Skip to main content

Wiz Integration Guide

Overview

The Wiz integration connects NINA workflows to the Wiz cloud security platform (CNAPP) across 40 resources and 81 operations. The schema is derived directly from Wiz's published OpenAPI documentation, so parameter descriptions, enums, and defaults match what Wiz users see in their own developer portal.

The surface groups into seven areas:

Core read surface (read:* scopes):

  • Issue — Query, update, comment on, and aggregate Wiz security issues (toxic combinations, vulnerabilities, misconfigurations, threat detections)
  • Cloud Resource — Inventory cloud resources across connected accounts (VMs, buckets, databases, container images, etc.)
  • Vulnerability Finding — List vulnerability findings with CVE details, exploit indicators, and the affected workload
  • Repository — Inventory repositories from connected VCS integrations (GitHub, GitLab, Bitbucket, AzureDevOps)
  • Project — List Wiz projects (logical groupings of cloud resources)
  • Audit Log — Pull audit log entries for compliance and incident investigation

Findings surfaces (one resource per finding type, same list + *Report pattern):

  • Attack Surface Finding, Host Configuration Finding, IaC Finding, SAST Finding, Secret Finding, Configuration Finding, Hosted Tech, CCR (Cloud Configuration Rules), Compliance, Excessive Access, Network Exposure, Data Finding, External Network, Posture Issue

Threat detection (WizDefend):

  • Detection — List and retrieve individual threat detection signals from connected cloud accounts (V2 query)

Reports:

  • Report — List all reports, delete, rerun. Plus per-resource createReport / updateReport mutations across the findings surfaces.

Forensics & Graph:

  • Forensics — Copy a cloud resource snapshot to an external account for deep investigation
  • Graph Search — Execute ad-hoc Security Graph queries and resolve provider-unique IDs to Wiz graph entity IDs

Comments & admin:

  • Comment — Add, create, edit, delete comments on issues / postures
  • Service Account, User Role, User, Security Framework, IP Restriction, Session, Portal, File, Data Classifier Type — admin and configuration read operations

Authentication uses OAuth2 client credentials (client_id + client_secret). The Wiz API is GraphQL-based; NINA exposes each operation as a discrete workflow node and handles GraphQL details internally. Tokens are fetched automatically and cached.


Credential Configuration

Authentication

FieldDescriptionDefault
Client IDService account client ID (~53 chars)
Client SecretService account client secret (~64 chars)
RegionWiz data-center region — the <region> part of https://api.<region>.app.wiz.io/graphql
EndpointFull GraphQL endpoint URL override (replaces region)
Auth FlavorOAuth2 backend: cognito or auth0cognito
Token URLToken endpoint overridederived from auth flavor
AudienceOAuth2 audience overridederived from auth flavor

Either Region or Endpoint must be set. For most tenants, set the Region — NINA will derive https://api.<region>.app.wiz.io/graphql automatically.

On region values: Wiz uses two-letter continent prefix + digits (us1, us2, us3, eu1, eu2, eu3, eu4, eu23, etc.). The integration validates by shape ([a-z]{2}\d+) rather than an enum, so newer regions Wiz introduces work without integration updates. Find your specific region in the Wiz portal under Settings → Tenant InfoAPI Endpoint URL.

The two auth flavors exist because Wiz operates two OAuth backends:

  • Cognito (default, current) — token endpoint https://auth.app.wiz.io/oauth/token, audience wiz-api
  • Auth0 (legacy) — token endpoint https://auth.wiz.io/oauth/token, audience beyond-api

Try Cognito first. Switch to Auth0 only if token exchange fails.

