue": "WizSentinelIntegrationCustomRole",
+ "metadata": {
+ "description": "Name of the custom role definition to create."
+ }
+ },
+ "dataCollectionEndpointId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Full resource ID of an existing Data Collection Endpoint to also assign the role at (may live in any resource group). Leave empty to skip. Format: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Insights/dataCollectionEndpoints/{name}"
+ }
+ }
+ },
+ "variables": {
+ "roleDefName": "[guid(subscription().id, parameters('customRoleName'))]",
+ "roleDefId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]",
+ "roleDescription": "Wiz Custom Role For Azure Sentinel Integration",
+ "actions": [
+ "Microsoft.Insights/DataCollectionRules/Read",
+ "Microsoft.Insights/DataCollectionRules/Write",
+ "Microsoft.Insights/DataCollectionRules/Delete",
+ "Microsoft.OperationalInsights/workspaces/tables/read",
+ "Microsoft.OperationalInsights/workspaces/tables/write",
+ "Microsoft.OperationalInsights/workspaces/read",
+ "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
+ "Microsoft.Insights/DataCollectionEndpoints/Read",
+ "Microsoft.Insights/DataCollectionEndpoints/Write"
+ ],
+ "dataActions": [
+ "Microsoft.Insights/Telemetry/Write"
+ ],
+ "dceResourceGroup": "[if(empty(parameters('dataCollectionEndpointId')), '', split(parameters('dataCollectionEndpointId'), '/')[4])]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "apiVersion": "2022-04-01",
+ "name": "[variables('roleDefName')]",
+ "properties": {
+ "roleName": "[parameters('customRoleName')]",
+ "description": "[variables('roleDescription')]",
+ "type": "CustomRole",
+ "permissions": [
+ {
+ "actions": "[variables('actions')]",
+ "notActions": [],
+ "dataActions": "[variables('dataActions')]",
+ "notDataActions": []
+ }
+ ],
+ "assignableScopes": [
+ "[subscription().id]",
+ "[resourceGroup().id]"
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceGroup().id, parameters('wizPrincipalObjectId'), variables('roleDefName'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]"
+ ],
+ "properties": {
+ "roleDefinitionId": "[variables('roleDefId')]",
+ "principalId": "[parameters('wizPrincipalObjectId')]",
+ "principalType": "ServicePrincipal"
+ }
+ },
+ {
+ "condition": "[not(empty(parameters('dataCollectionEndpointId')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "wiz-sentinel-dce-role-assignment",
+ "resourceGroup": "[variables('dceResourceGroup')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "parameters": {
+ "roleDefId": {
+ "value": "[variables('roleDefId')]"
+ },
+ "wizPrincipalObjectId": {
+ "value": "[parameters('wizPrincipalObjectId')]"
+ },
+ "dataCollectionEndpointId": {
+ "value": "[parameters('dataCollectionEndpointId')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleDefId": {
+ "type": "string"
+ },
+ "wizPrincipalObjectId": {
+ "type": "string"
+ },
+ "dataCollectionEndpointId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "scope": "[parameters('dataCollectionEndpointId')]",
+ "name": "[guid(parameters('dataCollectionEndpointId'), parameters('wizPrincipalObjectId'), parameters('roleDefId'))]",
+ "properties": {
+ "roleDefinitionId": "[parameters('roleDefId')]",
+ "principalId": "[parameters('wizPrincipalObjectId')]",
+ "principalType": "ServicePrincipal"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "customRoleDefinitionId": {
+ "type": "string",
+ "value": "[variables('roleDefId')]"
+ }
+ }
+}
diff --git a/Solutions/Wiz/Data Connectors/template_WIZ.json b/Solutions/Wiz/Data Connectors/template_WIZ.json
deleted file mode 100644
index 9d7cc19db27..00000000000
--- a/Solutions/Wiz/Data Connectors/template_WIZ.json
+++ /dev/null
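Review bot: The custom role's `actions` list includes `Microsoft.OperationalInsights/workspaces/sharedKeys/action`, which lets the Wiz service principal retrieve the shared keys of every workspace in the resource group where the role is assigned. For a push integration that authenticates as an Entra service principal against a Data Collection Endpoint, the `Microsoft.Insights/Telemetry/Write` data action looks like the ingestion permission, so the shared-key action appears unnecessary; if the Wiz onboarding flow really needs it, say why in `metadata.description`, otherwise remove that line. The first role assignment is scoped to the whole resource group, so the DataCollectionRules Write/Delete and `tables/write` actions also cover rules and workspaces there that are unrelated to Wiz, which is worth stating in the description together with a recommendation to use a dedicated resource group. `dceResourceGroup` takes `split(parameters('dataCollectionEndpointId'), '/')[4]` without checking the ID's shape and the nested deployment sets no `subscriptionId`, so an endpoint ID from another subscription would presumably be resolved against a same-named resource group in the current one; the parameter description should say the endpoint must live in this subscription.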
@@ -1,133 +0,0 @@ -{ - "id": "Wiz", - "title": "Wiz", - "publisher": "Wiz", - "descriptionMarkdown": "The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel.", - "logo": "Wiz.svg", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "WizIssues", - "baseQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)" - }, - { - "metricName": "Total data received", - "legend": "WizVulnerabilities", - "baseQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)" - }, - { - "metricName": "Total data received", - "legend": "WizAuditLogs", - "baseQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)" - } - ], - "sampleQueries": [ - { - "description": "Summary by Issues's severity", - "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Count=count() by severity_s" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "WizIssues", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "WizVulnerabilities", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "WizAuditLogs", - 
"lastDataReceivedQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 2, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "Wiz Service Account credentials", - "description": "Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz)." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector: Uses Azure Functions to connect to Wiz API to pull Wiz Issues, Vulnerability Findings, and Audit Logs into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\nCreates an Azure Key Vault with all the required parameters stored as secrets." - }, - { - "description": "\nFollow the instructions on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz) to get the erquired credentials.", - "title": "STEP 1 - Get your Wiz credentials" - }, - { - "description": "\n>**IMPORTANT:** Before deploying the Wiz Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Wiz credentials from the previous step.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ], - "title": "STEP 2 - Deploy the connector and the associated Azure Function" - }, - { - "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-wiz-azuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the following parameters: \n> - Choose **KeyVaultName** and **FunctionName** for the new resources \n >- Enter the following Wiz credentials from step 1: **WizAuthUrl**, **WizEndpointUrl**, **WizClientId**, and **WizClientSecret** \n>- Enter the Workspace credentials **AzureLogsAnalyticsWorkspaceId** and **AzureLogAnalyticsWorkspaceSharedKey**\n>- Choose the Wiz data types you want to send to Microsoft Sentinel, choose at least one from **Wiz Issues**, **Vulnerability Findings**, and **Audit Logs**.\n \n>- (optional) follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#optional-create-a-filter-for-wiz-queries) to add **IssuesQueryFilter**, **VulnerbailitiesQueryFilter**, and **AuditLogsQueryFilter**.\n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n", - "title": "Option 1: Deploy using the Azure Resource Manager (ARM) Template" - }, - { - "description": ">Follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#manual-deployment) to deploy the connector manually.", - "title": "Option 2: Manual Deployment of the Azure Function" - } - ] -} \ No newline at end of file diff --git a/Solutions/Wiz/Data/Solution_Wiz.json b/Solutions/Wiz/Data/Solution_Wiz.json index b7f25734adc..633b728033d 100644 --- a/Solutions/Wiz/Data/Solution_Wiz.json +++ b/Solutions/Wiz/Data/Solution_Wiz.json 
@@ -1,25 +1,25 @@
 {
- "Name": "Wiz",
- "Author": "Wiz - support@wiz.io",
- "Logo": "",
- "Description": "The [Wiz](https://wiz.io/) solution for Microsoft Sentinel enables you to ingest [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel using the Wiz REST API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\nb. [Azure Key Vault](https://azure.microsoft.com/services/key-vault/#overview) ",
- "WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. 
They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
- "AnalyticalRuleBladeDescription": "",
- "HuntingQueryBladeDescription": "",
- "PlaybooksBladeDescription": "",
- "Data Connectors": [
- "Solutions/Wiz/Data Connectors/template_WIZ.json"
- ],
- "Parsers": [],
- "Hunting Queries": [],
- "Analytic Rules": [],
- "Workbooks": [
- "Solutions/Wiz/Workbooks/WizFindings.json"
- ],
- "Playbooks": [],
- "BasePath": "C://Azure-Sentinel",
- "Version": "3.0.0",
- "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
- "Is1PConnector": false
- }
\ No newline at end of file
+ "Name": "Wiz",
+ "Author": "Wiz - support@wiz.io",
+ "Logo": "",
+ "Description": "The [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) ",
+ "WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. 
Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
+ "AnalyticalRuleBladeDescription": "",
+ "HuntingQueryBladeDescription": "",
+ "PlaybooksBladeDescription": "",
+ "Data Connectors": [
+ "Solutions/Wiz/Data Connectors/WizSentinel.json"
+ ],
+ "Parsers": [],
+ "Hunting Queries": [],
+ "Analytic Rules": [],
+ "Workbooks": [
+ "Solutions/Wiz/Workbooks/WizFindings.json"
+ ],
+ "Playbooks": [],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel",
+ "Version": "4.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
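Review bot: The new `Description` promises "least-privilege RBAC" and "no workspace shared keys to manage", yet the custom role added by azuredeploy_WizSentinelIntegration.json in this same patch lists `Microsoft.OperationalInsights/workspaces/sharedKeys/action` in its `actions`, next to `Microsoft.Insights/DataCollectionRules/Delete` and `Microsoft.OperationalInsights/workspaces/tables/write`, and puts `[subscription().id]` in `assignableScopes`. An operator who approves the deployment on the strength of this text grants the Wiz service principal the ability to retrieve the workspace keys. If the push integration does not need that action, remove it from the role; if it does, the sentence should say so, for example `this solution grants that service principal a custom role (DCR/DCE and table management, workspace read and shared-key access)`. The createUiDefinition.json description repeats the same sentence and needs the same change.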
diff --git a/Solutions/Wiz/Package/2.0.0.zip b/Solutions/Wiz/Package/2.0.0.zip deleted file mode 100644 index 56d5b9d88ac44e19e10a64333caa7a8d60831035..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7141 zcmZ{pWlSAVv#y~~+`quQ8H08W?snfDfjSG96nw?iwx!gw1kB{HeoCJu>pD-lsk z@}Xf(x3D*HKCpPOwD!tADO_nB)qkT7AWR7decqy(Mzx6xe7s5eD~U+g6m6vpP+Yk8Kh3ybfCynVCTVf$Pg7L*<4t&yxT;&JmLI*TJdI9E*(j zrvcDuq5gCMR>7n)X{M1*O5eOji?P91D+P$IYfYDy>Dqx2IH!}nQCP?2U$PS`^OYhRV*hSOnDo7 zNeUlIlQXU@5wCy)t`Ff@O?qM&I@3KrzJI8x^=Jb4T-ExzQi*b%l4YenNkyTisCO-c z%)n+Q9oz)03UFev<6EfQp>=DK?(?bXz~5%q?L)B=QQiX#g0MGjIw>W*tciY;R&(Mi z(p7U(eB0DX^**y~sDN`NI^a%avgg%s%n<>pj#%hD zwS?3%rMz%{gr==K$c#BAwcd>4`zZbJ3)%@c=;r{n)C*=jg?ND z;P9$R*{zr#(n!h;O`rE%U9WEHuF{qFa2d={2LfB`Q)eC=0`F^)el2KP62=)+lYs4g$$ zB9L18kYG1Ga>cfNvSvUrHDgpCfZ*XDk9}B8J2hO3K=s%9=NZNefRrww)Jc9q{0#Uy zMi>9Gy$Get^))GeMNN0%^5o*-1Ovw(%S(pmfXN4Ss9-Ifc^I!RaI zxQ`uaES82G?`jCBpn>LkNtYY^Ima~j*E|byx12#PXBbT!N*mq5PNbFZm^=>HW_aKr zaZXJGQqyeFHd1du*6tPtG?k7DO?-H%1a4`fy~&_lR-CnC0W>Ss^53Rrkn zC=(uF+Qu17Mnqo@Bk!3#qLX;P+zAWpe%(WK>5R3!u1qA@V>ba}e6KfHoqg|Q;%6Ly zM=%HOo?E_cmgq>e@PssTq$>M9f$8VGA3lcTqryeQlc#zJ+F_*nrJcF|V*O>f=ad{z z)ko*+7M_(0CJ8$rTnb%^hBKfiW4LAvB%0`*`HV{^8`dh(e>@kZ^Vvd5q~NrQh=mI< z&qwQfCDr<#+gsnz9c8)uMw49eUM^+lD&nH&3g>GchJNo!X`)gh&FUqK9vS_|*)T2} z+BS7NQu=`}C|mS^6d~YmavYAT1Q8Cb2dq}lT&`F}izcN>GaGX}y zaktfd{$WIL`sIU4tluKz9Vrfv64bY*{~AuGU;S(hdJdZKmR!m;mmUh49bJuBkuNTr zq~7D&|+3H^L)Vs2P-S}%9 zx?h)pQyS~&BU&Ow-(&B0K$|aAAb);@Yi8Qz>(0T>sw; zvGRRufQRL0vU|Vi46>IPrK>P}@x;7(L9Ea;u`i z4s;Y3+#9AQXTDn!rOCT>a;Q3IDT&Exm4n-1nP?L-C7^nU`YHoQ9an;)BiDQ?uK_3h zs1*E1{RWB7k~g@l-`gc}`kna;*&9FheVnGULMq%-e6m&JVsp3C!NR__dho8yckWDv z3_%cr6kyOCJ(e>ZD@KZ#Qg&vd4CncH!Sd`=yBgr-G{tT}C_RB0O{DzfJ+3S8)s_IG z{6UwjfGVail=Cbio5=z@2GUM>{5j_t`k^U3u%Jo-M;R!s9yx!6l_{(?s+G{QD(f8< zm-<@ucBPH3kzy_Mo{9^uYme)_%I{rF@$_Ow`A%+I5ou>QYblioFB=ZlcJAMKpYM}& ziGhLGmhiP^F5PWV zBn` zy0>__tX( zxuuGVJiBn&P&!jgQl-hbm^XZyjq!~v%2!OAM6=Z(vSzlWW*h|pL`r4f 
z9&8d54;+7i9K24iJijKCkM=u`<2n+i#v%zA{QXmD1QO-S!p#ul{nSODDQzD4Q`qir zVk6-%7IX0Lt}$hXcc87y^4YGRM&=JbCB#rlyq$)G1HfjsBzPB?zfxEgsd97IN^V4; zPTv_&lx%92q&rfQMAqc2ls>SnVbI&qQs8F;jeT5=qT|ErL!z&I`5vr-m}Hb4dgsXL zX|H|}84}0A9NtI!P9$)3OhU+`5gvww9cm_UUnGsJ9%(aT?@>#D)EY_7$8+F1sEzV05>Uq^|Z-N`~Qizbd{Oq8GWK8e&vof z$3&A*oHuYc;1q7{`M4NeM3q&V)p5Pt~GryuY951NV z&K?q;dBye41!o#r%wfL^tp@a<@b##B*btw<#nLp6FU zgmrPLwunVyek#qRS3aoWUc5|yf5QlUd7VT8dF{l8fq^B*z*dT{OvDrR-kD~A=!oVO6RBW=M5JG&E(0W8 zh5?NPvF%Ik{szmr)WNXjw-j6PFUSe@Q4eb|k(E?0a9Yfh&Zr>j#o1`~0gfr}c82P3 zR#N_ztrl~XBUo9^H*C|b5n1K&Af8OCXx1S69W7N-H9Tc_5;8My2yqhmo-gywK5pB< zA2n=l8u5#G`5_d%?AznY&8gtbCNVLlF(MFFc<(fzlllQ^Ll0$B96#w-z$ zY2I`s@>zX%QujsuD0tF$W@uF-b)$R&WVR5HKL@d9nSuN!4fD=TRF^H~$&l$fKG}D0 zYLWBe&fiX7XsR~gNl6vDT(3uVu+K7t^U0u*R4b&1Qi78dW0P5H1c(utj_D|&Ht{aG z8CyaPd3Id)js(p@iv_~Vt)dNR#CnSEuQ9OSvJ~#)BOYw*X9;0{X!s?x5mi3DW(E>N z`!=;Qg-iPv5oB76GISshjKt}S z{F}IXd&90q_8N{FxsifMC&^c*StKuR@i)}e(Iio@C6wXAk)v0XQXbWkNH8hMpB0iz z$rp;yi4Q5`8U27r__A^+FcLxJqBmH1jE!ZiYx;h+hJ^b+_i1*rY9y0K?s6{AS=U{M z(h+-|E8VR^b2E=Uy1)55KUt8WCPqM@RK0(5!2HQM#$C6$yoaoLMy!F*!07LB)7}GV zf2G#{q_0Az(20CFS)*@+ebv>SP3rPwE$rj6<|~n$6R4zVH!qB07`Pjj_GI0|dY85X zHwtGzyh&WrB{`k^ymZQp<`qwL&+cs_Pz{c$MdNp$=&^!oGvRRSy(OpwpA_EznZ*g(<0z`*`M(Iddad|z8_)nW@vK| zcV0>Ps(v9eq>tyt!gkF-BQd}yr^t0^9F|L={LQ7fwB1P;x$H(SQo1OHqi+vxAW~FN zVH;ftGF(q7tQ9&W?6vb)rj_HsMY-FtU#~+k)-Rfe4O{Z71@7G8&KxaXCV+fzQb5%k zc zc}Fp%v-P-^`iN^4n1s?kjs1Slr9J}NI8G6&dt=D-vuv}rEdSZ}Cmhf1eZ*%B8O@Ha@a1-+hCnn|;=tL2iu|x^NlUvBrfcHTL*|F#zm*VU z1=o|?8|ZsLN4bMN+_V&09r0T(R8 z)!$t1(_A^1^B+K;w_ez(IFIy`q|8N1Ta|+FA20za>GOA!$L?_ytO_S=d@xhZFnyv* z`P{*B)%ci{TL`_GHX2Hwb#*+f2$nFbDnag(k> zsomm~!8HA*d{ggqJ5->%{n-)Urf07W-v$A{vsef?O3LeDO<>dgTZ5av&+@QBIS1Eg z_qd-12D-+pKe_g6;j9tGF!d&m4r@u91!awrJA4u=czj!N2i0ABE1H78tIHLC01A0Z z@hwyg?L%CDcx|Zxq^o4k#x(R87;%%E)sJ6PoQ=T}x<2+{*=VQGUs_?KHJf#j^i)74 z5l`MXj5)pQ+e7oncX;qkHPtJ@Zn5N?2?o?8g>>i;>qyDvPb!ozOVK}b647uvR1$|# zzWn$ufE)iZl7d`hYSGl;lk9kYD 
zm;Su?XK->HUwmqdyqg7M`Qn?f8_eRVzJ9^sc%kP8!95vU4fIydtPd=t)S@oJO_zyt?X{GKI$Ph9;50%96XIB!6xUg4DeV zi4D$@UN5Wy2&cty@POdj_SCw|-MbKh-}gb{S6i0*0WcOl?e2P?t~UrXwg?lqI{U!& z>5f4iKd8=og17JG*JLp62H&c1PEQkW76UdA0D+#7Pwk@NPW!&if#(SqkH|Zl4zb9T zE0+u*{sjTNPt*QV<;wu)8MLU2O)@*#++~U>!__;!UMXEzIpnqd$K=KwYkzFS@lUDS z+TR}Z;)y+}hE5ZAWiD&v!doRn4O^d5pePrkf^*6#Uv{sxnMMzwMOCb2`*TDfAsy(goFl8fF2 zl(fzzZTnaA^-BXwqJt`9p5yp$RrWd0>w{r6JV-s)#x)1_V3N|e-)wHxt2>Y2;pUU( zMc+vlH*Mokk55qA8`l2JHu=!%Hwb-_W>P*P4AMWdn;@~N4c<;gx4yt}ltTx&?Nqv)O$EA75hYhg1PI{z-eDDb zolWR1MHI*z!KFk>XZP>1NIJR0=T`*_Qe2`x>3z?2+vGQly%IY3FcAbZQNuU{^aav} z5gH@ko@zuCaC6)bv+}G07Vxy=S79w38AFt{;5AT2-HF?9q;Y`#``LEG8_JMz8R6?Nw}4O4FY@{Gx-Au*~5 zLdX_LVXsL0KrxIE99!`LDL_KQ0=l(XTjc#71rzy7S_B8d=R}YVwH@so5lXlaJ3w;{ z22s@`>ay{H23Vp0nsgyiA%_3#akrJ8uw{nBihD@_(v04~tjK1P(pHBi*?b*YAb)`& zpvn%V7AYS!WifsuXDs**pE%u;_yLL6j0E82eh@YyA{wGC)YODoHN*31ETZ{|gfYI! z>wvypgcZ655Vw%*C98Mg(i#ATeub!l>f@+*M`bPKc(!bb9j3q3!$}+)%c)&H%=OaK z7WFQap_JJX@opvI5Y>?9e2YJE?Y`%0G9}&fYi;$W619PL-Q!4P8{h8%H#aEgGJh2X z@0+Nv$2q?59(Q$*Nyk^dRtJhS@%8i+H`%<_vSr@qJ-uYO{LXLHX?9S1_ATAF#{ z7-M+7bA7`Byyg1$pl+AZ2L^+5vyZl^p-6;<+Th?b9=771eA$M}l9-1#d1flFx3XR= zmA_51xQ~_OqP}jct0hK;Oe0w&87cdV-=g*R%+hQ=t_)~(Ty2zLc*-TArb(`{m%Xg= zMNA)hg=OIy!8IM-v$0IG#`MEG@~BXJEs!G9&M~Ov93lJYyp$0EUF=N1n&2Tol=3FP z@t&x1f6BAxmsaW@7GXH91IsP<9_&s*3TdB&LgZC&J2W@TOszd>fgRH#k-FVsHA62O*($T z#fn3#7pD>w^pznM%y!11TUCoPKu_VZ!n%wku{Q<+BX~}xiw;>1{*2%X-}GX}DxrQO zf6lg6-j#(w_?})rfJ)GxaG?HoGwq)u2L%m9{-5;k{4dtp|KH?)()9lG^}m{Q|MTho Yo5BZF`V9A94VV%yHdC$_QQ-5-m)wcTCS)m>fv z`>FR;l81uE1ONcv0XKn9TJyIpTu|Qu08Bgp0Ovnj6DLz67gKdh2~#smJ4+W!dpjm8 zXM4LTtuwogQLImc{417O>^e%BVxs)jev1}|{d2DJ1tc5$!2a7fG~VP=Vy8BCaXL9J zk-U<)Wg4)1C{67O1326DT9X|EzM48-%izZ z58hN)HRp^m72=u~BSld)@R!3s*H#X-egY!~%mjxKtp~p2(6WBf@8~3!a8U`<=74edo8#rp8_dJ~Qc_1X4ex(4YSKC9?j)0l23q^%I$Y}+s#xky zXvLEWNMv9B_y$R4z+sVVJFs=l)7y%-p|4I^u^Q{*b#gZOzHPh<60eBWEZ2B`+9fbH zfbW^tBksV--O7QwebF+(MnLvfY=${GaP_2y4IR2IbW(=vFFKuqCymO$LLT$tvpl~q 
z*v?1rS=Vp(mBPiJrRN`Q$PI|s9%|FymBZXr>F)l8q=?lr%k0BxoB#fFW85_zcXvqN z68!Cz#cF9g$2CC$;3rrgSGXvBm@l~wKJ4c~PFK!PMzGYr=#M`9P%HUBggL+>Gn?9md6Gnv9|82yfcGf{HN7}n`*~{-(8wnP zBrscs3D(+uJ)I|*w!3b@IY7U0W241b%12#$$);(JCiw#tEKI1~L(5<SE8Uq{vKfHXGCg7dhl;1L7hP$xIQlV!H%d;j1 zAw|m(OM}P)SUK)4RdYlOA%dOmXkm!xAzP6gAQFWvlj;%eO-@_$BVWlsegVK%t1q$6 z_os&?8IHJ)-@xwtjXX-=Q+U6ag#ZtZfV$cHIY#P@(txI9+O+6y#&~4gsqIlB2gR6s zC*E7W%${xmOy!>4J*!PkUKUdVbmcNx0Q1`tr|JkN(^LL&r)nG1l2ac|>u`Y5I(3D( z(%6EhKF3*JnQzJ+;pX;%e$Gw4E3$fO(Q0|~u}0se!aV7h*o&DXfTLZgYO|KFdnA0T z7XrR@;AI<`wA((cO4aC_rh-fc7*#Bsfw1u_%i^(X;2H#uTj~Tt8K?)v#14$gl*v_%x)hNdo>bhNS9EFF zqU`o{-bwT2;=+Bs4JvYkc{!H@uTc`mZlPI{Xr|lTFI*(Ax7%)s0JA}|Y`XQxQ@=_- ztD!&mb0S4kG;Hyhkp!&zdR^9HmVXZ2+HuxM99DR%fU zD#8)#5AE_;qg7hx(`-TVWIz+3=he&E_2>G9(S=9Ar*gTy!sGvZK&CABjO6XhSgFc8t5fhm{ac~ zZ-t;P(plRHi|g{ab|k9DX?1kYl8GGZC~Z;U!C+T%w=M7^qNuEWDa$1c$!E2ZJ-*Q%)c%M$SK5`*Jm&0I>u$?q7=2YuLa5Xn=z$Y zdi9>If2NIl{aD?k8<2a+=9sab3X2pLOg;Y?_*fW`ii>oG75(BY-BG8Svu$k)$zOtG zdL-j`fp7YvU4iEGN%%44%<8B1( zM=eb}wL|_GM-Q#5#XFo+0aDE%R)qu5ybFrlcCi#jFn&xQ?TrxFm!7Y*cR%=0JP(pUHedTXY*FVR;nuRUgl&T#nz zx<0UsT{MNG`N`i1FvbwIDw+L-%AP~={2-M6FK%!OQdbqi1^|k)0RXiBaD%OprJb6o zt%J>f=;417!-b%=^Cnl~POH@y6tMk=tm@q?#oGCgdaGvN-|F=yIaC`YlxYKaV(h;h z!{J2bQoCz9cASJSe8*h(MFS~CoQM;tavF3aLTxzkV=kqN=8$|}?()8CzbOi3&Q`Rx zNH0^%vhDu~3h za;ME0fS5L8m;WCWh8 zY<|!vNoRPHO#%@?7FB;Ftb$IcVur_{x9yJOe7r78jBck9ROc=^O0!FD!ava)U0Ukb zR=T}e9Mz?29Bz~eCoz9o_tpm&XTR#PDPW*0pQ`3jMo$V%N8l*_k#&M7I)Z!oC^;>5 z7cjCsdCIrEB58V3WPX%J%>3AmOMYt|Ge7C`U%EdxRxy1CHVM zjzN%(Q1x$-UCuzT@Hw#HtD(B+2DmK2- zdG=|c_bz$>h&=>gBAYwU-Dk)~4bEHbHVCiWpZ2BU79-`2W#vHHb4W;HG@JU?+M2hA z9A)cS!~YH3r9!KH)J3)Xc+CnwTB-wbR43zLE=;Sca@z7l2H`9ov{dwiEvtRJc7}zt zY4tb1Gfvs?-ToTnVM6ebcQ&b9K7f7G< z3AxE0XVvU(XgOOq#BQ7bczX*eozMRrMZ%fNf(hMdXl!nzfAa0tR*>J$zQx$0SCd>q zN};tISq4^<=UmW6BK1v_CCnH|^Xd-X*nK@# zG|q$ogtosq@htU|DoHaAbd9gO6HtnG-Q~`ZXdLLP;P6!J`v zA~yta6a6#?vmo-=49Wk=M^7(UtnGU4H`ffTpsDK}5^~;p?2p%Tbed8@bW)0gC4=S# zeS>ckpYE#$C%RjHM|=ns{hpY1G0-^()fTjff*$S(>LFxN+lTUjjhGFr5WRmnT!r9_ 
z?Or?RRZ0JuB?tDaTA)}Df({@(>Ar`P?^4QaO^>AwEk6H{g9qc{7FZ-#l?M=eWs?`I ztO7K=SP~$F6@~qJd=m%hsLbc2LXY+r(z5jK`Z|fclh-cxge5VYD~q^jgtYpu<)0CS zlD9Y2L%&;wfmUy;Mp^I_Mst@?b{=^QP7#_MP*UYOf+15jgZ5qc9`>x+x-^E3h>HAn zG5n3njmAhO=!Uh6Q9lU!pJha@GZM=fViIX6-k*l4(Tl;)qnaQdQ}Q5rk!Q?0NHcq~ zZ>KPK@s-VSuPQv7n;mM(iqZyGv5vX%Pm#jFiqre0|+WPal)n`(;_w=qKKxvBeA^jgK4S`R#?b zCAnt@HSK6t>k1vYdeIKl%qzA-ag&JI>^0KY+3ZhJ5pzV$`y>Xmb$EQy4f?ssvD@bE zYI6Ypc01#RyOV$^YXoA^rDYbQrgx`q8ZHuidHQWe-pCvxE1pLUz6Yf zIJ61A!(*Z7s31Iz?MK|{pMNU!!s)8D~Zv zKuhd&2rYvR@Dz%eDCvY5{xT36yDcieJ)?-tVnNgIe!J667X|s91(8Jwb`d1MDoNE% zA5J6!`p3_uK&rDk0mUD%1C?j>qfzDFIp~$)~PK9dBJ?Hf%`;Dr?}cQZ2uQW zuY2;)_$?P1mJl;3t3iFDbpG)=X2UJOCdK&Ivjub_qQCxQGU23Ix=KTQRVtqaW7ToT z5FpsT`LXYsij?x3C4IgOEJeNbP~RIaRZxmOF|}|U4>E>{8^)E&J6Xe`Ar!;SAACPt zfS1#=few%UItWSwP!xG|ct&MOGSHW|+3~bEP84E&#VO1K$%3&p1{Ao(1%- z>Zo8iEgiAK_F@Y70{^qWQDW7l$q?Z}wW$@oBa=Zg5|X&x3J*zVTM}nORVXQhnd3b( zvcp=9n{ib=P|D}sj3gy_bQCkM49_@s=j-hj^6Xgw$0xysyJ7omQP}gIWd3BN{Qen{ zJ>1@J)6Ic+96eDe4%hDWI9f$%9yx(=)F|46<&QoS7HSMmBx4hSlinzIq8P^5rctDE zaUtWlZBlqeEVRL$$_;3qp%NoL!(37n?XN&)fF>is{Xwh2{LtlxEr>-8nN3oMRLIZr za6n`hHkL&9-3Yw{iI{*-vsj(eh>;7eXK~UF*jI?$Ja}9XWTTfy*c^FA3=fMAS=>X zDCJcLLz$m$EsH5`$^tW8IHoXnu+omCVi~kRf^kql9BR7d-(zE70R~SF3|U7Zsr9wN zRuSuGR}2ro2^~C1&JycNa^kCnLHCBygp3fS!_5!s0kMW`xHRQ1o|xw)ISj1~U@ zc+5j&CVt}5aV>FNiK;9Ckf7k_C(1e80h9jg^tmNWO=+{Ziw-1K*;StY2w&HtMKx6#o8$QWu4*&E`oE=Jfmet^L+u%ACcN z{1}2nrlBEhq#qVAZpcCn*DlM}dF3*AUjUn8+DGt>m7qEFFC@{Kt#28Hm)hn+W!QC% z(%iwzTMBF}&*lEj{nlxn>zIu3^)85L`V`}uQEe&!x8xRqivGOEXgXz67#h!C77f#m zg^W)>9GLE4Za3~aNAz%jTzC8ca_SGh7qJSS+)p4Ij1GB&WTI1IkftfDWQMNdoh>K} zoGf`7Hgv2CX?0rNd4fBVk*N%-xrp~6@6Ux#;R_az$92zF5D^)mdoA1*V>PUBxnY@) zuse#^Q>joEw%C{h69#N5?#kdoQ&&<1qVDUV_oC% zxU)+7t*yoV8}G?rv&un4P7A&;!Q9&xpNeN_Ni;BY<%9RRy)o=P&@8fg70T%Nn?Y78 zwsl?CYaOJfmr`yxbEQJ-xRrsKsBOUHwuA^hrT_ zCBLE_juInwSeWv%GH&MhpDOIrHr6#XFl9$SrZyRK+E~3B4`pW#om(bu&i4x$4E91B zPV^!p!m+-krWcf!<=4@^bxZ@kbx!!aHK~fb z`q3b_l(%Y$8_qz3tb5-nW+LjA34OiBR3#p8RdP!5So80#=`ch6#=~-JJ=tyv*984? 
z;2tv5_@z#ym)i1aNC*O7wkZnA42IS=Do4%xMAdU_N{>;9JG0SU?McW|e^20w%Zk?! zlgqwVf%R*JUcyH8pmP<-fFNe0^@mDE5zirYqzX1SFQ+7}o%5oWOM}RqjClPh5fi#4 z?OVBB63*zAz2>$flqu0v)@OkHLxu^5@w&X1mI-g%*F7Iw$9TMvw zCLKPi9X{H-)~RzxF0WF(hpaxIm!&h@SLP&6neThx8-(kNf|9;g8NXKM8Qb}K-4df# z8GHBC?Pf)D_eH$spLH#qy_P*3r6t^rC3HwW+BIsAb3e!18}4u0)t^{n-v3v%%#YeL z_;}k*xC_q@YNiqE<22dy&^zT8NAr7%*WM9dj!bxJy7SsUq9OWxJp^^+wtCS&wYF!p z{xw+QKRt`2T-V?6#Yo#3w{Xt-iy~A0O0SRuv-r7%nWjY?Kj9zL9ZW$i{KkWzqi|Qr zSf?TQ1x=2wssM)$GX6+X7RO`3_VS=YC;nYme z^XnYe9`r9;G=BD=j+5!h2LBpsZ0=@%|3sJM2)g)OUekH9LF%tpMXm)xpoSoQZibA= z@$YKF_0{?Xhs{!2GXswY2{vwiJ$To6iG(Q~tz|p@(B!$JEEKMniu|NRW}Tvh5V^^O z`o;+@igyG8T`@jaKL7>!bSI#+84MZ&Pcx}dt^3do3wixj9DkL$&$eY3Qrd!fWH);^BXUO)X)e$k zP+$A2f^?pI{#z%wq^*KPsHmJ~;>6%?l=t7{+n1M-W~L@;`A-1~38OXTS)>pS_NCIw zZ!FZXPvc_`jt5iE!BiyDWbz*rt`G)O$#6V{_NSf9s+y&*qCm3PGP5JfrZ$Pa9tGWi z1O8*Os%vj@TYShq-$d9^XbywHk7kteGfw#2LZW%G!LPPJ!oFA%S5`p9i8^g5gc zdD#h*qB#^8#ZAZZpz(S2@I$xl7TDy!So2m#U?Kh`o}(ipk+=i$l}v)W+nBsy-wGb( zda`q>gnE93$TYNyj*TICEp&A2a77ghXZvbsJ`o!_fXPQ5k0V>nLzYAoiu#E{D$Twq z`;!m2wQvmO&4Re*0GRU%xA+V4!5+jW^CG=sXfcp6#r6&YEp6_qR1dUxXDng~!>ohT z$DD%B2^OCYFN=u;$U3JwlkO)w>@8S?Iy(B@1E7$$%olLxRoQ+S){!J{+ze_b?iyp9sqtUCeZBngXsk^buV|57 zJ<^e**&UdU%k`$_VzOS?G11Y#HIR%4v3Tu3E(Lj*osp3BgyJ}RI0?e_unc}faj|e3 zq^*!Zjto5>=_(dyokJsG3Jm+Pzbd8Z83pdREhilNG#ZEM%sqkoECp4sPK+=0LvHvR~V|@GuaZ5~g(a^b9X3 z$663pw92&>n+8EY@cP%1|3*8;(>Yg)($b>Iq$gg0O3hom6kUUMNQ+IFp_Aw_Tf!8@ z6SB@i1eI0%3(J_=a!%bntDJk)Xzf;mAnqG13~=r{+#^D2QhOT6SFH@7u(2iKwm@Bf6A7?A2$B^( zazb>cR@&7%Y|?T4xqgdmO*kR>sKX3)eP%U@XRJvn2@$+b0*}4R?{ZHyWLr^+BWR&o z90GK>VF2|y-xgT^-HaN_pX)sw&coo>+QYil8e2g?i4P9$g%nIQayo^;0{kCFNX+tf zkAn+^OnaYn^#@OTuGX-kD=lw53jTidhlSKARQI~M#v-UkU1sx-s*(Kq3-?1Eg->UD zwYN|an!(%8Ek*QUz!5eyEl!xZ!8FsP$d`CffHx5+JPAMLF6aloz;s7md#n&x5KF#; zH51GbVrh&>nW>u{Q8{cVjZ41f2a>x3g=rf{f&~I3zX@?ehic|nVy_y-3U6rZ{2ff? zfBvxH8n4h3ixBUnh|N$>9I=65{`w{s$&3Rh|F< 
diff --git a/Solutions/Wiz/Package/4.0.0.zip b/Solutions/Wiz/Package/4.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..98c255a714f5a934c247a1cced0c8325d1846b23 GIT binary patch literal 8058 zcmZ{pRZtvIm#rZLm*B3!B@o=*-QCi-1aI8k-5YmzZ8W$$X`J8?++A+|xlc1wbM~oP zwNIT|Py6AkwN>O{K4U{cK_Ng@=gt_2(8aMkB0xd?CV+y%`}b<tUG?G0oxW^xCKBeSYS-eB!Z7cpRjo`p`+FbUxl^ zo;g=*%qBc)x}AHb8e+P@%;EV9`$n0yce;LSL27H zpsT^4!8BK2-iA$JcefgPnCluYD%&Y)D$7`U7Rk_i&>w+9LP(U|S4IgHKt6AyD0_o~ zp3q$)4cOU2fr#m4L&&uH)fP$bE=-ye3)VHoK16gsK_u$ZWA$T}!w|vEIyktB#i^!C z_3B-y`xmD$4AMyZ0$7lOOyd)YwWn`_VQ$GxFw1JE^Gg$3ZM|b;Y0$+ovd5sqi!_@G znq*4@o;Ohihj5I7K3=&Db`5!3oS7krqnZEzhpyhqKWN>m3U79AM8b zJIzN3SFHepF=@~35~d4kc!jTOIO5LUyC1saNi<(MRKO(p#Tf{ z{%wM|OrR)5pK4eE_hezzx50iywBP{w_X{z3T@bQ1!!##7e9=U76)SeD()xA%ib_ZV zks8Ln*n3Zm3s(9d!ah^GM!UGlOxVq@DQ9t_qzv+|kN4M4qk&>Ec7L(b_S7`cJ(mG) zIyS^DULdi;GB*?IxiC%AWZ05EZP-_p@+640Op9x-f%Wpg33kDtSk}Og*(P;Qi>+Yk|)H@ED6$7veWhsnjpLz8~dN-4k4-;#~FswrNo)rY2I5JGN z@`=ydmNqTtn#;;CORD41)9Z9GUbU(hl9o5Ywfl0@T^kT_r)MDW){%P+JCryOi%k=Q zCY{ZBx6zveW1zpFtcvlaQSB_dqx6lXMa&hzdTd%5NhV{ zSg&^LiRM6Pba=7ZtR;gjb*8)hjnUsSQ){m|Q$9!MgWWa-6q#+|H6RdSI-%nBZ3EY`2(8U?q=CWnLHIC4nl`u9O;LeMLnBbI`p$4WJee z^AWx<>v0O{S9j#p*+oJHidG?GZSxm#W2c|F%~1r{(|)*+e1B=pBtD2;jvGCkMtqXe zokrt#U>Kdg(YrU0;g}A8_OuX06M~vqFggkOs@$IDWgCpPVR-YQKBB26Z8EAzz}I)# z@Q^D_8fAJ5Go(CNj=~vD{}Tff7^7fY)P&gq{3M15cEMi3mF$ReUEHRRWU8Tpz)a`Q zyQ27Wbc{Z5;>F-snzGL~8BFrYBX?k;_O^lT8|b5i}5?lo!8oZw~03 z)h*TZum<{7v{lM84Ixphf3Xl@mJF##a{?p!T#7=^$v(_T2yyYndj_m0rI7PN^v0A3 zfsMcX3<-5CKhs;n%YWXD7sDMT3znq0R?Q45YQ&csc?%IH4JV?>6O-f)Tlxd-fD)8K z!s}bpW>x7xF|qWWy&55FOF~b_$dkU+<_=>F1m5g~E)CV%mX2(@2bB_(Z8=lWn zU@UpH>3^YmmBd3w++Rb8Z&n55O#9$nNz3#p;RSmusIyRH*O7n@(?;nh4AuJ=nB%p} zJ@A<=uLWDQI;Sr)v9XbHo>UvN;a0a(N6PBg7W52O<(u)OtZ8I7^4_(J1~K6_-Cgc} ze6PYbbNA3r4eb_=_n-+aIERffo(i*A^vcN6?y{Wp&|=@*eYx$5j=w+5X5kEZldX)u zf;YBn=%_{T(g6{@(oqfFVdEHZtPJUL3pBxkTWkGK)vBg7Zf}{GP#7Lu17?qIg~NgZ z3k4;@rNHQf>IH-(BER%@U|=|l2Bmc3iG^^gzJ+V_XB8yy%m0oW1zhSk{OO1MppyfL 
zx1wXBTsK+*W9z8h#Csl8EC%cuXjw(7;&r$I@EWdGY$_g--cEFl!H@WH#&GnQrIyfO1L>``<{_bzh!@i9gE>JQD0c=MZkcQQ?v>)^nl^6!%o7-`60e**WT8yNlP zipCG0ho{^HB7E2F>q2hdwye?WCJ*>%PJ$DuKRhAGI5$VHHNlVA{`4WucZkBWOFKla zo|Wf{r+&w^c1KF<8$_W$RE1+Yu+Q`csbCr_@8Y_jfVaR~7M1@7Dd~kzmngVUP%ep3 zP#FIp#SUO?uVHTI`12pC{1={_8J;*3aX0?MlcNDaW?2DZHN25XbNLp%vGK+oD!w$# zx9^5rJTQqmsDWcp;+f6{Engax9ZBu-_B3FEx7T@#t)$0SE25?d3hY`yBCWNh8 z5B}X^*rnK#Lgu)h1Qf>|+-vs3MEWY*jfO%Ao2?e_mH+v(gdF+ypz1Lpb}G_lZ&at_ z^vKt1!9&`D>|WKw3#wa#ZPg23yse~9yK1UCfU5jq?9D$BmwIr6C2`c(g6lDv{BSgV zMHE?TUuwlz=Z1_)MAe|dQT{@IdpZ4~^@i?2mz*td%3RJgcLUt()&+K}OLNNw*j7)q+fbXe?+e~k@B zJTkHdQ7XM=n$(75v7*wyj;^c7IF)Q=I}h>PIf+qgs;UTv6`(KiqqTO97Z>E_vYoRE zC6SkMWV3lS$+(0529nT^=TmcV$4HEnQJI+?Eu=&(AOdWbOyT;Xn(oUSDgc0f0uzVw9G*)Ms9$r( zq9-9x1{Clw7=VtSvatVR@Z-Kl#XfH;DLi`i3>hQ>lPk08bA--id9#>4la~)Vdpc@s4ZMry))EAv8kuj$Bf*336R&l zp<##?yjo4RIyX`#h+5ICyx&62w34v1mA2$ncQAu6PUnv|sR|yfE3F+F<1l39=r@X8 zQB!&AE_hmscIUJ$f{?Od<>w!~B3 zrdXf@kW0W_`~wE%=`ifIJ$C%K<5(7iyC7Et$a=3lfW!$-klNnPXRpY+4CB&S6}F6~ zLw+7G=(MI*$xBJsdnmO=Z6Zk#a3d-M!#Y1 zG*Ba_n?Rj7lt5jnzLA>YKrn2CnN@xq%n4`b$VOS9)6~nV&2%n z0knuS&^;PpHS$+OveaaixR5iwNKxq?_GSbC5q_^D-rkIUgWWWg8%n9@lkO-E$pF{_ z1gml#n^3)uSdOL39zF{7%7l0Sq*ly{3(8Y3_uSo&&K7ezF_!v*d# zK}Yqa8CirY9+xlSc$CI8^4^hRzcEo@MS+cB-ZbaVbCHnp-0qA7dS+lk08inSZ_mYU@ z0nxfVxPHXYf$8hWpLg;7O?-;EH%s++%$Y;U&DPDKulUJfdr;|z@!A6@n@JoAofhIS zzvHS|_k*E$X(;ZtK+{w`Y+Pl?c&0S!ZuZ!iwN&M-szaol--M{uctuA`C(9_2>OS0n zD3gPudoGHVgz9MaGIM|b@-?t3hT%&I{RYy16MN1R=QA-lUg-lMpQ~j=B3O5tP!bcg zrsT>DV;%gk3VhsfUb!5S8SGz3T~PHbP?ZU~`jFxPPM3j-)$Mz;&UZp zAL*XDvk2AVf$RHErBUd6&oEQ@TTDuthpWd+zM) zR3sE5bgDYW-t{(l{dPpT2}0+mGrUs+t^Dx9KWfEBLD5-q871>`$MvV~78K3ifQ1Di zQcJMPYj6jWT30}@n0&a1l!=SO+8RTiSU{V5ww^)0!DNsoQ{=`d$K8fdB2v1K8xY5@ z3p6u2CpF1AqN?B=NTkiVFw_PqnyXOdzCU-RWYH^uXL~Mv@3p^N;Ub-0PS?j-bjt4s z`KtaO%t6-}pD&(~vAbt154JW+cj(SWIvf<&a2?)cYVRcjO$($K9 znckt3i2W!B*{+(1@#5rk0Xz9Q`yc0+(mEsHdv z>X3cQ^lkl?teVpO?Ww(M6@&{1t^;H30J!vuAygr_oeyKu$!YF=!E*Xyl*GNLURJ zetMR6L>wt7BDpWamH~*EMA#aW3=fFleKmX4MO9w4Q-^t`J#)i*7KnQ!dHH(1<)h$B 
z#s!|0Vc&V7JLth@B^_95C67@UoV3jDPk7#edw-kp2VA1@&jEx9)nVU~JwQKE8f9j1 zkW0h}ejo{m9Rg#o&WwPDi`jyxoUc zRkTUNLa1pTc!>|rK?+^EY3 z%A-BrG^d%`jBIC)Tl`V)_vTvTu4x6QPDAc7n4Trc1&KMq&H6QV#unid-V5(DuAikA zz9*hG!vz~$Wd?3NXFyZVpD(i7$-&4*k9j(*YiGxtx~p_c-$;*NfAF5SH=g3$yvdgW zl74p&nX|~N(6qQRq)E#L3lXRZBeN^g)QuZ3>5!ZCD~^24*tVWv+?biS?P)_*++qfa zbPL5R2i-!?SvI)&#`yw&P|X@OuN`U>v?Vzr(C75!Nt41QMwPkHWezu6EC04PwlXdu zVakO{QyO~xUO(TzFUM%N7V|WZyNrY1rL`EHm1IUphE}_KG%1nDS25~H>-r1eRn3DN zVJJS#%;D@YwZ{MLJXx+{!lOjPqS{k2YMr6A@*05B)S zX2)n?$7E2NuyEV{9c}=~yE;K(n_TScL^P!FsxhzGE@G1hnMg8zN9Z7{+#kTLfJ(w) zO?8lGSmV*NR`k&|vMVSqsT`E^uDx=mH(4M*bG2%#`55@LZ|@04H^KU)UWKi#FKY^I zlTDer(eU2rR&i>yz(?K;yVQvUynhF;%K6y&ic?2GG@*MmWtN3=9D17|EZ6()m)rY2 zotu{0d}SrRz*VA@=e^@v(DN1$Z(pdbBc6|JZM2Q+p(4*_YKbgF!#+;s9c6Sc^-PWv z6Fk4iBu2`DN>Uq+;vb6i?;aNP-yQuCV*=nbJGi7cxBxE-Ge#=uHuq;cCkouO3&4nc z?(`bxYF6u-bVj(You5|SU{mZYv@=>FQy<&LqxqwYAN{u1aTRwkJzBjZO!ZBG(Hy&* z+ly)V`t04{GM;9e{hwj{wJ{zng9J-k(I4tgLk>hrif`XS`cs(PPkwxBL&dF_xo$&( zxMls2oG08Q)VZ(=w81Es4Av?Xv7O6Xk#BLenxUbaX~fFD%jdfw0lDB{Te9CCV3tpX zT1`pPO~D>bK9BmJXZOJQ>VCyz%>PElH{R$dpfQlPKb!IePBIfKUrxLkofKg@Xp|j^S%5pgayG zhvM8-WRNt$*{*$e*|U@xHBVyZoDjOtY3f#I(gl@(<T; z2DDuzIEL)NSnbs)ag`d&yV)WxzU>hF$#3c1AfP(N6DDjv;8h)3*KH_lnn%^=T^Ito zc4-{N$(F;_DCY!f^&oW!xkCCn4ECOCPvvu>|M26cEwqwyrAZE7j89Z+g5|2-x_3@Y z_?8BCPwAHp!L}$(Ea#Nc6W01)@N9olBT8Q&g$I#X*_N_ZFFjO(ng6B~t}$?zKYcPz zn1GgNU-|rtC9`b!`D`<{HjTTP!0Uql@b0e;=bytmvQJBkemif`5=;_{cF3Dxj(M+N?hht5y+Vu(*cfW!glr%Yn6Eand zJZiz({5W{Db$#ETC={hY$1Dw76*;Iun!c=+Sty0pbw;@6(d%ovbY+jClOh$n({YCs zJQvPUz3ao3o5?H}_|CpU#1|^^k1!eWgW<0-zjZvK%cv`$l09R?IRuBG1p=()AUzB1 zczL99xx* zKsS}^#FoRO=^^?X*JEg=D>SmLaI#$S%7$QgH?3>pBz`{H=WCvQ=AwTPLW7e7MAg}! 
z(pUfKSJc$=lZp8a(NBKty1Lk)+6$hqq~B$h>pDM3!F%rs^eoXpFGy*Vol94-nb1(r|?<8Tddl%8{1=^LW5Nw@dC3vn~y7K^Gn9s`cEBP=VeZnU<(Oo zZ&Ws9wuC(CJj^N6?k~1q}41Af7QFuVPFxFq?s?lUwn)Lp`%n%wqE~ zX51TlFwEH!i*_GeEk8gdiV^mwzT(%c1KrN3m1ef5{-2fc$*U$6lKX#tOT1j+^=%_p zi1kT_M_jG=&qe$95%}$(U6dPcBesIw+^Btw*SC;-W$Hc~9dOFFCZ8@}p+6Yk1`R;_ zV-UZ;%wT!(z$QaA6pifG?U!WG<>>m=<2 zw4uF2zIcy`91@A1HY9iAt?5?IS$o|a>6FW^%RWud1EaD=%=zZ$yhrdTrHB7I?kXL4 zYfSadTy~F7CGV!|NB8JGts}^=`MSSu6$54&GF`3~(iMAiGM9&=>a1wyZNH7PtQQps ziz`if`iO3@;$}LVnQw+TQS&~ zbYu5fC5#NE1vem7mok_(H=L2ParxBPONa!c7w-jI+P_{TI3eaf2m<2STq_%@9~#qxa6v9 z3bk}6Y5Y?!J4QA=#{K1>^v8^>m%GfbY|mde-&ywSD82tcuhhBB-C~W$Pd^Vso>8n% z5QQ1hoJ_gslCL@WN$NwB(5;{E3>qt|TSzlGSArqij3m~ed|%G((!!(@@DmA$Gt&cF zx!rtul;Z^8oT3tOGjE$y3b;t11U@&SD5o8~?dP-?o;Od7( zq#nU}1?r7PxI2<1#?-u89WC;GCA}GPOa+OoIr;tc+$K(|x8eZOb0@E*#jdkS?c1P! zYuU8D#YOVztFud0=)LL~HJ5jQ=2!9DUsX~=6I|cCCxh|+PNs+K!1Lx7BOApy6~I~+ zM5GT`lNL+aarX~ZS-bOxk5dIH>htmwEjJy=%S$jsq=5Zzj~0qP;8opC\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Wiz/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Wiz](https://wiz.io/) solution for Microsoft Sentinel enables you to ingest [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel using the Wiz REST API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\r\n\nb. [Azure Key Vault](https://azure.microsoft.com/services/key-vault/#overview) \n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Wiz/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. 
[Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) \n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -64,7 +64,7 @@ } }, { - "name": "dataconnectors-link2", + "name": "dataconnectors-link1", "type": "Microsoft.Common.TextBlock", "options": { "link": { @@ -110,7 +110,7 @@ "name": "workbook1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview" + "text": "A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview" } } ] diff --git a/Solutions/Wiz/Package/mainTemplate.json b/Solutions/Wiz/Package/mainTemplate.json index a2f78d17249..8c4039c91de 100644 --- a/Solutions/Wiz/Package/mainTemplate.json +++ b/Solutions/Wiz/Package/mainTemplate.json 
@@ -41,19 +41,19 @@ "email": "support@wiz.io", "_email": "[variables('email')]", "_solutionName": "Wiz", - "_solutionVersion": "3.0.0", + "_solutionVersion": "4.0.0", "solutionId": "wizinc1627338511749.wizinc1627338511749_wiz_mss-sentinel", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "Wiz", + "uiConfigId1": "WizSentinel", "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Wiz", + "dataConnectorContentId1": "WizSentinel", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "workbookVersion1": "2.0.0", + "workbookVersion1": "3.0.0", "workbookContentId1": "WizFindingsWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", 
@@ -72,7 +72,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Wiz data connector with template version 3.0.0", + "description": "Wiz data connector with template version 4.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -88,66 +88,81 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Wiz (using Azure Functions)", + "title": "Wiz for Microsoft Sentinel", "publisher": "Wiz", - "descriptionMarkdown": "The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel.", + "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, **Audit Logs**, and **Vulnerability Findings** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.", "logo": "Wiz.svg", "graphQueries": [ { - "metricName": "Total data received", - "legend": "WizIssues", - "baseQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)" + "metricName": "Total Issues received", + "legend": "WizIssuesV3_CL", + "baseQuery": "WizIssuesV3_CL" }, { - "metricName": "Total data received", - "legend": "WizVulnerabilities", - "baseQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)" + "metricName": "Total Detections received", + "legend": "WizDetectionsV3_CL", + "baseQuery": "WizDetectionsV3_CL" }, { - "metricName": "Total data received", - "legend": "WizAuditLogs", - "baseQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)" + "metricName": "Total Audit Logs received", + "legend": "WizAuditLogsV3_CL", + "baseQuery": "WizAuditLogsV3_CL" + }, + { + "metricName": "Total Vulnerability Findings received", + "legend": "WizVulnerabilitiesV3_CL", + "baseQuery": "WizVulnerabilitiesV3_CL" } ], "sampleQueries": [ { - "description": "Summary by Issues's severity", - "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize 
Count=count() by severity_s" + "description": "All Wiz Issues", + "query": "WizIssuesV3_CL\n | sort by TimeGenerated desc" + }, + { + "description": "All Wiz Detections", + "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc" + }, + { + "description": "All Wiz Vulnerability Findings", + "query": "WizVulnerabilitiesV3_CL\n | sort by TimeGenerated desc" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL), (WizVulnerabilitiesV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] } ], "dataTypes": [ { - "name": "WizIssues", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "WizIssuesV3_CL", + "lastDataReceivedQuery": "WizIssuesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "WizDetectionsV3_CL", + "lastDataReceivedQuery": "WizDetectionsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, { - "name": "WizVulnerabilities", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "WizAuditLogsV3_CL", + "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where 
isnotempty(Time)" }, { - "name": "WizAuditLogs", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "WizVulnerabilitiesV3_CL", + "lastDataReceivedQuery": "WizVulnerabilitiesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "availability": { - "status": 2, + "status": 1, "isPreview": false }, "permissions": { "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", + "permissionsDisplayText": "read and write permissions are required to grant the Wiz service principal access to the workspace.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { 
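Review bot: The new `IsConnectedQuery` unions all four V3 tables and tests `LastLogReceived > ago(30d)`, so the connector reads as connected whenever any single stream delivered a record in the last month; a Detections or Audit Logs feed that stopped would not change the status. For an integration described as real-time push, that leaves a stalled stream visible only through the per-table `lastDataReceivedQuery` values. I would keep one criterion per table, as the removed lines did, e.g. `WizDetectionsV3_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)`, or tighten the window, and confirm in-portal how several entries in `value` are combined. The same query is repeated in the hunk at `@@ -300,65 +290,80 @@`; since mainTemplate.json is regenerated, the change belongs in the connector definition it is built from.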
@@ -155,67 +170,42 @@ "read": true, "delete": true } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } } ], "customs": [ { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + "name": "Subscription permissions", + "description": "**Owner** or **User Access Administrator** at the subscription is required to create the custom role definition (Microsoft.Authorization/roleDefinitions/write)." }, { - "name": "Wiz Service Account credentials", - "description": "Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz)." + "name": "Microsoft Entra permissions", + "description": "Permission to read (and, if the Wiz enterprise application is not yet consented, create) the Wiz service principal in Microsoft Entra ID." } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This connector: Uses Azure Functions to connect to Wiz API to pull Wiz Issues, Vulnerability Findings, and Audit Logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\nCreates an Azure Key Vault with all the required parameters stored as secrets." 
+ "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no install or login needed) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```", + "title": "STEP 1 - Get the Wiz service principal object ID" }, { - "description": "\nFollow the instructions on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz) to get the erquired credentials.", - "title": "STEP 1 - Get your Wiz credentials" - }, - { - "description": "\n>**IMPORTANT:** Before deploying the Wiz Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Wiz credentials from the previous step.", + "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy to Azure**: \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. 
**Review + create**.", "instructions": [ { "parameters": { "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" + "WorkspaceResourceId" ], - "label": "Primary Key" + "label": "Workspace Resource ID" }, "type": "CopyableLabel" } ], - "title": "STEP 2 - Deploy the connector and the associated Azure Function" + "title": "STEP 2 - Grant Wiz the RBAC" }, { - "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-wiz-azuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following parameters: \n> - Choose **KeyVaultName** and **FunctionName** for the new resources \n >- Enter the following Wiz credentials from step 1: **WizAuthUrl**, **WizEndpointUrl**, **WizClientId**, and **WizClientSecret** \n>- Enter the Workspace credentials **AzureLogsAnalyticsWorkspaceId** and **AzureLogAnalyticsWorkspaceSharedKey**\n>- Choose the Wiz data types you want to send to Microsoft Sentinel, choose at least one from **Wiz Issues**, **Vulnerability Findings**, and **Audit Logs**.\n \n>- (optional) follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#optional-create-a-filter-for-wiz-queries) to add **IssuesQueryFilter**, **VulnerbailitiesQueryFilter**, and **AuditLogsQueryFilter**.\n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n", - "title": "Option 1: Deploy using the Azure Resource Manager (ARM) Template" - }, - { - "description": ">Follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#manual-deployment) to deploy the connector manually.", - "title": "Option 2: Manual Deployment of the Azure Function" + "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. 
Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, Audit Logs, and Vulnerability Findings into this workspace.", + "title": "STEP 3 - Configure the integration in Wiz" } ] } @@ -256,7 +246,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Wiz (using Azure Functions)", + "displayName": "Wiz for Microsoft Sentinel", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" 
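Review bot: The Step 1 one-liner hides every failure of `az ad sp show` behind `2>/dev/null ||`, so an expired token, a throttled call or a denied directory read falls through to `az ad sp create` and provisions a third-party service principal in the tenant without the operator having decided to. I would make the lookup and the creation two separate commands in the step text, `az ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv` first and the `az ad sp create` line only under a sentence saying it is run when the lookup reports that the principal does not exist, and link the Wiz documentation page that publishes that application ID so it can be verified before roles are assigned to it. Step 2 then deploys a role definition and assignment from a `raw.githubusercontent.com/.../master/...` URL, which is mutable and not tied to solution version 4.0.0; the text should at least tell the operator to review the custom role's actions and scope in the template before **Review + create**. Step 2 also calls `dataCollectionEndpointId` optional while Step 3 asks for the Data Collection Endpoint Resource ID, so state where that endpoint comes from when it is omitted. The identical steps appear in the hunk at `@@ -366,67 +371,42 @@`.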
@@ -300,65 +290,80 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Wiz (using Azure Functions)", + "title": "Wiz for Microsoft Sentinel", "publisher": "Wiz", - "descriptionMarkdown": "The Wiz connector allows you to easily send Wiz Issues, Vulnerability Findings, and Audit logs to Microsoft Sentinel.", + "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, **Audit Logs**, and **Vulnerability Findings** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.", "graphQueries": [ { - "metricName": "Total data received", - "legend": "WizIssues", - "baseQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)" + "metricName": "Total Issues received", + "legend": "WizIssuesV3_CL", + "baseQuery": "WizIssuesV3_CL" + }, + { + "metricName": "Total Detections received", + "legend": "WizDetectionsV3_CL", + "baseQuery": "WizDetectionsV3_CL" }, { - "metricName": "Total data received", - "legend": "WizVulnerabilities", - "baseQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)" + "metricName": "Total Audit Logs received", + "legend": "WizAuditLogsV3_CL", + "baseQuery": "WizAuditLogsV3_CL" }, { - "metricName": "Total data received", - "legend": "WizAuditLogs", - "baseQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)" + "metricName": "Total Vulnerability Findings received", + "legend": "WizVulnerabilitiesV3_CL", + "baseQuery": "WizVulnerabilitiesV3_CL" } ], "dataTypes": [ { - "name": "WizIssues", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where 
isnotempty(Time)" + "name": "WizIssuesV3_CL", + "lastDataReceivedQuery": "WizIssuesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "WizDetectionsV3_CL", + "lastDataReceivedQuery": "WizDetectionsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, { - "name": "WizVulnerabilities", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "WizAuditLogsV3_CL", + "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, { - "name": "WizAuditLogs", - "lastDataReceivedQuery": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "name": "WizVulnerabilitiesV3_CL", + "lastDataReceivedQuery": "WizVulnerabilitiesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL), (WizVulnerabilitiesV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] } ], "sampleQueries": [ { - "description": "Summary by Issues's severity", - "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL)\n | summarize Count=count() by severity_s" + 
"description": "All Wiz Issues", + "query": "WizIssuesV3_CL\n | sort by TimeGenerated desc" + }, + { + "description": "All Wiz Detections", + "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc" + }, + { + "description": "All Wiz Vulnerability Findings", + "query": "WizVulnerabilitiesV3_CL\n | sort by TimeGenerated desc" } ], "availability": { - "status": 2, + "status": 1, "isPreview": false }, "permissions": { "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", + "permissionsDisplayText": "read and write permissions are required to grant the Wiz service principal access to the workspace.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { 
@@ -366,67 +371,42 @@ "read": true, "delete": true } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } } ], "customs": [ { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + "name": "Subscription permissions", + "description": "**Owner** or **User Access Administrator** at the subscription is required to create the custom role definition (Microsoft.Authorization/roleDefinitions/write)." }, { - "name": "Wiz Service Account credentials", - "description": "Ensure you have your Wiz service account client ID and client secret, API endpoint URL, and auth URL. Instructions can be found on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz)." + "name": "Microsoft Entra permissions", + "description": "Permission to read (and, if the Wiz enterprise application is not yet consented, create) the Wiz service principal in Microsoft Entra ID." } ] }, "instructionSteps": [ { - "description": ">**NOTE:** This connector: Uses Azure Functions to connect to Wiz API to pull Wiz Issues, Vulnerability Findings, and Audit Logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\nCreates an Azure Key Vault with all the required parameters stored as secrets." 
- }, - { - "description": "\nFollow the instructions on [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#collect-authentication-info-from-wiz) to get the erquired credentials.", - "title": "STEP 1 - Get your Wiz credentials" + "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no install or login needed) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```", + "title": "STEP 1 - Get the Wiz service principal object ID" }, { - "description": "\n>**IMPORTANT:** Before deploying the Wiz Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Wiz credentials from the previous step.", + "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy to Azure**: \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. 
**Review + create**.", "instructions": [ { "parameters": { "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" + "WorkspaceResourceId" ], - "label": "Primary Key" + "label": "Workspace Resource ID" }, "type": "CopyableLabel" } ], - "title": "STEP 2 - Deploy the connector and the associated Azure Function" - }, - { - "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-wiz-azuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the following parameters: \n> - Choose **KeyVaultName** and **FunctionName** for the new resources \n >- Enter the following Wiz credentials from step 1: **WizAuthUrl**, **WizEndpointUrl**, **WizClientId**, and **WizClientSecret** \n>- Enter the Workspace credentials **AzureLogsAnalyticsWorkspaceId** and **AzureLogAnalyticsWorkspaceSharedKey**\n>- Choose the Wiz data types you want to send to Microsoft Sentinel, choose at least one from **Wiz Issues**, **Vulnerability Findings**, and **Audit Logs**.\n \n>- (optional) follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#optional-create-a-filter-for-wiz-queries) to add **IssuesQueryFilter**, **VulnerbailitiesQueryFilter**, and **AuditLogsQueryFilter**.\n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n", - "title": "Option 1: Deploy using the Azure Resource Manager (ARM) Template" + "title": "STEP 2 - Grant Wiz the RBAC" }, { - "description": ">Follow [Wiz documentation](https://docs.wiz.io/wiz-docs/docs/azure-sentinel-native-integration#manual-deployment) to deploy the connector manually.", - "title": "Option 2: Manual Deployment of the Azure Function" + "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. 
Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, Audit Logs, and Vulnerability Findings into this workspace.", + "title": "STEP 3 - Configure the integration in Wiz" } ], "id": "[variables('_uiConfigId1')]" @@ -442,7 +422,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WizFindings Workbook with template version 3.0.0", + "description": "WizFindings Workbook with template version 4.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -456,11 +436,11 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview" + "description": "A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview" }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize count() by TimeGenerated \",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize count() by TimeGenerated \",\"title\":\"Vulnerabilities over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Vulnerabilities over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizAuditLogs_CL),\\n(WizAuditLogsV2_CL) \\n| summarize count() by TimeGenerated \",\"title\":\"Audit Logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit Logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by severity_s\",\"title\":\"Issues by 
severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by status_s\",\"title\":\"Issues by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by entitySnapshot_cloudPlatform_s\",\"title\":\"Issues by cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizIssues_CL),\\n(WizIssuesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by entitySnapshot_type_s\",\"title\":\"Issues by entity type\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by entity type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizAuditLogs_CL),\\n(WizAuditLogsV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by status_s\",\"title\":\"Audit Logs by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit Logs by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true 
\\n(WizAuditLogs_CL),\\n(WizAuditLogsV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by action_s\",\"title\":\"Audit Logs by actions\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit Logs by actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by vulnerableAsset_type_s\",\"title\":\"Vulnerabilities by Asset Type\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by Asset Type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by vendorSeverity_s\",\"title\":\"Vulnerabilities by Vendor Severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by Vendor Severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true \\n(WizVulnerabilities_CL),\\n(WizVulnerabilitiesV2_CL) \\n| summarize arg_max(TimeGenerated, *) by id_g\\n| summarize count() by detectionMethod_s\",\"title\":\"Vulnerabilities by Detection Method\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by Detection Method\"}],\"fromTemplateId\":\"sentinel-Alerts overview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Detections over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Detections over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Vulnerability findings over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Vulnerability findings over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Audit logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by severity\",\"title\":\"Issues by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by status\",\"title\":\"Issues by 
status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by tostring(entitySnapshot.cloudPlatform)\",\"title\":\"Issues by cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by severity\",\"title\":\"Detections by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by tdrSource\",\"title\":\"Detections by TDR source\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by TDR source\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by action\",\"title\":\"Audit logs by action\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by status\",\"title\":\"Audit logs by 
status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize arg_max(TimeGenerated, *) by id\\n| summarize count() by severity\",\"title\":\"Vulnerabilities by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize arg_max(TimeGenerated, *) by id\\n| summarize count() by detectionMethod\",\"title\":\"Vulnerabilities by detection method\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by detection method\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize arg_max(TimeGenerated, *) by id\\n| summarize count() by tostring(vulnerableAsset.type)\",\"title\":\"Vulnerabilities by asset type\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by asset type\"}],\"fromTemplateId\":\"sentinel-Alerts overview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -471,7 +451,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=WizFindingsWorkbook; logoFileName=Wiz_logo.svg; description=A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.0.0; title=Wiz Findings overview; templateRelativePath=WizFindings.json; subtitle=; provider=Wiz}.description", + "description": "@{workbookKey=WizFindingsWorkbook; logoFileName=Wiz_logo.svg; description=A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=3.0.0; title=Wiz Findings overview; templateRelativePath=WizFindings.json; subtitle=; provider=Wiz}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", @@ -495,31 +475,23 @@ "operator": "AND", "criteria": [ { - "contentId": "WizIssues_CL", - "kind": "DataType" - }, - { - "contentId": "WizVulnerabilities_CL", - "kind": "DataType" - }, - { - "contentId": "WizAuditLogs_CL", + "contentId": "WizIssuesV3_CL", "kind": "DataType" }, { - "contentId": "WizIssuesV2_CL", + "contentId": "WizDetectionsV3_CL", "kind": "DataType" }, { - "contentId": "WizVulnerabilitiesV2_CL", + "contentId": "WizAuditLogsV3_CL", "kind": "DataType" }, { - "contentId": "WizAuditLogs_CL", + "contentId": "WizVulnerabilitiesV3_CL", "kind": "DataType" }, { - "contentId": "Wiz", + "contentId": "WizSentinel", "kind": "DataConnector" } ] 
@@ -546,12 +518,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "4.0.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Wiz", "publisherDisplayName": "Wiz", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Wiz solution for Microsoft Sentinel enables you to ingest Wiz Issues, Wiz Vulnerability Findings, and Wiz Audit Logs into Microsoft Sentinel using the Wiz REST API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Functions

    \n
  2. \n
  3. Azure Key Vault

    \n
  4. \n
\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Wiz solution for Microsoft Sentinel lets Wiz push Wiz Issues, Wiz Detections, Wiz Vulnerability Findings, and Wiz Audit Logs into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Data Collection Rules and the Logs Ingestion API
  2. \n
\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Wiz/ReleaseNotes.md b/Solutions/Wiz/ReleaseNotes.md index 3d1d0e21642..8902aaaf358 100644 --- a/Solutions/Wiz/ReleaseNotes.md +++ b/Solutions/Wiz/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 4.0.0 | 15-06-2026 | Replaced the legacy Azure Function (REST API pull) **Connector** with the Microsoft Sentinel push integration (DCR + RBAC grant). Data is now pushed by Wiz to `WizIssuesV3_CL`, `WizDetectionsV3_CL`, `WizAuditLogsV3_CL`, and `WizVulnerabilitiesV3_CL` (Issues, Detections, Audit Logs, Vulnerability Findings). **Workbook** rewritten to the new tables and columns. | | 3.0.0 | 15-07-2024 | Updated the queries on the **Workbook** and **Connector** to match with the new table names we offer | | 2.0.0 | 07-09-2023 | Updated **Workbook** query in Maintemplate | diff --git a/Solutions/Wiz/Workbooks/WizFindings.json b/Solutions/Wiz/Workbooks/WizFindings.json index 78c18d3e1aa..50fb87524e4 100644 --- a/Solutions/Wiz/Workbooks/WizFindings.json +++ b/Solutions/Wiz/Workbooks/WizFindings.json @@ -5,8 +5,8 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize count() by TimeGenerated ", - "title" : "Issues over time", + "query": "WizIssuesV3_CL \n| summarize count() by bin(TimeGenerated, 1h)", + "title": "Issues over time", "size": 3, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
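Review bot: The new `query` strings in the WizFindings.json hunks (this one through `@@ -86,85 +99,99 @@`) read only the `…V3_CL` tables, so rows already held in `WizIssues_CL`, `WizIssuesV2_CL` and the other legacy tables drop out of the workbook on upgrade although they may still be within retention. Removing `union isfuzzy=true` also leaves each tile dependent on its table existing; until Wiz has created it the tile will most likely fail to resolve the table name rather than render empty. A fallback such as `union isfuzzy=true (datatable(TimeGenerated:datetime)[]), (WizIssuesV3_CL)` keeps the first tile rendering, and the other tiles need the columns they group by added to the `datatable`. If dropping legacy history is intended, ReleaseNotes.md should say that the workbook no longer shows pre-4.0.0 data.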
@@ -18,34 +18,47 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) \n| summarize count() by TimeGenerated ",
- "title" : "Vulnerabilities over time",
+ "query": "WizDetectionsV3_CL \n| summarize count() by bin(TimeGenerated, 1h)",
+ "title": "Detections over time",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "linechart"
 },
- "name": "Vulnerabilities over time"
+ "name": "Detections over time"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL) \n| summarize count() by TimeGenerated ",
- "title" : "Audit Logs over time",
+ "query": "WizVulnerabilitiesV3_CL \n| summarize count() by bin(TimeGenerated, 1h)",
+ "title": "Vulnerability findings over time",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
 "visualization": "linechart"
 },
- "name": "Audit Logs over time"
+ "name": "Vulnerability findings over time"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by severity_s",
- "title" : "Issues by severity",
+ "query": "WizAuditLogsV3_CL \n| summarize count() by bin(TimeGenerated, 1h)",
+ "title": "Audit logs over time",
+ "size": 3,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart"
+ },
+ "name": "Audit logs over time"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "WizIssuesV3_CL \n| summarize arg_max(TimeGenerated, *) by issueId\n| summarize count() by severity",
+ "title": "Issues by severity",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -58,8 +71,8 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by status_s",
- "title" : "Issues by status",
+ "query": "WizIssuesV3_CL \n| summarize arg_max(TimeGenerated, *) by issueId\n| summarize count() by status",
+ "title": "Issues by status",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -72,8 +85,8 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by entitySnapshot_cloudPlatform_s",
- "title" : "Issues by cloud platform",
+ "query": "WizIssuesV3_CL \n| summarize arg_max(TimeGenerated, *) by issueId\n| summarize count() by tostring(entitySnapshot.cloudPlatform)",
+ "title": "Issues by cloud platform",
 "size": 3,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -86,85 +99,99 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union isfuzzy=true \n(WizIssues_CL),\n(WizIssuesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by entitySnapshot_type_s", - "title" : "Issues by entity type", + "query": "WizDetectionsV3_CL \n| summarize arg_max(TimeGenerated, *) by detectionId\n| summarize count() by severity", + "title": "Detections by severity", + "size": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "name": "Detections by severity" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "WizDetectionsV3_CL \n| summarize arg_max(TimeGenerated, *) by detectionId\n| summarize count() by tdrSource", + "title": "Detections by TDR source", "size": 3, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart" }, "customWidth": "33", - "name": "Issues by entity type" + "name": "Detections by TDR source" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by status_s", - "title" : "Audit Logs by status", + "query": "WizAuditLogsV3_CL \n| summarize arg_max(TimeGenerated, *) by auditlogId\n| summarize count() by action", + "title": "Audit logs by action", "size": 3, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart" }, "customWidth": "33", - "name": "Audit Logs by status" + "name": "Audit logs by action" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union isfuzzy=true \n(WizAuditLogs_CL),\n(WizAuditLogsV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by action_s", - "title" : "Audit Logs by actions", + "query": "WizAuditLogsV3_CL \n| summarize arg_max(TimeGenerated, *) by auditlogId\n| summarize 
count() by status", + "title": "Audit logs by status", "size": 3, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart" }, "customWidth": "33", - "name": "Audit Logs by actions" + "name": "Audit logs by status" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by vulnerableAsset_type_s", - "title" : "Vulnerabilities by Asset Type", + "query": "WizVulnerabilitiesV3_CL \n| summarize arg_max(TimeGenerated, *) by id\n| summarize count() by severity", + "title": "Vulnerabilities by severity", "size": 3, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart" }, "customWidth": "33", - "name": "Vulnerabilities by Asset Type" + "name": "Vulnerabilities by severity" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by vendorSeverity_s", - "title" : "Vulnerabilities by Vendor Severity", + "query": "WizVulnerabilitiesV3_CL \n| summarize arg_max(TimeGenerated, *) by id\n| summarize count() by detectionMethod", + "title": "Vulnerabilities by detection method", "size": 3, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart" }, "customWidth": "33", - "name": "Vulnerabilities by Vendor Severity" + "name": "Vulnerabilities by detection method" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union isfuzzy=true \n(WizVulnerabilities_CL),\n(WizVulnerabilitiesV2_CL) \n| summarize arg_max(TimeGenerated, *) by id_g\n| summarize count() by detectionMethod_s", - "title" : "Vulnerabilities by Detection Method", + "query": "WizVulnerabilitiesV3_CL \n| summarize arg_max(TimeGenerated, *) by id\n| summarize count() 
by tostring(vulnerableAsset.type)", + "title": "Vulnerabilities by asset type", "size": 3, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "piechart" }, "customWidth": "33", - "name": "Vulnerabilities by Detection Method" + "name": "Vulnerabilities by asset type" } ], "fromTemplateId": "sentinel-Alerts overview", diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 143ab9dc8e7..ba45a96474c 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -8268,17 +8268,15 @@ { "workbookKey": "WizFindingsWorkbook", "logoFileName": "Wiz_logo.svg", - "description": "A visualized overview of Wiz Findings.\nExplore, analize and learn about your security posture using Wiz Findings Overview", + "description": "A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview", "dataTypesDependencies": [ - "WizIssues_CL", - "WizVulnerabilities_CL", - "WizAuditLogs_CL", - "WizIssuesV2_CL", - "WizVulnerabilitiesV2_CL", - "WizAuditLogs_CL" + "WizIssuesV3_CL", + "WizDetectionsV3_CL", + "WizAuditLogsV3_CL", + "WizVulnerabilitiesV3_CL" ], "dataConnectorsDependencies": [ - "Wiz" + "WizSentinel" ], "previewImagesFileNames": [ "WizFindingsBlack1.png", @@ -8288,7 +8286,7 @@ "WizFindingsWhite2.png", "WizFindingsWhite3.png" ], - "version": "2.0.0", + "version": "3.0.0", "title": "Wiz Findings overview", "templateRelativePath": "WizFindings.json", "subtitle": "", From a1817a506f92140ea113a8f970ee8aed67b6306e Mon Sep 17 00:00:00 2001 
From: Marek Kuczynski Date: Tue, 16 Jun 2026 18:12:22 +0200 Subject: [PATCH 2/3] Wiz v4.0.0: fix CI (KQL custom tables + connector permissions) and drop Vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CI fixes for the v4.0.0 push-integration PR: - Register KQL custom-table schemas (WizIssuesV3_CL, WizDetectionsV3_CL, WizAuditLogsV3_CL) under .script/tests/KqlvalidationsTests/CustomTables/ so KqlValidations recognizes the DCR-created tables. - The data-connector validator classifies any _CL connector whose instructions contain the literal "[Deploy To Azure]" as an Azure Function connector and then requires the Function-App permission set. Relabel the deploy badge ("Deploy the Wiz RBAC role") so it classifies as RestAPI, and set permissions.resourceProvider to the RestAPI template (workspace read/write/delete + sharedKeys action) — which the Wiz custom role genuinely grants (workspaces/read, tables/write, sharedKeys/action). Drop Vulnerabilities from the solution: although the integration provisions a WizVulnerabilitiesV3_CL stream, the push model is automation-rule driven and there is no automation-rule trigger for vulnerability findings, so the table is never populated. The solution now advertises only Issues, Detections, and Audit Logs (WizIssuesV3_CL, WizDetectionsV3_CL, WizAuditLogsV3_CL) across the connector, workbook, workbook metadata, and KQL custom tables. Package regenerated. Note: the remaining WorkbooksValidations failure is unrelated to Wiz — a pre-existing missing-logo entry (akamai-guardicore.svg) in the shared Workbooks/WorkbooksMetadata.json, surfaced because this PR edits that file. 
Co-Authored-By: Claude Opus 4.8 (1M context) --- .../CustomTables/WizAuditLogsV3_CL.json | 21 +++++ .../CustomTables/WizDetectionsV3_CL.json | 21 +++++ .../CustomTables/WizIssuesV3_CL.json | 25 ++++++ .../Wiz/Data Connectors/WizSentinel.json | 32 ++++---- Solutions/Wiz/Data/Solution_Wiz.json | 2 +- Solutions/Wiz/Package/4.0.0.zip | Bin 8058 -> 7925 bytes Solutions/Wiz/Package/createUiDefinition.json | 4 +- Solutions/Wiz/Package/mainTemplate.json | 76 ++++++++---------- Solutions/Wiz/ReleaseNotes.md | 2 +- Solutions/Wiz/Workbooks/WizFindings.json | 55 ------------- Workbooks/WorkbooksMetadata.json | 5 +- 11 files changed, 119 insertions(+), 124 deletions(-) create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json diff --git a/.script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json new file mode 100644 index 00000000000..d669d3541e5 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json @@ -0,0 +1,21 @@ +{ + "Name": "WizAuditLogsV3_CL", + "Properties": [ + { + "name": "auditlogId", + "type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "status", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + } + ] +} diff --git a/.script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json new file mode 100644 index 00000000000..bfd2b0a5e02 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json 
@@ -0,0 +1,21 @@
+{
+ "Name": "WizDetectionsV3_CL",
+ "Properties": [
+ {
+ "name": "detectionId",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "tdrSource",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ }
+ ]
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json
new file mode 100644
index 00000000000..4660087aafb
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json
@@ -0,0 +1,25 @@
+{
+ "Name": "WizIssuesV3_CL",
+ "Properties": [
+ {
+ "name": "issueId",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "entitySnapshot",
+ "type": "dynamic"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ }
+ ]
+}
diff --git a/Solutions/Wiz/Data Connectors/WizSentinel.json b/Solutions/Wiz/Data Connectors/WizSentinel.json
index b07229fbe7b..25b7d313be7 100644
--- a/Solutions/Wiz/Data Connectors/WizSentinel.json
+++ b/Solutions/Wiz/Data Connectors/WizSentinel.json
@@ -2,7 +2,7 @@
 "id": "WizSentinel",
 "title": "Wiz for Microsoft Sentinel",
 "publisher": "Wiz",
- "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, **Audit Logs**, and **Vulnerability Findings** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.",
+ "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, and **Audit Logs** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.",
 "logo": "Wiz.svg",
 "graphQueries": [
 {
@@ -19,11 +19,6 @@
 "metricName": "Total Audit Logs received",
 "legend": "WizAuditLogsV3_CL",
 "baseQuery": "WizAuditLogsV3_CL"
- },
- {
- "metricName": "Total Vulnerability Findings received",
- "legend": "WizVulnerabilitiesV3_CL",
- "baseQuery": "WizVulnerabilitiesV3_CL"
 }
 ],
 "sampleQueries": [
@@ -34,17 +29,13 @@
 {
 "description": "All Wiz Detections",
 "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc"
- },
- {
- "description": "All Wiz Vulnerability Findings",
- "query": "WizVulnerabilitiesV3_CL\n | sort by TimeGenerated desc"
 }
 ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
 "value": [
- "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL), (WizVulnerabilitiesV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
 ]
 }
 ],
@@ -60,10 +51,6 @@
 {
 "name": "WizAuditLogsV3_CL",
 "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "WizVulnerabilitiesV3_CL",
- "lastDataReceivedQuery": "WizVulnerabilitiesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "availability": {
@@ -74,7 +61,7 @@
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required to grant the Wiz service principal access to the workspace.",
+ "permissionsDisplayText": "read and write permissions are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
@@ -82,6 +69,15 @@
 "read": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ],
 "customs": [
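Review bot: The `Microsoft.OperationalInsights/workspaces/sharedKeys` entry added in the `@@ -82,6 +69,15 @@` hunk contradicts the connector's own `descriptionMarkdown` (hunk `@@ -2,7 +2,7 @@`), which still promises `no shared keys to manage` and `least-privilege RBAC`. The commit message says the Wiz custom role grants `sharedKeys/action`; a principal holding that action can retrieve the workspace keys, which is more than a push through a Data Collection Endpoint should need, so either the action comes out of the role template (not visible in this hunk) or the description has to state it. If the entry is there only to satisfy the validator's RestAPI permission set, that belongs in the PR discussion, not in user-facing `permissionsDisplayText` that links to the agent key documentation. The `"delete": true` workspace permission kept as context above it needs the same justification.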
@@ -102,7 +98,7 @@
 },
 {
 "title": "STEP 2 - Grant Wiz the RBAC",
- "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy to Azure**: \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.",
+ "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy the Wiz RBAC role**: \n\n\t[![Deploy the Wiz RBAC role](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.",
 "instructions": [
 {
 "parameters": {
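Review bot: Step 2 asks the operator to grant a custom role to a third-party service principal without saying what the role contains; the `description` should name the actions, which per the commit message include `workspaces/read`, `tables/write` and `sharedKeys/action`. The button still loads `azuredeploy_WizSentinelIntegration.json` from the `master` branch at click time, so the role definition that gets deployed is whatever that branch holds at that moment. A sentence such as `Open the template and review the custom role's actions before deploying.` in the numbered list gives the operator a check. The badge rename itself only changes how the validator classifies the connector, not what the deployment does.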
@@ -117,7 +113,7 @@
 },
 {
 "title": "STEP 3 - Configure the integration in Wiz",
- "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, Audit Logs, and Vulnerability Findings into this workspace."
+ "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, and Audit Logs into this workspace."
 }
 ]
 }
diff --git a/Solutions/Wiz/Data/Solution_Wiz.json b/Solutions/Wiz/Data/Solution_Wiz.json
index 633b728033d..9cb743d6fad 100644
--- a/Solutions/Wiz/Data/Solution_Wiz.json
+++ b/Solutions/Wiz/Data/Solution_Wiz.json
@@ -2,7 +2,7 @@
 "Name": "Wiz",
 "Author": "Wiz - support@wiz.io",
 "Logo": "",
- "Description": "The [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) ",
+ "Description": "The [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) ",
 "WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
 "AnalyticalRuleBladeDescription": "",
 "HuntingQueryBladeDescription": "",
diff --git a/Solutions/Wiz/Package/4.0.0.zip b/Solutions/Wiz/Package/4.0.0.zip index 98c255a714f5a934c247a1cced0c8325d1846b23..39f18307479dfdd91215812f463cf7af21e3ae3e 100644 GIT binary patch delta 7860 zcmZvhRa2b{v}KXt?hxGF-Q70s1a}DT!9M~7Cpf{~-GV#8-Q6MhCiuqhxer~{UDdPJ z%N)O8)f~@a_o4*qO0b`Bp`f4;q1X~j92u3W@EmutqbxmFwpq|^zovs6k}LsM+d-xeB0I1^mP%8rym>`i2hMOuv#2-av~ zyv{4N${^Q>6wkkv+*!0eku|`9r>bQO&#FcYMO-Yi5PeZy{DZKVzZqG%f7thbCC~4R z?%De}YxurC-2gDZtVVINASxxIfeib-LVUf^!xl_>bW3(ai^L!nVUuSFOF5Xa-1=%x z$b!1ju=K2~q_I*Wep$Bc-!&o>1!$Fp@w^tA%ANnN-0^eHfaceTgNJ@8K@eYExIbgZ zAI($ZA|Rg%);3x1mW@@nW&s1-{#py*=HUD+{xRt!8nz}}?G?lLP1r898a6P4Ataqr$aELkU~U*-M3XuRY7s`NqVyxyWl{z;B#T`y)cV z@IG1@QQKV--GE?N9b8tqI-|~FVtkC)MC`YjZaQbFEJEsh(`1EWoG3*sW_O3~e1bJT zek6%x1P)7b-`|(pizcIYCv{fM5*U{3hx1dG0%9%I>1w=kbQpcx_Ag@Y7!z~trs>eT z>663d-p?3bwH^O zTHDqNQ8(a1N(FuNh{dx389Kwl|JrX}1|;LMf90j5ffX&o|AAkcJSZ^WIi1|8(gJ?M z14&RAh3F3P$#Hot^Mu9S26moqS}uou9ARfa$eFYz{KB(yF!saEhaRR=nIv7?8`B3! zYjY5nW(lILd7jsb?d}Z*c4!_xCvVpOjh&S|;t(Z`J6k`q?XME{%%>Q_R*9zj61ur{ zX0fxN9dX$vv0E}KxY@;=mJsl>#fgrK1MoLIu&7Ig$;T({gI}y2PpZkYpG?W+Qx{6? z6oTrS$BA!oorgB@{nVn4$njlP?<;$nb|$=)o~ANU2PTE#E_RJQ8O=qPaE{?vShRVI zq1F`>>r=wuIOn3Ek$1=Rwuy7$YgRuS;qb)>>)emjYrM|92 zdP1#tQ_^&Nj6=E8Mxxz*E>Asc4i58+r_tJ{9fO{-X0n*3T&O#GaNY*2hf4>N_~qn- zve;wp{I6j}uePr%lFkM#EoGphdtk3TPp_qflBDmpQ7>Bq`_r#XJ+`y4E$ed_5R);m04D>X{aVui_d^#%q;?gUFQ9?4!-iMvJpUL<~iD>stGK4D;WrkAKz^ zxi`SS04Rpenop57!V5#bJEN= zl@m-0goqG=^amY!M|%j?Q4`A~tnjQIR~|--CO_dY_O@#PSJ$OOJw)lpGz}JIA_Vhfyol^wdhr2x1yl6&Lp=>BqRIP+5KkU$A|bb z?*#JHWEi;CkmI3IAH~k{i=c}u(7Xn}T=v-vF2#U0y-C$!_+5+yx!j~3*gw>oux65R zku?ZSYqBZwx1OzndGxa0?b5O85?-ZB4^r=t@+F)?) 
zhvEOugfVUEM%%t0Gn*7R$?x`5yBrfAo_uXhgZbjo&kLRul zWmvj+!w-CUa^?Gz2i5X^Mhw^PAtQF`%!s0ZSgVeiKOL0BS}scXJsRx z*x7bGSmPU%_^61r0oRO@)fJ=QlXd8`LDlYbpMZazIEQOCZNms3-G2|AAJNdeyA2I~ zb8*h5eT(^VY11&IOk6gAOzBVl`h!^^1<6u|!AVnaMmC*l509(<@7Zq8+`SU2ty26$ zyR{38_pcPB4LrXea-*(OW8XFns{IeSs~B|XkhB|ZV2N*-?f^#cOfwqWCGI*w?z~KL zyZ^PRC~br5Zcwl8W8{~E{9@|jO6Ln>G3*rWv}bbAfW3EQQHz!H`blo&zG9V+{MEuO zquBb9U>-4Ir?Nfq!DDWRz1tF^qxsjb*P-(%Ei6nzSCvYYU=G_Dkay6_ZxlXJ-Mc#$ z77|bJIaI;zDFC3tA!K@!lL{SMoJjo$7YYt38AgD%myGg1f^iSibZjBv%5V$^)sgZF z7m`S?Mi1h*d{R`L==`UpQN7p^PwP{}Vuiw-aavXI)ywwb*4`9`>emf0T>3(Hw z+CB@(T1+YU>2?6hfrA~c`2>R%SPWeEz zf`C+wPQ8b6Mja8MZt(i9@f2U(C4x*{t~+mtBMamq-(xS-(AVJt^qwG%V4z*o zwbNcd1D_O2%v;4fE|0xujxUo|yL;a59M`DAjh-6UE!MK)EawgDi`J5=Z$n*ZHpYvk z5_?l!EWAB1AwyfV{6CBjSo2 z%Jbc@14oE9C-6i$1^MvZ%q;h=EG(HbN3-_%kPrFm4&DMJhvdTfO2n;&ToBk0hK+~s zNw;iA5kdbQevq){7GR$vuk$uIoo^g7d(t0^l|SpV^e0R<&QqltrM z(XZrp1%T7-l~zeF%&4bXO8iap~fD}H#IjD@o$ z;^9=te67zdF)JBq(Xc-alblCG(zB=8r6g%8Rzfw3gSE~yFj9hp6_9AMg+Rukg_`{v z1a1V=Pckw+$FEc=w|Zx1`O=uDq#XTWh_ z6Nv+f3~deVewPVX%lLJOk_IoK3UVC!Zg@+OujO2aW*S3cl%!T?)NfqK$8R#_uhdGTVvGbmGQSxyUc~FSpGucA2XlWy|=}{Objc2v{lw**LZVOvNw%DSuOTn zVgnfMk{@^GK}V~))^r0Vu#7=|xHop`b#bHlGjQhQOtU`w!JA*OY_p%|J~oU)ixBlZ z9!F-yEAHFS0Q_DGRc1b3jFT$;tB505S)VbPel}ctsYnapbC!OmUVh9)Sd^9A8e1R9 zY`EuxN0Z(-VXeIMsco8z5qP0499D2_Ar1JP@E^6th^~)|90-ERTS4(?4+J9TlG>v@jX0d%} z%x-`KW!kacl<;Q#Ku&X7I!ju>Vlhd$bZ`Aq(c<#KDkVtFi)2l^_vJ^mjh!xSRpuy~ z@j{Y8F?Lp2obG93oDS1MCwfVGoUSf1vyF9NxrLr0UbMSOI_`$4TLN>e#xryLoHNh3 zB}?km6Yzb2ijvH*(N!_6JSWhn1i{E4?h6OkxBz>Fq#?J0e zTW@z&%=y=ORuimc;o_u_vdn}Xb1xGekbC2o(WP5EiFSJ62ub?x0O)OP-Iw2V;99<1 zM3U^V^vOYGMwFG19^ztN9RDHK31`LCmNvm*3D_rron0mmCA|y2E-!|;2~)STfq}fd zJFV@j6=b!_^V3aYxg+m$a`!9us@K=5MzS^WFRF)dFU~!7?L#J|A4$kyfen8hru4y@>0b&hvDCp?}_f8xgJ{=+!H^~&4A)4uUdU(G`^tb4}ysEF3?M(MFvGn zfmf@#XyWl3zV;3a%(wtL`bGHSN+oL^h%L5>zeQ<=FJ}Q^ILt5}X;ym(MG_9v{eknN z_ITvDb1T9Ym{W%iu>imUOSbwG`YP}7nR<7wMwf4HTPB1;@>f$Hyausr${Hv^P|!y8 z1Bw3*7!Y3jx+OS%a?%Zt_<1;0{@|YkN-)D>J6R}#FpB$HDTfGQ2wWo{pjD}y*EL}1 
zq?lA#2q@@jiph)?+W+Vc*WT?}3|I}P#YqpOe&VI9+$<^`DwAQNM_fa@Jxw2&=p`eA z=62(F(oU|VO9>^`^mOb{b>v8<3{OLqC@46b&iTjsIYQ1(9Ae0Yh zwWg1`4ih94qX_Etdk^HqZwS6SnriEq6`<)q1gJkZBBNM;Xd`vkik2{0t&iA`VMjyE z{vb%5X`-&^csraFS=xKvC2eII^j>uf`e~S2%FxIf9OI=jogXS+M;|Ean5}V^@ctsv zYuN9OW7Rpb9w~LO7^02PE!PtT8l%g`LTFbyXcqd)m}6Yb<2+7Y460)Fm*P+3?XgJQ zAvnc|c(H$7`%ASu$qLI6R_FX|8p02?E!Go_6Y7@~TtrnGa;*84r{bkb?M6qD7p(P& z%eYJg)Mp}fFB4q$?OeU&I~4x>R!P;HyS#jDN2W&3dh*>mJEez98&bOkZn}66*M>hn z5vi2XSheDsU`8F84BNxcn1i;R{`weKl7{VHE$So?afq=0_Jp!x;d^Z9t~v9C@d+Gx zk{0*o#L(5?>@0P1*bk(_t3|yyv7ZbS%}Xq*Nq11COFx8pjPu}>MJ4D<7f1uCbYjbSn(7OGyq#BfaXGsT}H_3h?{G%qqM=bXI zkmwn06!#OhCgLeM7D|O)_a`=WV*Z@$blT%$G_MlokcSdhL0i^RfU34|WN8iIPUN2T zyd`R-G+RC}vsvG;9#ngOyFHQ^{(bG&o6PYytk`OS@>dgfe+dWGa*rFBy6K8F1K)u- zjvy;OJoW*6OTbgmTfqMu6rs4g29oEJ<*6gUqVLnbcaZCrTdU^B zngf$KvbdhW8_4yy&YjSMlN?SC3=(M2b|1LEuZSO(>`4qYqAlR{R!t!@{`Va^sa@eY z!JwiMElk3pe+LSKUOw(y|fq5SiB++CXQHh+0~txG;+QHCKe=27Q`DNF>- zr7rL6hPnk7Gn*^$yEm;nLoNa58YRDL57VoH?C8a#Q?LV=S#jm97PzZiV%w~KI$lUF zQ6R5LtoXNmgSb8(?tv8*Y~DDvlI?I6?XhTq)ycsvoSI(`E+g>k%Pak4jw7kY zv};nuuXTgxQo3hF-cokXe0udVBlW=aH*U7y7Mr8Zq1pLYIr#hyUIckvm})39fY&K&4$E6u#{2*h0DNZk`yDZW*sonAxy*GAU@DU!Gp& zbV@eSnGQRN~d1xGe|r8RU&V1LhoSno9i1Rc-E(^rpn!CxYNBG8dF3_ zR>LyW>X*nV<_F^-pn)$=_yQoOT9++mp4=G<<#D+yLRAw0aIOMCZ+P(@QRC0M? 
zF7Mb{%zjz^ELPrFOr+}xz`%;VRG5f4CVocMCHe{JC~S=L(pmoVYiS7|WKasKZa)5O zpGL_S<6;uwz40v0st*3C7irMikL<-nS@D}EO}zt7bB*+z-Qibd?WY>pKm+&gs(e*( zQ9VNx6({F%7}O3Xz7}+u=b@(uVTU&=(;x(LlgrMmK<^q4gLQdZpj)y;t@f(224mV= z~&#qOq|Ccwcz@3~+u;4Mp{=d!>15$eo%t#&cg$3bP9Y8E_SzG2gRsh4sI(2chc z2^dBbRKuh=VI(+V#2VwS=;J|klKk@$>^o=TX@zcKgR?V69?jffKdO;sO{#t18!c@A zXvXx2p>sg8+N6&JA`LA(V-8P~rMs3;oP;6HPO+YpMy=4LFS3Ikrmcqn_jvc8$0PMi z2gxS(`IsY(a|h|Fm8RcV^ zOAO7x=j&tU8$32)2DiY44l!MuP`PpWo0*j3x+Z+O5s%GNqrrC=6G(Gj0JP+6^ZlpTl0v7GjVdPS*{64lZ?5q00))UCz#B}2GP z6%%7Gd@K@jk>;o9ZGowmq2RO(MR4H)i~>Fc5UOIkj41J5UWDAge=FOYE5EUF!J|u1 z6iYQ_&D3a5$9LJac4JN%N>rtm(x{vnAxI1@zyVVPBBcF%+Ze12Hmhso7N6atYf!zP zHwIN*R?VYTkLsH~&fe4~cIumYSBMRaiM$_B&|dE%fXWk|in>S8vx*oD`XJ>D8CDzB zzP$%Z=rr~4tu3tRYKG(Ka`VDM&Cqe@s9_GgQg7PDGIsgP&|sgrEzrrYyvP#7b5X1p z1IV7G=&v!JhS!LkT673)k9yG4Xb(O=Ybf~#hr)C6^4rR)F zVpaxc_W$7X{&e9%Fh+HRiJh@_j@AZnA6Es`a%(z6tj8ghGs8klbFUebVK)OFQ{BTA zZ300^;bVCVR#p}7gebYgYZUrR1P7&K9A!=S6NLeZYTo#jjPEQq`SWhaBe#MAz?FTp zco!H=*r&tnfUhi<&8au(faIA+`xM`>m1rc!Q<9j2%a`0UfFUXu6@5X=dPGi>gt$E^ zG?85nHu-}Ror%^QpH%F#w-{;_+gBTxjElnoBa|yZI{;K@Lw|)WJ2DX5mgE8-2;W-! 
zjZ^yt%f)!(w7M5A?MY}nr`CV~2vG-oU5MYKrt|aya*h~5odV`PJw8#i+q!Hw zNdl4AZ$#@T7v%CxHS-v}rDq~Dt>|T#Z?(d<(`^!vsn_(+q{W3Bbj%un3*IiFc7q#a z|4xV_-GBk)P_1@y${zZ%?O{du{3GMrGBc-9#o2P)6bs(uiU&z6L>h()a9r zWa>D)+_LMr$C`;S+&|ZbJX=QQ@!bQdOt9+)rRJm)ZULO$R@nz^ zV4AJU(}Jx*{ye_;_@GsTyQ8u)8!-0t_O(#E`7D#(__c-q#+6#h*kIMwD1C@^>Ki|J zZZ?maUX#pJ{o4SX&31_<5GKltKr}YVg&;1%_+6rrDi?qio60~={mQF~#ZZd-cxf+1 zyS<^Hw;(|jg^OEnt3BiJ21FrHJj@YSVnioxLMxge;N03 zoUa&r?bsQ2UDz8g@Sca*ItsxPbr7X3+T7N77Xb|jft15i{%WXAXu=$W!FRXj$DJ;r z-v-f@8P23{Uh<9I3)ekuy$TARKbtn8{vNejOi?K3#M5|Tk#1kIbXqLpT-P8!V)(JW zag=YQHa?+qJCsVeAds}~bC?sF%Y5-?9SrgEd*yB_6X26L^x?l>U7K=JN>ce^?)-aJ ztlT_!Y2!8%nds(INZ!Q1ou8sh5_Y{$W)iRYeaVjfF-UC9yDYfZAl`}4$?{9G->7N5 z8x0c!b<~zKne3!k6%?BASZ}+7p&tn9O3*O4u>T*?ocu&4K>ok#`Ttsep|JiF(*GyL Q-{X?i$!XvX$^Mu857Veer~m)} literal 8058 zcmZ{pRZtvIm#rZLm*B3!B@o=*-QCi-1aI8k-5YmzZ8W$$X`J8?++A+|xlc1wbM~oP zwNIT|Py6AkwN>O{K4U{cK_Ng@=gt_2(8aMkB0xd?CV+y%`}b<tUG?G0oxW^xCKBeSYS-eB!Z7cpRjo`p`+FbUxl^ zo;g=*%qBc)x}AHb8e+P@%;EV9`$n0yce;LSL27H zpsT^4!8BK2-iA$JcefgPnCluYD%&Y)D$7`U7Rk_i&>w+9LP(U|S4IgHKt6AyD0_o~ zp3q$)4cOU2fr#m4L&&uH)fP$bE=-ye3)VHoK16gsK_u$ZWA$T}!w|vEIyktB#i^!C z_3B-y`xmD$4AMyZ0$7lOOyd)YwWn`_VQ$GxFw1JE^Gg$3ZM|b;Y0$+ovd5sqi!_@G znq*4@o;Ohihj5I7K3=&Db`5!3oS7krqnZEzhpyhqKWN>m3U79AM8b zJIzN3SFHepF=@~35~d4kc!jTOIO5LUyC1saNi<(MRKO(p#Tf{ z{%wM|OrR)5pK4eE_hezzx50iywBP{w_X{z3T@bQ1!!##7e9=U76)SeD()xA%ib_ZV zks8Ln*n3Zm3s(9d!ah^GM!UGlOxVq@DQ9t_qzv+|kN4M4qk&>Ec7L(b_S7`cJ(mG) zIyS^DULdi;GB*?IxiC%AWZ05EZP-_p@+640Op9x-f%Wpg33kDtSk}Og*(P;Qi>+Yk|)H@ED6$7veWhsnjpLz8~dN-4k4-;#~FswrNo)rY2I5JGN z@`=ydmNqTtn#;;CORD41)9Z9GUbU(hl9o5Ywfl0@T^kT_r)MDW){%P+JCryOi%k=Q zCY{ZBx6zveW1zpFtcvlaQSB_dqx6lXMa&hzdTd%5NhV{ zSg&^LiRM6Pba=7ZtR;gjb*8)hjnUsSQ){m|Q$9!MgWWa-6q#+|H6RdSI-%nBZ3EY`2(8U?q=CWnLHIC4nl`u9O;LeMLnBbI`p$4WJee z^AWx<>v0O{S9j#p*+oJHidG?GZSxm#W2c|F%~1r{(|)*+e1B=pBtD2;jvGCkMtqXe zokrt#U>Kdg(YrU0;g}A8_OuX06M~vqFggkOs@$IDWgCpPVR-YQKBB26Z8EAzz}I)# z@Q^D_8fAJ5Go(CNj=~vD{}Tff7^7fY)P&gq{3M15cEMi3mF$ReUEHRRWU8Tpz)a`Q 
zyQ27Wbc{Z5;>F-snzGL~8BFrYBX?k;_O^lT8|b5i}5?lo!8oZw~03 z)h*TZum<{7v{lM84Ixphf3Xl@mJF##a{?p!T#7=^$v(_T2yyYndj_m0rI7PN^v0A3 zfsMcX3<-5CKhs;n%YWXD7sDMT3znq0R?Q45YQ&csc?%IH4JV?>6O-f)Tlxd-fD)8K z!s}bpW>x7xF|qWWy&55FOF~b_$dkU+<_=>F1m5g~E)CV%mX2(@2bB_(Z8=lWn zU@UpH>3^YmmBd3w++Rb8Z&n55O#9$nNz3#p;RSmusIyRH*O7n@(?;nh4AuJ=nB%p} zJ@A<=uLWDQI;Sr)v9XbHo>UvN;a0a(N6PBg7W52O<(u)OtZ8I7^4_(J1~K6_-Cgc} ze6PYbbNA3r4eb_=_n-+aIERffo(i*A^vcN6?y{Wp&|=@*eYx$5j=w+5X5kEZldX)u zf;YBn=%_{T(g6{@(oqfFVdEHZtPJUL3pBxkTWkGK)vBg7Zf}{GP#7Lu17?qIg~NgZ z3k4;@rNHQf>IH-(BER%@U|=|l2Bmc3iG^^gzJ+V_XB8yy%m0oW1zhSk{OO1MppyfL zx1wXBTsK+*W9z8h#Csl8EC%cuXjw(7;&r$I@EWdGY$_g--cEFl!H@WH#&GnQrIyfO1L>``<{_bzh!@i9gE>JQD0c=MZkcQQ?v>)^nl^6!%o7-`60e**WT8yNlP zipCG0ho{^HB7E2F>q2hdwye?WCJ*>%PJ$DuKRhAGI5$VHHNlVA{`4WucZkBWOFKla zo|Wf{r+&w^c1KF<8$_W$RE1+Yu+Q`csbCr_@8Y_jfVaR~7M1@7Dd~kzmngVUP%ep3 zP#FIp#SUO?uVHTI`12pC{1={_8J;*3aX0?MlcNDaW?2DZHN25XbNLp%vGK+oD!w$# zx9^5rJTQqmsDWcp;+f6{Engax9ZBu-_B3FEx7T@#t)$0SE25?d3hY`yBCWNh8 z5B}X^*rnK#Lgu)h1Qf>|+-vs3MEWY*jfO%Ao2?e_mH+v(gdF+ypz1Lpb}G_lZ&at_ z^vKt1!9&`D>|WKw3#wa#ZPg23yse~9yK1UCfU5jq?9D$BmwIr6C2`c(g6lDv{BSgV zMHE?TUuwlz=Z1_)MAe|dQT{@IdpZ4~^@i?2mz*td%3RJgcLUt()&+K}OLNNw*j7)q+fbXe?+e~k@B zJTkHdQ7XM=n$(75v7*wyj;^c7IF)Q=I}h>PIf+qgs;UTv6`(KiqqTO97Z>E_vYoRE zC6SkMWV3lS$+(0529nT^=TmcV$4HEnQJI+?Eu=&(AOdWbOyT;Xn(oUSDgc0f0uzVw9G*)Ms9$r( zq9-9x1{Clw7=VtSvatVR@Z-Kl#XfH;DLi`i3>hQ>lPk08bA--id9#>4la~)Vdpc@s4ZMry))EAv8kuj$Bf*336R&l zp<##?yjo4RIyX`#h+5ICyx&62w34v1mA2$ncQAu6PUnv|sR|yfE3F+F<1l39=r@X8 zQB!&AE_hmscIUJ$f{?Od<>w!~B3 zrdXf@kW0W_`~wE%=`ifIJ$C%K<5(7iyC7Et$a=3lfW!$-klNnPXRpY+4CB&S6}F6~ zLw+7G=(MI*$xBJsdnmO=Z6Zk#a3d-M!#Y1 zG*Ba_n?Rj7lt5jnzLA>YKrn2CnN@xq%n4`b$VOS9)6~nV&2%n z0knuS&^;PpHS$+OveaaixR5iwNKxq?_GSbC5q_^D-rkIUgWWWg8%n9@lkO-E$pF{_ z1gml#n^3)uSdOL39zF{7%7l0Sq*ly{3(8Y3_uSo&&K7ezF_!v*d# zK}Yqa8CirY9+xlSc$CI8^4^hRzcEo@MS+cB-ZbaVbCHnp-0qA7dS+lk08inSZ_mYU@ z0nxfVxPHXYf$8hWpLg;7O?-;EH%s++%$Y;U&DPDKulUJfdr;|z@!A6@n@JoAofhIS zzvHS|_k*E$X(;ZtK+{w`Y+Pl?c&0S!ZuZ!iwN&M-szaol--M{uctuA`C(9_2>OS0n 
zD3gPudoGHVgz9MaGIM|b@-?t3hT%&I{RYy16MN1R=QA-lUg-lMpQ~j=B3O5tP!bcg zrsT>DV;%gk3VhsfUb!5S8SGz3T~PHbP?ZU~`jFxPPM3j-)$Mz;&UZp zAL*XDvk2AVf$RHErBUd6&oEQ@TTDuthpWd+zM) zR3sE5bgDYW-t{(l{dPpT2}0+mGrUs+t^Dx9KWfEBLD5-q871>`$MvV~78K3ifQ1Di zQcJMPYj6jWT30}@n0&a1l!=SO+8RTiSU{V5ww^)0!DNsoQ{=`d$K8fdB2v1K8xY5@ z3p6u2CpF1AqN?B=NTkiVFw_PqnyXOdzCU-RWYH^uXL~Mv@3p^N;Ub-0PS?j-bjt4s z`KtaO%t6-}pD&(~vAbt154JW+cj(SWIvf<&a2?)cYVRcjO$($K9 znckt3i2W!B*{+(1@#5rk0Xz9Q`yc0+(mEsHdv z>X3cQ^lkl?teVpO?Ww(M6@&{1t^;H30J!vuAygr_oeyKu$!YF=!E*Xyl*GNLURJ zetMR6L>wt7BDpWamH~*EMA#aW3=fFleKmX4MO9w4Q-^t`J#)i*7KnQ!dHH(1<)h$B z#s!|0Vc&V7JLth@B^_95C67@UoV3jDPk7#edw-kp2VA1@&jEx9)nVU~JwQKE8f9j1 zkW0h}ejo{m9Rg#o&WwPDi`jyxoUc zRkTUNLa1pTc!>|rK?+^EY3 z%A-BrG^d%`jBIC)Tl`V)_vTvTu4x6QPDAc7n4Trc1&KMq&H6QV#unid-V5(DuAikA zz9*hG!vz~$Wd?3NXFyZVpD(i7$-&4*k9j(*YiGxtx~p_c-$;*NfAF5SH=g3$yvdgW zl74p&nX|~N(6qQRq)E#L3lXRZBeN^g)QuZ3>5!ZCD~^24*tVWv+?biS?P)_*++qfa zbPL5R2i-!?SvI)&#`yw&P|X@OuN`U>v?Vzr(C75!Nt41QMwPkHWezu6EC04PwlXdu zVakO{QyO~xUO(TzFUM%N7V|WZyNrY1rL`EHm1IUphE}_KG%1nDS25~H>-r1eRn3DN zVJJS#%;D@YwZ{MLJXx+{!lOjPqS{k2YMr6A@*05B)S zX2)n?$7E2NuyEV{9c}=~yE;K(n_TScL^P!FsxhzGE@G1hnMg8zN9Z7{+#kTLfJ(w) zO?8lGSmV*NR`k&|vMVSqsT`E^uDx=mH(4M*bG2%#`55@LZ|@04H^KU)UWKi#FKY^I zlTDer(eU2rR&i>yz(?K;yVQvUynhF;%K6y&ic?2GG@*MmWtN3=9D17|EZ6()m)rY2 zotu{0d}SrRz*VA@=e^@v(DN1$Z(pdbBc6|JZM2Q+p(4*_YKbgF!#+;s9c6Sc^-PWv z6Fk4iBu2`DN>Uq+;vb6i?;aNP-yQuCV*=nbJGi7cxBxE-Ge#=uHuq;cCkouO3&4nc z?(`bxYF6u-bVj(You5|SU{mZYv@=>FQy<&LqxqwYAN{u1aTRwkJzBjZO!ZBG(Hy&* z+ly)V`t04{GM;9e{hwj{wJ{zng9J-k(I4tgLk>hrif`XS`cs(PPkwxBL&dF_xo$&( zxMls2oG08Q)VZ(=w81Es4Av?Xv7O6Xk#BLenxUbaX~fFD%jdfw0lDB{Te9CCV3tpX zT1`pPO~D>bK9BmJXZOJQ>VCyz%>PElH{R$dpfQlPKb!IePBIfKUrxLkofKg@Xp|j^S%5pgayG zhvM8-WRNt$*{*$e*|U@xHBVyZoDjOtY3f#I(gl@(<T; z2DDuzIEL)NSnbs)ag`d&yV)WxzU>hF$#3c1AfP(N6DDjv;8h)3*KH_lnn%^=T^Ito zc4-{N$(F;_DCY!f^&oW!xkCCn4ECOCPvvu>|M26cEwqwyrAZE7j89Z+g5|2-x_3@Y z_?8BCPwAHp!L}$(Ea#Nc6W01)@N9olBT8Q&g$I#X*_N_ZFFjO(ng6B~t}$?zKYcPz 
zn1GgNU-|rtC9`b!`D`<{HjTTP!0Uql@b0e;=bytmvQJBkemif`5=;_{cF3Dxj(M+N?hht5y+Vu(*cfW!glr%Yn6Eand zJZiz({5W{Db$#ETC={hY$1Dw76*;Iun!c=+Sty0pbw;@6(d%ovbY+jClOh$n({YCs zJQvPUz3ao3o5?H}_|CpU#1|^^k1!eWgW<0-zjZvK%cv`$l09R?IRuBG1p=()AUzB1 zczL99xx* zKsS}^#FoRO=^^?X*JEg=D>SmLaI#$S%7$QgH?3>pBz`{H=WCvQ=AwTPLW7e7MAg}! z(pUfKSJc$=lZp8a(NBKty1Lk)+6$hqq~B$h>pDM3!F%rs^eoXpFGy*Vol94-nb1(r|?<8Tddl%8{1=^LW5Nw@dC3vn~y7K^Gn9s`cEBP=VeZnU<(Oo zZ&Ws9wuC(CJj^N6?k~1q}41Af7QFuVPFxFq?s?lUwn)Lp`%n%wqE~ zX51TlFwEH!i*_GeEk8gdiV^mwzT(%c1KrN3m1ef5{-2fc$*U$6lKX#tOT1j+^=%_p zi1kT_M_jG=&qe$95%}$(U6dPcBesIw+^Btw*SC;-W$Hc~9dOFFCZ8@}p+6Yk1`R;_ zV-UZ;%wT!(z$QaA6pifG?U!WG<>>m=<2 zw4uF2zIcy`91@A1HY9iAt?5?IS$o|a>6FW^%RWud1EaD=%=zZ$yhrdTrHB7I?kXL4 zYfSadTy~F7CGV!|NB8JGts}^=`MSSu6$54&GF`3~(iMAiGM9&=>a1wyZNH7PtQQps ziz`if`iO3@;$}LVnQw+TQS&~ zbYu5fC5#NE1vem7mok_(H=L2ParxBPONa!c7w-jI+P_{TI3eaf2m<2STq_%@9~#qxa6v9 z3bk}6Y5Y?!J4QA=#{K1>^v8^>m%GfbY|mde-&ywSD82tcuhhBB-C~W$Pd^Vso>8n% z5QQ1hoJ_gslCL@WN$NwB(5;{E3>qt|TSzlGSArqij3m~ed|%G((!!(@@DmA$Gt&cF zx!rtul;Z^8oT3tOGjE$y3b;t11U@&SD5o8~?dP-?o;Od7( zq#nU}1?r7PxI2<1#?-u89WC;GCA}GPOa+OoIr;tc+$K(|x8eZOb0@E*#jdkS?c1P! zYuU8D#YOVztFud0=)LL~HJ5jQ=2!9DUsX~=6I|cCCxh|+PNs+K!1Lx7BOApy6~I~+ zM5GT`lNL+aarX~ZS-bOxk5dIH>htmwEjJy=%S$jsq=5Zzj~0qP;8opC\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Wiz/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, [Wiz Vulnerability Findings](https://docs.wiz.io/wiz-docs/docs/vulnerability-findings), and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. 
Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) \n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Wiz/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Wiz](https://wiz.io/) solution for Microsoft Sentinel lets Wiz push [Wiz Issues](https://docs.wiz.io/wiz-docs/docs/issues), Wiz Detections, and [Wiz Audit Logs](https://docs.wiz.io/wiz-docs/docs/audit-log-settings) into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. 
There is no Azure Function to host and no workspace shared keys to manage.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\na. [Data Collection Rules and the Logs Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) \n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -110,7 +110,7 @@ "name": "workbook1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview" + "text": "A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview" } } ] diff --git a/Solutions/Wiz/Package/mainTemplate.json b/Solutions/Wiz/Package/mainTemplate.json index 8c4039c91de..163febc1631 100644 --- a/Solutions/Wiz/Package/mainTemplate.json +++ b/Solutions/Wiz/Package/mainTemplate.json 
@@ -90,7 +90,7 @@ "id": "[variables('_uiConfigId1')]", "title": "Wiz for Microsoft Sentinel", "publisher": "Wiz", - "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, **Audit Logs**, and **Vulnerability Findings** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.", + "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, and **Audit Logs** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.", "logo": "Wiz.svg", "graphQueries": [ { @@ -107,11 +107,6 @@ "metricName": "Total Audit Logs received", "legend": "WizAuditLogsV3_CL", "baseQuery": "WizAuditLogsV3_CL" - }, - { - "metricName": "Total Vulnerability Findings received", - "legend": "WizVulnerabilitiesV3_CL", - "baseQuery": "WizVulnerabilitiesV3_CL" } ], "sampleQueries": [ 
@@ -122,17 +117,13 @@ { "description": "All Wiz Detections", "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc" - }, - { - "description": "All Wiz Vulnerability Findings", - "query": "WizVulnerabilitiesV3_CL\n | sort by TimeGenerated desc" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL), (WizVulnerabilitiesV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] } ], @@ -148,10 +139,6 @@ { "name": "WizAuditLogsV3_CL", "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "WizVulnerabilitiesV3_CL", - "lastDataReceivedQuery": "WizVulnerabilitiesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "availability": { @@ -162,7 +149,7 @@ "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required to grant the Wiz service principal access to the workspace.", + "permissionsDisplayText": "read and write permissions are required.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { @@ -170,6 +157,15 @@ "read": true, "delete": true } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } ], "customs": [ 
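Review bot: The added `Microsoft.OperationalInsights/workspaces/sharedKeys` entry makes the connector page require shared-key access (`"action": true`) on the workspace, while `descriptionMarkdown` in this same file says there are "no shared keys to manage" and the setup steps only grant RBAC to the Wiz service principal. If nothing in this flow reads workspace keys, remove the entry so installers are not asked for a key-listing permission they do not need, and keep the earlier, specific workspace text that the -162 hunk on this line shortens to `read and write permissions are required.`. The same block is added again in the -371 hunk on L171. This file looks like packaging output, so the change probably belongs in the connector definition or the packaging input; the `resourceProvider` array starts outside the hunk.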
@@ -189,7 +185,7 @@ "title": "STEP 1 - Get the Wiz service principal object ID" }, { - "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy to Azure**: \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.", + "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy the Wiz RBAC role**: \n\n\t[![Deploy the Wiz RBAC role](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.", "instructions": [ { "parameters": { 
@@ -204,7 +200,7 @@ "title": "STEP 2 - Grant Wiz the RBAC" }, { - "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, Audit Logs, and Vulnerability Findings into this workspace.", + "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, and Audit Logs into this workspace.", "title": "STEP 3 - Configure the integration in Wiz" } ] 
@@ -292,7 +288,7 @@ "connectorUiConfig": { "title": "Wiz for Microsoft Sentinel", "publisher": "Wiz", - "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, **Audit Logs**, and **Vulnerability Findings** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.", + "descriptionMarkdown": "The Wiz integration pushes Wiz **Issues**, **Detections**, and **Audit Logs** into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint using the Wiz service principal, so there is no Azure Function to host and no shared keys to manage. This connector grants that service principal the least-privilege RBAC it needs; Wiz then creates the data collection rule and tables and begins pushing once you configure the integration in the Wiz portal.", "graphQueries": [ { "metricName": "Total Issues received", @@ -308,11 +304,6 @@ "metricName": "Total Audit Logs received", "legend": "WizAuditLogsV3_CL", "baseQuery": "WizAuditLogsV3_CL" - }, - { - "metricName": "Total Vulnerability Findings received", - "legend": "WizVulnerabilitiesV3_CL", - "baseQuery": "WizVulnerabilitiesV3_CL" } ], "dataTypes": [ 
@@ -327,17 +318,13 @@ { "name": "WizAuditLogsV3_CL", "lastDataReceivedQuery": "WizAuditLogsV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "WizVulnerabilitiesV3_CL", - "lastDataReceivedQuery": "WizVulnerabilitiesV3_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL), (WizVulnerabilitiesV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + "union isfuzzy=true (WizIssuesV3_CL), (WizDetectionsV3_CL), (WizAuditLogsV3_CL)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] } ], @@ -349,10 +336,6 @@ { "description": "All Wiz Detections", "query": "WizDetectionsV3_CL\n | sort by TimeGenerated desc" - }, - { - "description": "All Wiz Vulnerability Findings", - "query": "WizVulnerabilitiesV3_CL\n | sort by TimeGenerated desc" } ], "availability": { @@ -363,7 +346,7 @@ "resourceProvider": [ { "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required to grant the Wiz service principal access to the workspace.", + "permissionsDisplayText": "read and write permissions are required.", "providerDisplayName": "Workspace", "scope": "Workspace", "requiredPermissions": { @@ -371,6 +354,15 @@ "read": true, "delete": true } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } ], "customs": [ 
@@ -390,7 +382,7 @@ "title": "STEP 1 - Get the Wiz service principal object ID" }, { - "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy to Azure**: \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.", + "description": "Deploy the custom role and assignment into the resource group that hosts this workspace. Paste the object ID from Step 1 (and, optionally, a Data Collection Endpoint resource ID).\n\n1. Click **Deploy the Wiz RBAC role**: \n\n\t[![Deploy the Wiz RBAC role](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FWiz%2FData%20Connectors%2Fazuredeploy_WizSentinelIntegration.json) \n2. Select the **Subscription** and the **Resource group** that hosts this workspace. \n3. Enter **wizPrincipalObjectId** (from Step 1); optionally **dataCollectionEndpointId**. \n4. **Review + create**.", "instructions": [ { "parameters": { 
@@ -405,7 +397,7 @@ "title": "STEP 2 - Grant Wiz the RBAC" }, { - "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, Audit Logs, and Vulnerability Findings into this workspace.", + "description": "In Wiz, go to **Settings > Integrations > Add > Microsoft Sentinel**. Paste your **Tenant ID**, **Workspace Resource ID**, and **Data Collection Endpoint Resource ID**, tick *Deployment completed*, and save. Wiz then creates the data collection rule and tables and begins pushing Issues, Detections, and Audit Logs into this workspace.", "title": "STEP 3 - Configure the integration in Wiz" } ], 
@@ -436,11 +428,11 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview" + "description": "A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview" }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Detections over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Detections over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Vulnerability findings over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Vulnerability findings over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Audit logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize 
arg_max(TimeGenerated, *) by issueId\\n| summarize count() by severity\",\"title\":\"Issues by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by status\",\"title\":\"Issues by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by tostring(entitySnapshot.cloudPlatform)\",\"title\":\"Issues by cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by severity\",\"title\":\"Detections by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by tdrSource\",\"title\":\"Detections by TDR source\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by TDR source\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by 
auditlogId\\n| summarize count() by action\",\"title\":\"Audit logs by action\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by status\",\"title\":\"Audit logs by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize arg_max(TimeGenerated, *) by id\\n| summarize count() by severity\",\"title\":\"Vulnerabilities by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize arg_max(TimeGenerated, *) by id\\n| summarize count() by detectionMethod\",\"title\":\"Vulnerabilities by detection method\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by detection method\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizVulnerabilitiesV3_CL \\n| summarize arg_max(TimeGenerated, *) by id\\n| summarize count() by tostring(vulnerableAsset.type)\",\"title\":\"Vulnerabilities by asset type\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Vulnerabilities by asset type\"}],\"fromTemplateId\":\"sentinel-Alerts 
overview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Detections over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Detections over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Audit logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by severity\",\"title\":\"Issues by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by status\",\"title\":\"Issues by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize 
arg_max(TimeGenerated, *) by issueId\\n| summarize count() by tostring(entitySnapshot.cloudPlatform)\",\"title\":\"Issues by cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by severity\",\"title\":\"Detections by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by tdrSource\",\"title\":\"Detections by TDR source\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by TDR source\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by action\",\"title\":\"Audit logs by action\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by status\",\"title\":\"Audit logs by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by status\"}],\"fromTemplateId\":\"sentinel-Alerts 
overview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -451,7 +443,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=WizFindingsWorkbook; logoFileName=Wiz_logo.svg; description=A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=3.0.0; title=Wiz Findings overview; templateRelativePath=WizFindings.json; subtitle=; provider=Wiz}.description", + "description": "@{workbookKey=WizFindingsWorkbook; logoFileName=Wiz_logo.svg; description=A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=3.0.0; title=Wiz Findings overview; templateRelativePath=WizFindings.json; subtitle=; provider=Wiz}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", @@ -486,10 +478,6 @@ "contentId": "WizAuditLogsV3_CL", "kind": "DataType" }, - { - "contentId": "WizVulnerabilitiesV3_CL", - "kind": "DataType" - }, { "contentId": "WizSentinel", "kind": "DataConnector" @@ -523,7 +511,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Wiz", "publisherDisplayName": "Wiz", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Wiz solution for Microsoft Sentinel lets Wiz push Wiz Issues, Wiz Detections, Wiz Vulnerability Findings, and Wiz Audit Logs into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Data Collection Rules and the Logs Ingestion API
  2. \n
\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Wiz solution for Microsoft Sentinel lets Wiz push Wiz Issues, Wiz Detections, and Wiz Audit Logs into Microsoft Sentinel in real time. Wiz sends data to a Data Collection Endpoint (DCE) using the Wiz service principal; this solution grants that service principal the least-privilege RBAC it needs, and Wiz then creates the data collection rule and tables. There is no Azure Function to host and no workspace shared keys to manage.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Data Collection Rules and the Logs Ingestion API
  2. \n
\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Wiz/ReleaseNotes.md b/Solutions/Wiz/ReleaseNotes.md index 8902aaaf358..65dbf7ba4fe 100644 --- a/Solutions/Wiz/ReleaseNotes.md +++ b/Solutions/Wiz/ReleaseNotes.md @@ -1,5 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 4.0.0 | 15-06-2026 | Replaced the legacy Azure Function (REST API pull) **Connector** with the Microsoft Sentinel push integration (DCR + RBAC grant). Data is now pushed by Wiz to `WizIssuesV3_CL`, `WizDetectionsV3_CL`, `WizAuditLogsV3_CL`, and `WizVulnerabilitiesV3_CL` (Issues, Detections, Audit Logs, Vulnerability Findings). **Workbook** rewritten to the new tables and columns. | +| 4.0.0 | 15-06-2026 | Replaced the legacy Azure Function (REST API pull) **Connector** with the Microsoft Sentinel push integration (DCR + RBAC grant). Data is now pushed by Wiz to `WizIssuesV3_CL`, `WizDetectionsV3_CL`, and `WizAuditLogsV3_CL` (Issues, Detections, Audit Logs). **Workbook** rewritten to the new tables and columns. | | 3.0.0 | 15-07-2024 | Updated the queries on the **Workbook** and **Connector** to match with the new table names we offer | | 2.0.0 | 07-09-2023 | Updated **Workbook** query in Maintemplate | diff --git a/Solutions/Wiz/Workbooks/WizFindings.json b/Solutions/Wiz/Workbooks/WizFindings.json index 50fb87524e4..708e458f76d 100644 --- a/Solutions/Wiz/Workbooks/WizFindings.json +++ b/Solutions/Wiz/Workbooks/WizFindings.json 
@@ -27,19 +27,6 @@
 },
 "name": "Detections over time"
 },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "WizVulnerabilitiesV3_CL \n| summarize count() by bin(TimeGenerated, 1h)",
- "title": "Vulnerability findings over time",
- "size": 3,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "linechart"
- },
- "name": "Vulnerability findings over time"
- },
 {
 "type": 3,
 "content": {
@@ -150,48 +137,6 @@
 },
 "customWidth": "33",
 "name": "Audit logs by status"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "WizVulnerabilitiesV3_CL \n| summarize arg_max(TimeGenerated, *) by id\n| summarize count() by severity",
- "title": "Vulnerabilities by severity",
- "size": 3,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
- },
- "customWidth": "33",
- "name": "Vulnerabilities by severity"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "WizVulnerabilitiesV3_CL \n| summarize arg_max(TimeGenerated, *) by id\n| summarize count() by detectionMethod",
- "title": "Vulnerabilities by detection method",
- "size": 3,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
- },
- "customWidth": "33",
- "name": "Vulnerabilities by detection method"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "WizVulnerabilitiesV3_CL \n| summarize arg_max(TimeGenerated, *) by id\n| summarize count() by tostring(vulnerableAsset.type)",
- "title": "Vulnerabilities by asset type",
- "size": 3,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "visualization": "piechart"
- },
- "customWidth": "33",
- "name": "Vulnerabilities by asset type"
 }
 ],
 "fromTemplateId": "sentinel-Alerts overview",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index ba45a96474c..07bc9a39c2d 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -8268,12 +8268,11 @@
 {
 "workbookKey": "WizFindingsWorkbook",
 "logoFileName": "Wiz_logo.svg",
- "description": "A visualized overview of Wiz Issues, Detections, Vulnerability Findings and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview",
+ "description": "A visualized overview of Wiz Issues, Detections and Audit Logs.\nExplore, analyze and learn about your security posture using the Wiz Findings overview",
 "dataTypesDependencies": [
 "WizIssuesV3_CL",
 "WizDetectionsV3_CL",
- "WizAuditLogsV3_CL",
- "WizVulnerabilitiesV3_CL"
+ "WizAuditLogsV3_CL"
 ],
 "dataConnectorsDependencies": [
 "WizSentinel"
From debbc60edf6e5db53076fc684197a552ffe3b0a9 Mon Sep 17 00:00:00 2001
From: Marek Kuczynski Date: Tue, 16 Jun 2026 21:45:41 +0200 Subject: [PATCH 3/3] Address Copilot review: branding, Cloud Shell wording, fromTemplateId MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Rebrand "Azure Sentinel" -> "Microsoft Sentinel" in the RBAC template's metadata.description and roleDescription. - Reword the connector Step 1: Cloud Shell needs no local install, but note that creating the service principal requires permission to register enterprise applications in Microsoft Entra ID (the previous "no install or login" was misleading). - Make the workbook fromTemplateId space-free ("sentinel-WizFindings"). - Regenerate the package. Deferred from Copilot's review (intentional): removing Microsoft.OperationalInsights/workspaces/sharedKeys/action (entangled with the data-connector validator's RestAPI permission template and the authoritative roles.sh / Terraform / CLI sources — needs a deliberate cross-artifact change). BasePath kept as the repo-standard path. Workbook TimeRange parameter left as a possible follow-up. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../Wiz/Data Connectors/WizSentinel.json | 2 +- .../azuredeploy_WizSentinelIntegration.json | 4 ++-- Solutions/Wiz/Package/4.0.0.zip | Bin 7925 -> 7944 bytes Solutions/Wiz/Package/mainTemplate.json | 6 +++--- Solutions/Wiz/Workbooks/WizFindings.json | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Solutions/Wiz/Data Connectors/WizSentinel.json b/Solutions/Wiz/Data Connectors/WizSentinel.json index 25b7d313be7..eeda7b72dd7 100644 --- a/Solutions/Wiz/Data Connectors/WizSentinel.json +++ b/Solutions/Wiz/Data Connectors/WizSentinel.json 
@@ -94,7 +94,7 @@
 "instructionSteps": [
 {
 "title": "STEP 1 - Get the Wiz service principal object ID",
- "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no install or login needed) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```"
+ "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no local install required; creating the service principal needs permission to register enterprise applications in Microsoft Entra ID) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```"
 },
 {
 "title": "STEP 2 - Grant Wiz the RBAC",
diff --git a/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json b/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json
index 83e9297b4e2..a58def64d84 100644
--- a/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json
+++ b/Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json
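Review bot: The STEP 1 command treats every failure of `az ad sp show` as "the service principal does not exist": because of `2>/dev/null ||`, an expired login, a throttled directory call or a permission error also falls through to `az ad sp create`, and the real error is hidden from the operator. I would document it as two separate commands, with the create step run only when the show step reports that the ID was not found. The description should also ask the reader to confirm that application ID `ae69b94b-e367-4660-9b35-cfb4b5966728` is the one Wiz publishes for this integration, since STEP 2 then grants that principal a custom role; a sentence such as `Verify the application ID against the Wiz documentation before creating the service principal.` would do. The new wording about needing permission to register enterprise applications is accurate in spirit, but naming the Entra role that carries it would make the prerequisite actionable.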
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "description": "Provisions the RBAC required by the Wiz Azure Sentinel integration (ARM port of wiz-azure-sentinel-integration.sh). Deploy this INTO the resource group that hosts the Log Analytics workspace. It creates a custom role definition (assignable at the subscription) and assigns it to the Wiz service principal at that resource group, plus optionally at an existing Data Collection Endpoint in any resource group. Resource-group scoped so it can be deployed via a Deploy to Azure button, the Azure portal Build your own template editor (paste/upload), or az deployment group create. ARM cannot create the Entra service principal, so its object ID is supplied via the wizPrincipalObjectId parameter."
+ "description": "Provisions the RBAC required by the Wiz Microsoft Sentinel integration (ARM port of wiz-azure-sentinel-integration.sh). Deploy this INTO the resource group that hosts the Log Analytics workspace. It creates a custom role definition (assignable at the subscription) and assigns it to the Wiz service principal at that resource group, plus optionally at an existing Data Collection Endpoint in any resource group. Resource-group scoped so it can be deployed via a Deploy to Azure button, the Azure portal Build your own template editor (paste/upload), or az deployment group create. ARM cannot create the Entra service principal, so its object ID is supplied via the wizPrincipalObjectId parameter."
 },
 "parameters": {
 "wizPrincipalObjectId": {
@@ -29,7 +29,7 @@
 "variables": {
 "roleDefName": "[guid(subscription().id, parameters('customRoleName'))]",
 "roleDefId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]",
- "roleDescription": "Wiz Custom Role For Azure Sentinel Integration",
+ "roleDescription": "Wiz Custom Role For Microsoft Sentinel Integration",
 "actions": [
 "Microsoft.Insights/DataCollectionRules/Read",
 "Microsoft.Insights/DataCollectionRules/Write",
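Review bot: The `roleDescription` changed here is what an administrator sees when auditing this custom role, and it says nothing about what the role grants. The commit message states that `Microsoft.OperationalInsights/workspaces/sharedKeys/action` is deliberately kept in the role, while the solution text elsewhere in this series promises least-privilege RBAC with no workspace shared keys to manage. The `actions` array continues outside this hunk, so that entry is not visible here. Until the deferred removal lands I would make the retention explicit, for example `"roleDescription": "Wiz custom role for the Microsoft Sentinel integration (includes workspaces/sharedKeys/action, pending removal)"`, and track the removal as its own issue, because that action lets the assignee retrieve the workspace keys.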
diff --git a/Solutions/Wiz/Package/4.0.0.zip b/Solutions/Wiz/Package/4.0.0.zip index 39f18307479dfdd91215812f463cf7af21e3ae3e..be9692bdaa06ee28ba505922fe86e54514686fc6 100644 GIT binary patch delta 5671 zcmV+?7TD?aJ%~OGP)h>@6aWAK2mm^*u?&j{4mz#ST(*r*v$7Qc0Bebpr3fN_E_*Y! zwW8#YG;N&3vtGOIdYZQ0*scGFG6_V&64n&J5}*}1&CEW;KEZvoeUdu|ASix|lI1k% zCY@;_5+4T#=L0zS;qd(f0OxMNf?1M8_DwO;EzIoD{5KcyPLb>XZ+c=^4g!M}34*uE#YqFnt-Bgq8EZgzUx_@8+_ zp^ErKVgK(R001~7R$~!i!Ao`vF330xMWp^ZWw$*hbS>TN1bdWN?py@1VuFK8`iCnK z!6mzO9sqpM-Gn3}6RKz==N$#YBUmkc0^q1wNU=$&BF0BaXGkXFFDM^>sj;&UJLyxO zUXeIZzmg!2SE*}IR4RD;BI&|CAB#Bf-JgVV|3=-vlgRgkPyM$&fJ+LDOGSx~t%4d; zcsmu*wG4?zT}$L!n2wo$HwGrbrxClMK3qj&qKm&cgtP*375{wDe{22%IOX=*@U_Un zCHeHq6Wk+ebK@l)X#o&mq!FZ*2|FbcTo)uoK|le)fmuR9(tvvSuZ`|pP&PO0`;D!w z*9!)n9c%rVYNe~qSTAi~z{$jj_zN+DLr#L3VxENQm_`(SWL_kHq_|RWPPt;71~{RT zsyM74!%&Fp9T(eOWztYjPZ;+ZA4w25G`eAQx=450>46<7%Ah5*FpN~kZ%D+*FrXO~ zrxU^gJ%mal@+N)%Dy_V^p&xE+S)Fy>SXn}9lJS<_W$fFd)VcvU_Wh}kucqvlac}4G z?l*gT-+sNb^Ub4wC%uYiZ>H?_%|uF9CR14I&NP>$dj2Ludd!Xlzha|PeM0Q&8SCEAenatWUp2+*`n4_4cZzak{L4hmPyJ1+@u&XgMyd_H zpF23Y*D{sc!7ro>cN@ z5n~!SVtwy<;qHKY6WHqyP(-SE8){SPqYpBwU%HfpQus>fMcOe?L1 zZThR5TRZlDJbSFs%W`Hf%Nbjsq>0udUs|(Ss9@Pvtu8qo!QutkE_a)iYWwyN5z6VX zNhm7`&njd!L$fMb)kJRSnwGgmDzSOeXq7J8Sfw((>rjg6aAl>iVpi6NDt47rp(y8t zNwNJE2f4x+Ww7!X?M9g>ZSJ>b$3tgRpGhmp8pK8<8Q zVU<-uIbV>GkY$!DyW6{aW+&%{5zQ~%k`-aSLn72$ zo-#x~{^Py96+hx#laX$xP6*~ZhS%w^!bpTPQY^DVtz77{TR-v1|4Wn|q^$)psxmAAtRauYhpDZWxf_*n% zwA^AZ(|<_?ciip0Dius?+`$s$*Qn*DS5(uq{x##;5PwfOjhOe#X}L&^=x3$IkoQZn z=cp_O;IPuhC%c2GBF}J-sUY2};)b%kO|Gtg7{gp*`KOMC)m6h!Q{m7p!n3f+WfT-*G<_jAM+6@sZwKn`+Sw^C*N7;~oo1&;==f z@NGmfhQI|JqJ4mqn45N#fU%HD6Uzn2F^Q-T*K{WFm9Z;5xEM2;v1Ox(a3w*Fi7NM~ zX$dHi$_*oS!vZ>@@bYhmN5D)ROg`15sxjr@MHC&Iu9Fzdbcj(LP)(Q8Vxs>!q$9?q zo&g-T;2wpUh>^A{Ho}o%OWDa{JY^1lh7U;4tDgTrj6@~9MNIoxEm=a50F3xRL_Lb(y2@@1eRM>Pj$X1`Q|s5gH%Bk(YYd5`Nb9Vk zQe~Z-DPD0ra}`*2O!Jycj;mPl-o`dpgFYhuMEhgPUpJ+g|Y>4GKKx+If-FrX`o zZ()sd7zA3Yj9Ar=>9=YT9B}v@q=*y@XK=wLRJ$Ics1MlDdSW*}gm}{FVuj1R=*>e@e6gKno 
zy4BTB3M@;W=H+>7z_X424lP%i#6PL0ATwZi zUTWz8$VhDNZTnl*^91nvj`N3p>|z$KqGEPU+t$PfL@Hbv*wNLP`+7bjM_V!1oJ=su z1@2+gOc&o;kCtXe-P#E>jl8U`pULRkx{0R2=iB($V{fe_*FVL)aV^qs=iBRn6*b@CMb24o5Xi6}($x0prLuU-Nds7;zqPt4MD(uTUy6Jh(( zmYlN|Q;}5B<8t-^Jx_gq%ermiw<+h-fTk_h7OawM{k;2eq@i#2Wk1l_T?8X54l2Lb z%O2306Y8A2z^ij=wpPCIVvHY|&6N_k(~CGvL_~oMMXWMSV9T#JZK%o@p6t!T<`|*U zu`2U_cOp1bBI;vQ>PkeDJ{eK2+$rO}n98rjP!Y!6c{qdlF5$j^drfCstBCU=R^GcL z6YZf^7QD*mm8KR~l(AG|QokN)lvnGY&f{Uan9hn)6JHAJ?@s6EDW_4V10sS>=NCyM zIP^R!B^>$_#+g(RQ34APrNvEVJ7u`s9gBuE@G$1j=9fOXMVH61=Cc&(MC!LO|0jI}*olXx>*!cULd;x`m{c^XnO<2vPg@YhCh!$7PGLv`F@^v9 z>)#lI!~S&ijwa)W)8p+02ivi{|;&Mi9NVO2b$>mWp^5ZKEL?x40gbU@2P5# zmXy2q63jR@D7m8f!_^;=l8rdJX%lhAGIl8oBLp^on%FHyeo+vZoO|saoDrFr)pP&` zY=?>oJBi^Dnh+8Mvu;y(I_>uKc&mqEvD1U2fO*$CT%L{q8K`5#IEGGVAF${^z51V5 zb%o{&3vx|*6PcWCDWR7W!&oW7x8{YC*zf#w>?$Vd>=g@wOQtc7^}Qu!FDoD-jdg04W@&=~8PXt+5lttr&VVdf zoaCZ_Mj*E#r>se=~?dQ9|xon@`z zgDOj!VTBVKnA;Ea@?neApuNh#$JZ5=ZB(tYCcdn$wouYCRT8B=*Pylxu~{VbI<(u? z|6zf0JANTP-UgNARDxe?X)NJ^3#76;)?d~xRb4(>2hO$RdRM`>etNF976jYePzCIC zRTOR=T=h@q+wZLPi+uSVe0a5g?{4#-v3TKZ!<)<6fal>lG`4N z+a7|uD6X+8)OIz#OM~u($3j}jz=;iusE?Eps&9L+UFN*J+pM>sxnwr(Ci!A99@_9>NWi zF$vf$_0x>YAg(eo;j95J*x%lOfA=m7L`2atlVEmhj#kZWTyqgugW6>RQGifLg=ROO zFRGmLdC|UpA#S*TfQu_l$vjbY9n=-iF*INB90uEXKd|tdfwMor)an#l>F@Nm2Tph3 zFhwVF;OxJ8KhW|waQ64Q1FI_oXTQ+E55EPcicZq{datD4AL>w0&}1tfp-}Tx`%|5{=%JjuE@i(M)An@6@m7x}-N0O=`8W7YlquE{813WE1GU zWWE~fw|jekx?0f)Ij_(D>iIr@{W)+wq4pE!xe`eRZp7fJ**Pbn91GR+@XGsH zlB}b~@eOC7i-Aq*@wv=Rk?N1)9vkP$w{=&rOc`JG*;uDKnm?17P=0i-xz{)q7soHb zF!^(uj4ah3W5Lrn8w9HcV$?Jl<{Y?wS(GpG$<9K5HN~IB3{*Pq{CGYG=Uq+lhu7VK zgQp8NZgcAE()P0ax{wVPnd}leHk3wA`iJwgYu83mTpP8L{b3-6eUoJ( z2`Hr@79BboI3EU8S3$FPS$1+Eu7$TuDn5--vy1nLq9b9TV(B-KK7+g6yBMbZh1aWfQSDo#4kKEN?2xB`Wq@Ur&7s+Uh;8 zA=5^lU($dmc0r&$7Sdc390J71KIY_@kA7 zPp%ecb*TNo+v0={ZL2QfMDH07VLz?43LIkHi4HPcDIMoGT)=OiZKRw9B$wyJUQs@7 zES6co{asD8&wLghJd-LCd~|@vo%_%F$uBs=ySRAa;|dQn2tKlKN!c@#j z>d`cxXEMb7XZ`SCz@LQ&|M}PdL4s+2%NBrV1jZ4)dS1CR)hQ19`9z0(6;Wz;p=qYW 
z{w2HZzoeQ}q+j+X{=hj%o`8PztWOSd^jzrMa1%0vA*~=J$@6G8la^$8&Bc`KIJO)( z2l|%@YwI2mU5=@vH7gRxk|nbXVVRkeG7ozxnfN)VGG)mkW#AlKvRmD0%FpV5i|i0k zWj-K+;+NiXSSzE#sh zyN7RBZ5|(ex3%a?R!_~`rJTLvrFFxgRW7dM_4&5n)0!tkufB<&3YJy&U${@BV1}HS z^Z0^#V=e+QVpQsn%FoR~Ml!R1%)t+7N+6J~h-ZLLbEZONT1^rWiV4MiyBbr8w?pQu zX`l>0B4(A7RT&C{ZpvqPPnPlhfR0GePt3im^DJvf6bW2KqlrY_Nv`i1{ZWX-5)n+$ z-(VKmIM7*!iSO%+DEd~$h)O+L5kV&U2Offit*H|Mpi6r`aLB;H2LU^ODATTk4K1?M zW9(1=&rN%GNyuEgnIAX@MJaz7Ta+cTUxO!4Q_2s|PK_B17}C}kL0%k^#%ydN;|6xR zU<;)Y!R+g~WYrl`Ju+)e2hPEZVkZBxlIywo9ojXS8fag5Rn4c)V(thU7Hkb(x_;eN z_s!YG%dWOHJ+m%&#wH_wkdc>RNo~&HYB!pA&=+DPwD-g?+rWV-2BV)3oNvAk-whlX zQ`Cp__d&Z9NVQ4T>Ow>HHNNCBYLPFgDP2)x!lU-NjB=~T+Neikw4*-CQ3}1c%XGP( z#G0#Sr7JO}aU`|z$U6r;SJ;WQ-SO)r{AXrQacn@y$!_YgyPMl!mZY1q!rW@1eNX|Z zx92q#GUN*cK9`}tjy=^tSikuILh_)%lWf6@F)p;=EE35|HOqs{sO=uL43xjyvCG1* zJ!8+BFOG;+7%PK@e(>SJ{{v7<0Rj{Q6aWAK2mm^*lW8794mz#ST(*r*v$7Qc0Bebp Nx*jzKZXN&t008cK2~Pk3 delta 5652 zcmV+v7VGJVKJ`5eP)h>@6aWAK2mmgTu?&j{4la?fZ#VNN|v)p zHt9?gk@z?`I3K{l4~Op`0CfIax)VAjoqgy`lnUhjU|^o~r-YL+ol>s)up~A357Q1CIv2m}9wr3px#aqGdhfZT!!? zo>E0TqOkw>4*&o=b*HSngc-kz#^_iu;Ev z5yB>T;^MGQLQiY6<K30>?KI|k< zJ$gkVU;R$}NY{E5QYoU)r9Xxu3O2X;wu{%9mWl(8Tas?bf|#7nFG4{isn>&1q<~ZE zQ4f@WfJg}>oH|NfgQ8Nw+ZS;c&iO<{zUTZRl=D~W{EdX3D?IAG?E_p=U|cFnJZu%z zgu>gI2(M*8T0QRYJxZ(_K*zp6_3+h<-7@a( zJl_3oZ}0nWcXqyid-SAV@$Aiv-M*Ph>Bx8rOWm2~vQ(#UGNecBNboB*KJ|8D!q1B> z7K&t>%)H99iIa9DIH#@>;gPZK4ed7+&-PVQtgc_%0)3|_N5;R5)%?`kv>JcvZEhsm z(El}{q1I;NpK{5@6D0?U`pS(SWHmo|v9Yz)gG?*u)Qv)arshc#IjXRk%$VxNuI))B ze-<&Ofg{%Uo(I%LLEXvP$C|PAHUzl z%YNK;I$BG)uWMpiR=-)6jUn&1 zc+XK;44}hG8=veBriwhnJ*NC*uZkPW@;14Dx?&KGd?qK<2BfM>WiO! 
zJx#HlWj9RCk3yzs$jA!QWmg-gGF~`P&xls-kZaCJwzNW`^Gl~>X2?fkh4BMO`O zdEM&iCk2+pPxJD;HRRdG{{$I-O{XMew-jCwiRE6#Y6j0?O5SbecwMR;gyQeiRgf7l zJTJ9$0AwsS_qM&Q>UjcqeaHDjKXx$>R#7p#rfqBDeIgaE4D9G?%zZtdk)y4cYfdJZ za8?grCSU10B=VWWQ-uu-~ zexCGWCIg?$FX%gkt%rC%jO*kX`VGhw1QJpR=^qgbsaL%OE>Igcot&5@=cEmFr7ME= zr7byUEv6!_qQ}+Q2lPCD^)2hRiPxr_M}3;KSX;14uJ!ZY$B~AC*_Zu9=XVi|tT?Fr zUN3tG=VL@-n5}APq?z5hRrcT zrDIj*|ISo!rbIZvsMM7RrvoykTsbqwJu#Eth>;?UJ83wBc@E)!o^ws-TdRokB39nJ zBopnSRu;U<=ar@wSCo-dVp_i*X_Qy%pU$IEvY5__QWIYa>+f#&*BPf_w+kYKZud7y zLpXF@DkU6xQ^uK8AyEPg5T(UUW;J=oRBkSJ+JT>rg|I z*sYe^0Tw(?%E^I$HY;2G&KlL+vMr7F{J>R6R^(hNSU7U6&6|XKJz!T!c!P39!ysgm z0to`2#mE>P_E9jW3ZoseGSkgeS@f}6rf>%_UD!5X%w zFMkG?a2z^%asP$_DGf-BaL1ryWEe$4h>1UM;7PY@YQX7#aktxtQyz!Yj(ib$a6X~F z51U+Qs21^k6mwsU8ISQ_TM$Mj9OW}kVMKi~gMaCXAkPrFWw{J&8PKKP^0`WiwASYr5j>9}4^zoC? zlSdk1tyFUZfGK^7>`9kU^4ZkeK;dBHg?H>01N~U)dhB9b09P!#P{dDrl4`s z?dkDWAH`y)4@W+8uXPYR838g-M{aQp-R?eM(V=?vU$5#4rS6_wlm1l3Cr(OeCqIgm z5_~Hy6h~y!GplcmxMYrO>_OEa3fVx{d$@P_aQEcl?ny{y{V`LMXcS3m5hd8n!`&0D zm-cUe#|GLT?w(AMkKx1J6MGUYAMT!9vfGEdC&;dcyW8nG%fsChO_~|Rn+!JUG>tIp z6SOTD^4&h1YZRhpOShYKnCQ_klC597%uRZ?+cfP%zSl=%MbTl-*zK8><6pHDoO<0Z zY-Z$O>uE*?pxZSEM^*x?0AMw2`%zz$gBvJ+_@7u+yWRTrRMt#4Ehm~hV>Ohww(J%2 z{Y$2ihxNV1WiKm$8;x~p7EDQlJ{eIzkK9Zqug-uhSTf{db4MbW}?Ek;HV`|*#i=PYEZ%#0iDf_EcV}JSaf|umF-w4LvDJi3f|lS z-x4=rSX~Enu$0)9M)jF;CjMJpAcsM$11lw1rAAAh-pqNw5-F8ndjr95O+t+0UzrBQ zOziB8go@LunO%5mpitOn{5l7!GIbEv-)CabS=JgpsIsIPR&)XbKKrR&K5UVH8Vpt$ zj`+HwvW<0B*2I_9)fP%xrb?`|=Nf93AvTL|UWazu`admD?v7W8TDQRpbt)mLwKSGc zx&>0%9qTV^m#VG=tpj~pa=ojdPCq?YTMJEXZm0qbx+*rd4n+FJ`Sv?&{UTp}2OnPT zyPJJ>t#ex1M`yi3rBAN!s;v)y&UR7lbL;zP^0BRaYkQyiq0xN(n?Szp!M*nY>Rs8c z)Ps0yP0k|F?$W5+X0+{Blnb$2 z0k$p$Xk7}(n%ghstwk-8uJ$&_qPhRH5Oa$rYYAlBCy0n!Vswk->61f$ywwYBJNRyG zjC3Jfw*jX6MZ;q%Zc^9v%OO;S(!VyP7n{_hRKNd?3Q{-c481$nMiHc02l0Uf5?A$ z7x*HiXqkyWzcmM*=H{xow5oS4G6oJnAf!UGo6oIO&X2rkx4jU}TR^LorX)@3Tn9kK z(*?~JJRQL{-VZH*C}!B%A7UDEimeQG`rE@!Z`fgqPUWz(|LXlv%iplGztDIK<)2+qlyU1Ie 
z21~z|?A8*f`^Ce+VP}84H%!zlel+Z)SBpjJlvvp*>4vR;Jn3S(I^M{0CnQwE&WGMm zD_IR)AA0LxT_H+;SN3J3|C3{3HEru*WB$nMu3R)m!^cJ2C&$HV+SbFx20bR>_)Y0> zuLoVtREG6Vy?U-odPC8qRx5k4z(?eAz_Ls>;nz#%sfm8Ox2LNWjX;jxPo4AnM6RCi z>Fdvd>oK)|pE%Ezh_h8AGEU9UISJ%MsJ@HW!_VTx7B!AuiJlA&(^F-~Mp7IbxsrpCFGd5C{~-=4C1DmFJ{opD4680_W^bA7 z|Cx8z zD=}QD>eh|TEEUYxJP&_4uBOI~aqi1!ZOf@l+qB2oYoTbb)|1JmNJ{Hm#2<&8w#k7% z4mFLR+-SJFTTRS5a?oUtzti*VuUQvXb4bO63l;uo<mkDj_9uW79sg^Y>V%U-; zvj;($nbR^4`w5x&`J^&s@gil|Ik;rEy3>T8)mO~Hr^7m`jH=j0-kAB!%^yR0gX6_Qs z-tjuQVbCg9%JE`*+wV`M$-}Gf$R~njmHjvF(a@hGCsH0?P-gA)g!akbl5p~ zQOtZ_R&qTze?q$^69erDx2pNXS)`7jVZqkmrR&#Sb>C=RyzFXQ(>3dYXKXqK8M+yk z)MoRocB8QeeIdp|dru61vkf~i!+`YjVduMVgLlIYOepF@^827&a-!OFXLX^W`Wj!e z47JE))Rai5F%?n!EJL}~V{O!Rjac;uafo-6Fc z+V1#udi*o9r#Lo1{pjiwQ2Y;4BpJN;S)a%&6@iwG5WO+p){SuOnm6nlBv@sUT7Y5&hu9gZ~Fm uO928D0~7!N00;msk&}ELLk=#H&|E1)BLSZk005halg%DA23sBg0001BQu/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```", + "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no local install required; creating the service principal needs permission to register enterprise applications in Microsoft Entra ID) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```", "title": "STEP 1 - Get the Wiz service principal object ID" }, { 
@@ -378,7 +378,7 @@
 },
 "instructionSteps": [
 {
- "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no install or login needed) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```",
+ "description": "ARM cannot resolve a Microsoft Entra object, so you supply the Wiz service principal **object ID**. In Azure Cloud Shell (no local install required; creating the service principal needs permission to register enterprise applications in Microsoft Entra ID) run the line below — it prints the object ID, creating the service principal first if it does not yet exist in your tenant:\n\n```bash\naz ad sp show --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv 2>/dev/null \\\n || az ad sp create --id ae69b94b-e367-4660-9b35-cfb4b5966728 --query id -o tsv\n```",
 "title": "STEP 1 - Get the Wiz service principal object ID"
 },
 {
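Review bot: The one-liner in the new `description` falls through to `az ad sp create` on any failure of `az ad sp show`, not only when the service principal is missing, because `2>/dev/null` hides the error and `||` reacts to every non-zero exit. A reader whose lookup fails for an unrelated reason, such as an authentication or directory-permission error, would then attempt to register an enterprise application without seeing why the lookup failed. I would drop the `2>/dev/null` or present the lookup and the create as two separate commands, and add a sentence asking the reader to confirm that application ID `ae69b94b-e367-4660-9b35-cfb4b5966728` matches the one published in the vendor's documentation before granting it any role. The same wording appears in the hunk just before this one; if this file is the generated package template, the text would need to change in the connector definition it is built from.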
@@ -432,7 +432,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Detections over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Detections over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Audit logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by severity\",\"title\":\"Issues by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by status\",\"title\":\"Issues by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by 
issueId\\n| summarize count() by tostring(entitySnapshot.cloudPlatform)\",\"title\":\"Issues by cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by severity\",\"title\":\"Detections by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by tdrSource\",\"title\":\"Detections by TDR source\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by TDR source\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by action\",\"title\":\"Audit logs by action\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by status\",\"title\":\"Audit logs by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by status\"}],\"fromTemplateId\":\"sentinel-Alerts 
overview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Issues over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Issues over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Detections over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Detections over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize count() by bin(TimeGenerated, 1h)\",\"title\":\"Audit logs over time\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"Audit logs over time\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by severity\",\"title\":\"Issues by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize arg_max(TimeGenerated, *) by issueId\\n| summarize count() by status\",\"title\":\"Issues by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by status\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizIssuesV3_CL \\n| summarize 
arg_max(TimeGenerated, *) by issueId\\n| summarize count() by tostring(entitySnapshot.cloudPlatform)\",\"title\":\"Issues by cloud platform\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Issues by cloud platform\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by severity\",\"title\":\"Detections by severity\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by severity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizDetectionsV3_CL \\n| summarize arg_max(TimeGenerated, *) by detectionId\\n| summarize count() by tdrSource\",\"title\":\"Detections by TDR source\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Detections by TDR source\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by action\",\"title\":\"Audit logs by action\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by action\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"WizAuditLogsV3_CL \\n| summarize arg_max(TimeGenerated, *) by auditlogId\\n| summarize count() by status\",\"title\":\"Audit logs by status\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"Audit logs by 
status\"}],\"fromTemplateId\":\"sentinel-WizFindings\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
diff --git a/Solutions/Wiz/Workbooks/WizFindings.json b/Solutions/Wiz/Workbooks/WizFindings.json
index 708e458f76d..d50527deb9a 100644
--- a/Solutions/Wiz/Workbooks/WizFindings.json
+++ b/Solutions/Wiz/Workbooks/WizFindings.json
@@ -139,6 +139,6 @@
 "name": "Audit logs by status"
 }
 ],
- "fromTemplateId": "sentinel-Alerts overview",
+ "fromTemplateId": "sentinel-WizFindings",
 "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
 }