How to Get Your Wiz Service Account Credentials

  1. Log in to the Wiz portal as an administrator
  2. Navigate to SettingsService Accounts
  3. Click Add Service Account and choose type Custom Integration (GraphQL API)
  4. Assign the API scopes your workflows require (see scope table below)
  5. Copy the generated Client ID and Client Secret — the secret is shown only once
  6. Note the GraphQL endpoint URL on the service account detail page; use it to derive your region

Common API scopes (assign only what you need):

ScopeUnlocks
read:issuesissue.query, issue.groupedCount, issue.severityCounts
update:issuesissue.update, issue.clearDueAt, comment.add, comment.create, comment.edit, comment.delete
read:resources (Read graph resource)cloudResource.list, cloudResource.listV2, graphSearch.*, vulnerabilityFinding.list, repository.list
read:projectsproject.list
read:vulnerabilitiesvulnerabilityFinding.list, vulnerabilityFinding.ignore
admin:auditauditLog.list
create:reports, read:reportsAll *.createReport / *.updateReport operations, plus report.list / report.delete / report.rerun
WizDefend scopesdetection.list
Forensics scopeforensics.copyToExternalAccount
read:security_settingsipRestriction.list, session.getLifetime, portal.getInactivityTimeout
read:user_managementuser.manage, userRole.list, serviceAccount.list

Creating a Credential in NINA

  1. Navigate to CredentialsAdd New Credential
  2. Select integration service: Wiz
  3. Auth type: Service Account (Client Credentials)
  4. Fill in Client ID, Client Secret, and Region (or Endpoint)
  5. Leave Auth Flavor as cognito unless you know your tenant requires auth0
  6. Click Test Connection then Save

Supported Resources and Operations

Issue

Wiz security issues — the core surface for cloud security posture management. Issues represent rule violations across four types: TOXIC_COMBINATION, CLOUD_CONFIGURATION, VULNERABILITY, and THREAT_DETECTION. Lifecycle: OPENIN_PROGRESSRESOLVED or REJECTED.

OperationDescription
queryPaginated list of issues with rich filter options (severity, status, type, dates, related entity, project, etc.) — also used to get a single issue by filtering on id
updatePatch issue status, due date, note, or resolution reason (cannot null fields)
clearDueAtNull the due date using override semantics — separate op because of patch-vs-override
groupedCountCount issue groups by STATUS, SEVERITY, or TYPE
severityCountsAggregated counts broken down by severity (critical/high/medium/low/informational)
createReportCreate an issues-report (async export)
updateReportModify an existing issues-report (rename, schedule, etc.)
updateNoteEdit an existing issue note

Key filters for query — all under filterBy:

  • severity, status, type — arrays of enum values
  • createdAt.after / createdAt.before — ISO-8601 range
  • resolvedAt, statusChangedAt, dueAt — same shape, optional date ranges
  • relatedEntity.id / relatedEntity.type — filter by associated cloud resource
  • project — array of project IDs (to scope to specific projects)
  • hasNote, hasServiceTicket, hasRemediation, hasAutoRemediation — booleans
  • riskEqualsAny, riskEqualsAll — array of risk indicators
  • noteContains — substring search on note text
  • frameworkCategory — array of framework/category IDs
  • validatedAsExploitable — boolean

Pagination: first (required, max 500), after (cursor from pageInfo.endCursor). Sort: orderBy.field (one of SEVERITY, CREATED_AT, RESOLVED_AT, STATUS_CHANGED_AT) + orderBy.direction (ASC / DESC).

Patch vs override semantics: update uses patch (provided fields are changed, omitted ones unchanged, fields cannot be nulled). To null a due date use clearDueAt — it uses override semantics under the hood.


Comment

Replaces v1's issue.createNote / issue.deleteNote. Comments are a generic resource on the Wiz side — they attach to subjectType (e.g., ISSUE, POSTURE_ISSUE).

OperationDescription
addAdd a comment to an issue or posture issue (the canonical modern op)
createOlder comment-create variant (kept for compatibility with workflows using the legacy shape)
editEdit an existing comment
deleteDelete a comment by ID

Key parameters for add — under input:

  • subjectId (required) — the entity to comment on
  • subjectType (required) — ISSUE or POSTURE_ISSUE
  • body (required) — comment text
  • mentionedUserId — optional user mention

Cloud Resource

Cloud resources discovered by Wiz across all connected accounts — VMs, storage buckets, databases, container images, serverless functions, and every other entity type Wiz inventories.

OperationDescription
listPaginated list, filterable by search, type, subscription, and provider-unique ID
listV2Newer V2 query variant — same filters, richer response shape

Key filters under filterBy:

  • search — free-text on resource name
  • type — array of resource type strings (e.g. VIRTUAL_MACHINE, STORAGE_BUCKET, CONTAINER_IMAGE)
  • subscriptionExternalId — array of cloud account / subscription external IDs (AWS account, Azure subscription)
  • providerUniqueId — array of provider-unique IDs (e.g. AWS ARNs)
  • projectId — array of Wiz project IDs
  • updatedAt, deletedAt — date-range filter objects

Pagination: first (required, default depends on op), after.

Resolving a provider ID to a Wiz ID: filter cloudResource.list with filterBy.providerUniqueId = [<arn>], take nodes[0].id from the response. The result is the Wiz internal UUID required by ops like forensics.copyToExternalAccount.


Vulnerability Finding

Per-asset vulnerability findings with CVE details, exploit indicators, and the affected workload.

OperationDescription
listPaginated list with severity, status, exploit indicators, fix version, and the vulnerable asset
ignoreMark a vulnerability finding as ignored (suppression)

Key filters for list:

  • severity — array of CVSS severities
  • status — array of finding statuses (OPEN, RESOLVED, etc.)

Each finding node includes vulnerabilityExternalId (CVE ID), CVSSSeverity, hasExploit, hasCisaKevExploit, firstDetectedAt, lastDetectedAt, fixedVersion, and a polymorphic vulnerableAsset (one of VulnerableAssetVirtualMachine, VulnerableAssetServerless, VulnerableAssetContainerImage, VulnerableAssetContainer, VulnerableAssetBase).


Repository

Replaces v1's versionControlResource. Repositories and VCS resources connected to Wiz via GitHub, GitLab, Bitbucket, AzureDevOps integrations.

OperationDescription
listPaginated list with rich filters (project, type, updated/deleted dates)

Key filters under filterBy:

  • search — free-text search
  • project — array of Wiz project IDs
  • type — repository type filter
  • updatedAt.before / updatedAt.after / deletedAt.before / deletedAt.after — date ranges

Project

Wiz projects — logical groupings of cloud resources used for security posture management, access control, and team ownership.

OperationDescription
listPaginated list of projects with extensive filter options

Key filters under filterBy (subset — 40+ available):

  • search — match against project name
  • id.equals — project IDs
  • impact — business impact filter
  • includeArchived — boolean
  • root, isFolder — folder/root project filters
  • createdAt — date range

Detection

WizDefend detections — individual threat signals raised by detection rules. Uses Wiz's newer DetectionsTableV2 query.

OperationDescription
listPaginated list with rich filter options

Key filters under filterBy:

  • id.equals — array of detection IDs (to get specific detections)
  • issueId — single associated issue ID
  • type.equals — array of GENERATED_THREAT, MATCH_ONLY
  • cloudPlatform.equals — array of cloud platforms
  • origin.equals — array of origins (e.g. AWS_CLOUDTRAIL, WIZ_SENSOR)
  • severity.equals — array of severities
  • cloudAccountOrCloudOrganizationId.equals — array of cloud account/org IDs
  • resource.id.equals — nested filter for resource IDs
  • matchedRule.id — single rule ID (no wrapper)
  • projectId — single project ID (no wrapper)
  • createdAt.after / createdAt.before / createdAt.inLast — date filters

Note on filter wrappers: the WizDefend API wraps most filter values in { equals: [...] }. NINA exposes this as a nested .equals sub-field — see the filter list above. Plain scalars like issueId, projectId, and matchedRule.id skip the wrapper.


Reports (generic)

OperationDescription
listList all reports in the tenant
deleteDelete a report by ID
rerunRe-execute a report

Plus a per-resource createReport / updateReport pair on every findings surface (see below).


Findings Surfaces

These resources all follow the same shape: a list operation for reading findings and a createReport / updateReport pair for async report generation. Pick the resource that matches the findings type you want.

ResourceOperationsWiz module
attackSurfaceFindinglist, createReport, updateReportExternal attack surface
hostConfigurationFindinglist, createReport, updateReportOS / host config
iacFindingcreateReport, updateReport (list under configurationFinding)IaC scanning
sastFindinglist, createReport, updateReportStatic code scanning
secretFindinglist, createReport, updateReportSecret scanning
configurationFindinglistCloud configuration
hostedTechlist, createReport, updateReportHosted technologies inventory
ccrcreateReport, updateReportCloud Configuration Rules (CCR)
compliancecreateReport, updateReportCompliance assessments
excessiveAccesscreateReport, updateReportExcessive access (CIEM)
networkExposurelist, updateReportNetwork exposure
dataFindingcreateReportV2, updateReportV2DSPM data findings (V2 only)
externalNetworkcreateReportExternal network exposures
postureIssuelist, update, createReport, updateReportPosture issues
penetrationTestFindingcreateManual pen-test results
appEndpointlist, createReport, updateReportApplication endpoints
applicationEndpointlistAlternative application endpoint accessor
inventorycreateReport, updateReport, createReportV2, updateReportV2Cloud inventory exports
vulnerabilitycreateReport, updateReportVulnerability reports

Common report-create shape — input.name, input.type, input.projectId, plus filter and schedule fields documented per-operation in the schema. Reports run asynchronously; use report.list or the matching *-status ops to poll for completion.


Forensics

Cloud resource forensics — initiate a copy of a resource snapshot to an externally configured account for deep investigation.

OperationDescription
copyToExternalAccountAsync copy; returns a systemActivityGroupId for tracking

Key parameter:

  • input.id (required) — Wiz cloud resource ID (UUID). If you only have a provider-unique ID (ARN), call cloudResource.list with filterBy.providerUniqueId first and take the resulting nodes[0].id.

Wiz Security Graph search — execute ad-hoc graph entity queries and translate provider-unique IDs to Wiz graph entity IDs.

OperationDescription
runExecute a GraphEntityQueryInput against the Security Graph
resolveResourceGraphIDTranslate a providerUniqueId (e.g. AWS ARN) into a Wiz graph entity ID

Key parameters for run:

  • queryGraphEntityQueryInput object
  • projectId (required) — project scope, or * for all projects
  • first (max 500), after — pagination
  • fetchTotalCount, quick, fetchPublicExposurePaths, fetchInternalExposurePaths, fetchIssueAnalytics, fetchLateralMovement, fetchKubernetes — booleans to expand the response

Admin / Configuration

Lightweight read operations for security settings and identity.

ResourceOpDescription
auditLoglistAudit log entries — filter by action, status, user
serviceAccountlistList service accounts (read:user_management)
userRolelistList user roles
usermanageUser management surface
securityFrameworklistList compliance/security frameworks (CIS, NIST, etc.)
ipRestrictionlistTenant IP allowlist
sessiongetLifetimeConfigured session lifetime
portalgetInactivityTimeoutPortal inactivity timeout
dataClassifierTypelistDSPM data classifier types
filerequestUploadRequest a file upload ID (for evidence uploads)
fileUploadIdgetStatusPoll a file upload's status
vulnerabilityUrlgetStatusPoll a vulnerability URL/report status

Examples

List High-Severity Open Issues

{
"integration_service": "wiz",
"resource": "issue",
"operation": "query",
"parameters": {
"filterBy": {
"severity": ["CRITICAL", "HIGH"],
"status": ["OPEN", "IN_PROGRESS"]
},
"first": 100,
"orderBy": {
"field": "SEVERITY",
"direction": "DESC"
}
}
}

Get a Single Issue by ID

{
"integration_service": "wiz",
"resource": "issue",
"operation": "query",
"parameters": {
"filterBy": {
"id": ["abcd1234-5678-90ab-cdef-1234567890ab"]
},
"first": 1
}
}

Update an Issue's Status

{
"integration_service": "wiz",
"resource": "issue",
"operation": "update",
"parameters": {
"issueId": "abcd1234-5678-90ab-cdef-1234567890ab",
"patch": {
"status": "IN_PROGRESS",
"note": "Investigating with platform team"
}
}
}

Resolve an Issue with Reason

{
"integration_service": "wiz",
"resource": "issue",
"operation": "update",
"parameters": {
"issueId": "abcd1234-5678-90ab-cdef-1234567890ab",
"patch": {
"status": "RESOLVED",
"resolutionReason": "False positive — internal-only resource"
}
}
}

Clear an Issue's Due Date

{
"integration_service": "wiz",
"resource": "issue",
"operation": "clearDueAt",
"parameters": {
"issueId": "abcd1234-5678-90ab-cdef-1234567890ab"
}
}

Add a Comment to an Issue

{
"integration_service": "wiz",
"resource": "comment",
"operation": "add",
"parameters": {
"input": {
"subjectId": "abcd1234-5678-90ab-cdef-1234567890ab",
"subjectType": "ISSUE",
"body": "Confirmed remediation in PR #1234"
}
}
}

Get Issue Severity Counts (Dashboard)

{
"integration_service": "wiz",
"resource": "issue",
"operation": "severityCounts",
"parameters": {
"filterBy": {
"status": ["OPEN", "IN_PROGRESS"]
}
}
}

Search Cloud Resources by Type

{
"integration_service": "wiz",
"resource": "cloudResource",
"operation": "list",
"parameters": {
"filterBy": {
"type": ["VIRTUAL_MACHINE"],
"subscriptionExternalId": ["123456789012"]
},
"first": 200
}
}

Resolve a Cloud Resource by ARN

{
"integration_service": "wiz",
"resource": "cloudResource",
"operation": "list",
"parameters": {
"filterBy": {
"providerUniqueId": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234"]
},
"first": 1
}
}

The Wiz internal ID is nodes[0].id in the response.

List Critical Vulnerability Findings

{
"integration_service": "wiz",
"resource": "vulnerabilityFinding",
"operation": "list",
"parameters": {
"filterBy": {
"severity": ["CRITICAL"],
"status": ["OPEN"]
},
"first": 100
}
}

List Repositories

{
"integration_service": "wiz",
"resource": "repository",
"operation": "list",
"parameters": {
"first": 50,
"filterBy": {
"search": "prod"
}
}
}

Trigger Forensics Copy

{
"integration_service": "wiz",
"resource": "forensics",
"operation": "copyToExternalAccount",
"parameters": {
"input": {
"id": "wiz-resource-uuid-from-cloudResource-list"
}
}
}

List WizDefend Detections in the Last 24 Hours

{
"integration_service": "wiz",
"resource": "detection",
"operation": "list",
"parameters": {
"filterBy": {
"severity": {
"equals": ["CRITICAL", "HIGH"]
},
"createdAt": {
"inLast": {
"amount": 24,
"unit": "DurationFilterValueUnitHours"
}
}
},
"first": 250,
"orderBy": {
"field": "CREATED_AT",
"direction": "DESC"
}
}
}

Pull Audit Log

{
"integration_service": "wiz",
"resource": "auditLog",
"operation": "list",
"parameters": {
"filterBy": {
"action": ["LOGIN", "LOGOUT"],
"status": ["SUCCESS"]
},
"first": 100
}
}

Create an IaC Findings Report

{
"integration_service": "wiz",
"resource": "iacFinding",
"operation": "createReport",
"parameters": {
"input": {
"name": "Weekly IaC Findings — Production",
"type": "IAC_FINDINGS",
"projectId": "prod-project-uuid"
}
}
}

Translate ARN to Wiz Graph Entity ID

{
"integration_service": "wiz",
"resource": "graphSearch",
"operation": "resolveResourceGraphID",
"parameters": {
"projectId": "*",
"query": {
"type": ["VIRTUAL_MACHINE"],
"where": {
"providerUniqueId": {
"EQUALS": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234"]
}
}
}
}
}

Common Workflow Patterns

Daily Critical Issue Triage

  1. Schedule Node — run every morning
  2. severityCounts (issue) — get per-severity totals for status OPEN/IN_PROGRESS
  3. Conditional Node — if criticalSeverityCount > 0, continue
  4. query (issue) — fetch critical issues with filterBy.severity = ["CRITICAL"]
  5. Slack / Teams Node — post a digest with Wiz portal links
  6. Optional: update (issue) — bulk-assign or comment via comment.add

Vulnerability Sweep on a Specific Asset

  1. list (cloudResource) — filterBy.providerUniqueId = [<arn>], first: 1 — get Wiz internal ID
  2. query (issue) — filterBy.relatedEntity.id = [<wiz-id>] — fetch issues on that resource
  3. list (vulnerabilityFinding) — fetch CVEs for that resource
  4. Script Node — merge into a per-asset risk report

Threat Detection Auto-Response

  1. Schedule Node — every 5 minutes
  2. list (detection) — createdAt.inLast = { amount: 5, unit: DurationFilterValueUnitMinutes }, severity.equals = ["CRITICAL"]
  3. Loop Node — iterate over each detection
  4. Conditional / Switch — route by cloudPlatform.equals value
  5. AWS / GCP / Azure Node — execute response action (isolate VM, revoke key, etc.)
  6. update (issue) — set the linked issue status to IN_PROGRESS with a note

Audit Log Compliance Snapshot

  1. Schedule Node — weekly
  2. list (auditLog) — filterBy.createdAt.after = <7-days-ago>
  3. Script Node — group entries by action and performer
  4. Email / SharePoint — file the snapshot

Forensics on Demand

  1. Webhook / Alert Node — incoming SOC alert with an asset ARN
  2. list (cloudResource) — filterBy.providerUniqueId = [<arn>] — get Wiz internal ID
  3. copyToExternalAccount (forensics) — initiate the snapshot copy
  4. Script Node — record systemActivityGroupId for tracking
  5. Notify the IR team with the activity ID and Wiz portal link

Issue → Graph Walk

  1. query (issue) — fetch issue with all fields including evidenceQuery
  2. Script Node — parse evidenceQuery JSON
  3. run (graphSearch) — execute the query with projectId = "*"
  4. Output: the graph entities affected by the issue

Scheduled Report Pipeline

  1. Schedule Node — monthly
  2. createReport (iacFinding / sastFinding / secretFinding / ...) — kick off async report
  3. Polling loop — call vulnerabilityUrl.getStatus (or the equivalent status endpoint) every N minutes
  4. Once ready — download the CSV from the URL the status returns
  5. SharePoint / S3 / email — distribute the report

Migrating from the v1 schema

If you have workflows built against the previous (v1) integration shape, here are the rename / removal mappings:

v1 operationv2 equivalentNotes
issue.listissue.querySame semantics, renamed
issue.getissue.query with filterBy.id = [<id>], first: 1No separate get op
issue.getEvidenceissue.query (returns evidenceQuery field) → graphSearch.runTwo-step chain, no automatic chaining
issue.createNotecomment.addDifferent input shape (subjectId/subjectType/body)
issue.deleteNotecomment.deleteRenamed and re-homed under comment
cloudResource.getcloudResource.list with filterByNo separate get op
cloudResource.listIDscloudResource.list (returns id as part of nodes)No lightweight ID-only variant
project.getTeamproject.list with filterBy.searchNo separate getTeam op
threat.list / threat.getissue.query with filterBy.type = ["THREAT_DETECTION"]Wiz no longer models threats as a separate surface
versionControlResource.listrepository.listRenamed
detection.listdetection.listSame name; underlying query is now DetectionsTableV2 with a richer field selection

Everything else (issue.clearDueAt, issue.update, issue.groupedCount, issue.severityCounts, forensics.copyToExternalAccount, graphSearch.run, graphSearch.resolveResourceGraphID, vulnerabilityFinding.list) carries over unchanged.


Troubleshooting

IssueResolution
401 Unauthorized on token fetchClient ID/secret invalid — verify in Settings → Service Accounts; rotate the secret if needed
Token endpoint connection failureWrong Auth Flavor — try switching between cognito and auth0
extensions.code: FORBIDDEN GraphQL errorService account lacks the required API scope — add the scope in the Wiz portal and rotate credentials
Cannot query field X on type YWiz schema drifted — open an issue; this typically means Wiz renamed or removed a field in a recent release
BAD_USER_INPUT on filterFilter shape is wrong — check whether the filter expects a plain scalar, a bare list, or an { equals: [...] } wrapper. Detection filters use the wrapper extensively; most other filters don't
Empty nodes[] on a single-ID lookupThe ID does not exist or the service account lacks scope to see it — confirm in the Wiz portal
429 Too Many RequestsTenant rate limit exceeded — Wiz typically allows ~100 req/s per tenant; reduce request rate or batch via larger first page sizes
Pagination returns the same pageForward after from pageInfo.endCursor and confirm hasNextPage was true
Update fails with "cannot null field"Use clearDueAt (override semantics) instead of update (patch semantics) when nulling a due date
forensics.copyToExternalAccount returns "resource not found"The id must be a Wiz internal resource UUID, not a providerUniqueId — call cloudResource.list with filterBy.providerUniqueId first to translate
Region rejected as invalidRegion must match [a-z]{2}\d+ (e.g. us1, eu23). If your tenant uses a non-standard region, use the Endpoint field instead with the full https://api.<region>.app.wiz.io/graphql URL
Federal tenant fails to authenticateSet the Endpoint field explicitly to your federal endpoint (.wiz.us suffix) and set Token URL + Audience manually
Workflow used threat.list / cloudResource.listIDs / issue.get and now errorsThose v1 ops are removed — see the migration table above

Security Considerations

  1. Protect Credentials: Store client ID and secret exclusively through NINA credential management — never in workflow parameters, logs, or version control
  2. Token Handling: Access tokens are cached in memory for the token's lifetime — they are never written to disk or logs
  3. Scope Minimisation: Grant only the API scopes the workflow needs. Read-only workflows should not be granted update:issues, create:reports, or forensics scopes
  4. Forensics Data Sensitivity: Forensics snapshots contain raw cloud resource state — restrict the external account configured to receive them and audit access regularly
  5. Threat Detection Data: WizDefend detections may include sensitive event payloads (raw API calls, network flows) — restrict workflow and credential visibility
  6. Comments: Comments added via comment.add are visible to all users with read access in the Wiz portal — do not include secrets, PII, or customer data
  7. Report Downloads: Report URLs returned by *.createReport ops are presigned and time-limited but still represent sensitive exports; treat them as data and dispose securely
  8. Service Account Rotation: Rotate client secrets at least every 90 days; rotate immediately if a workflow handler or NINA host is compromised
  9. Multi-Region: If your tenant spans regions, use a separate service account and credential per region rather than sharing one secret across regions

Additional Resources

Updated: 2026-05-27