Wiz Integration Guide
Overview
The Wiz integration connects NINA workflows to the Wiz cloud security platform (CNAPP) across 40 resources and 81 operations. The schema is derived directly from Wiz's published OpenAPI documentation, so parameter descriptions, enums, and defaults match what Wiz users see in their own developer portal.
The surface groups into seven areas:
Core read surface (read:* scopes):
- Issue — Query, update, comment on, and aggregate Wiz security issues (toxic combinations, vulnerabilities, misconfigurations, threat detections)
- Cloud Resource — Inventory cloud resources across connected accounts (VMs, buckets, databases, container images, etc.)
- Vulnerability Finding — List vulnerability findings with CVE details, exploit indicators, and the affected workload
- Repository — Inventory repositories from connected VCS integrations (GitHub, GitLab, Bitbucket, AzureDevOps)
- Project — List Wiz projects (logical groupings of cloud resources)
- Audit Log — Pull audit log entries for compliance and incident investigation
Findings surfaces (one resource per finding type, same list + *Report pattern):
- Attack Surface Finding, Host Configuration Finding, IaC Finding, SAST Finding, Secret Finding, Configuration Finding, Hosted Tech, CCR (Cloud Configuration Rules), Compliance, Excessive Access, Network Exposure, Data Finding, External Network, Posture Issue
Threat detection (WizDefend):
- Detection — List and retrieve individual threat detection signals from connected cloud accounts (V2 query)
Reports:
- Report — List all reports, delete, rerun. Plus per-resource
createReport/updateReportmutations across the findings surfaces.
Forensics & Graph:
- Forensics — Copy a cloud resource snapshot to an external account for deep investigation
- Graph Search — Execute ad-hoc Security Graph queries and resolve provider-unique IDs to Wiz graph entity IDs
Comments & admin:
- Comment — Add, create, edit, delete comments on issues / postures
- Service Account, User Role, User, Security Framework, IP Restriction, Session, Portal, File, Data Classifier Type — admin and configuration read operations
Authentication uses OAuth2 client credentials (client_id + client_secret). The Wiz API is GraphQL-based; NINA exposes each operation as a discrete workflow node and handles GraphQL details internally. Tokens are fetched automatically and cached.
Credential Configuration
Authentication
| Field | Description | Default |
|---|---|---|
| Client ID | Service account client ID (~53 chars) | — |
| Client Secret | Service account client secret (~64 chars) | — |
| Region | Wiz data-center region — the <region> part of https://api.<region>.app.wiz.io/graphql | — |
| Endpoint | Full GraphQL endpoint URL override (replaces region) | — |
| Auth Flavor | OAuth2 backend: cognito or auth0 | cognito |
| Token URL | Token endpoint override | derived from auth flavor |
| Audience | OAuth2 audience override | derived from auth flavor |
Either Region or Endpoint must be set. For most tenants, set the Region — NINA will derive https://api.<region>.app.wiz.io/graphql automatically.
On region values: Wiz uses two-letter continent prefix + digits (us1, us2, us3, eu1, eu2, eu3, eu4, eu23, etc.). The integration validates by shape ([a-z]{2}\d+) rather than an enum, so newer regions Wiz introduces work without integration updates. Find your specific region in the Wiz portal under Settings → Tenant Info → API Endpoint URL.
The two auth flavors exist because Wiz operates two OAuth backends:
- Cognito (default, current) — token endpoint
https://auth.app.wiz.io/oauth/token, audiencewiz-api - Auth0 (legacy) — token endpoint
https://auth.wiz.io/oauth/token, audiencebeyond-api
Try Cognito first. Switch to Auth0 only if token exchange fails.
How to Get Your Wiz Service Account Credentials
- Log in to the Wiz portal as an administrator
- Navigate to Settings → Service Accounts
- Click Add Service Account and choose type Custom Integration (GraphQL API)
- Assign the API scopes your workflows require (see scope table below)
- Copy the generated Client ID and Client Secret — the secret is shown only once
- Note the GraphQL endpoint URL on the service account detail page; use it to derive your region
Common API scopes (assign only what you need):
| Scope | Unlocks |
|---|---|
read:issues | issue.query, issue.groupedCount, issue.severityCounts |
update:issues | issue.update, issue.clearDueAt, comment.add, comment.create, comment.edit, comment.delete |
read:resources (Read graph resource) | cloudResource.list, cloudResource.listV2, graphSearch.*, vulnerabilityFinding.list, repository.list |
read:projects | project.list |
read:vulnerabilities | vulnerabilityFinding.list, vulnerabilityFinding.ignore |
admin:audit | auditLog.list |
create:reports, read:reports | All *.createReport / *.updateReport operations, plus report.list / report.delete / report.rerun |
| WizDefend scopes | detection.list |
| Forensics scope | forensics.copyToExternalAccount |
read:security_settings | ipRestriction.list, session.getLifetime, portal.getInactivityTimeout |
read:user_management | user.manage, userRole.list, serviceAccount.list |
Creating a Credential in NINA
- Navigate to Credentials → Add New Credential
- Select integration service: Wiz
- Auth type: Service Account (Client Credentials)
- Fill in Client ID, Client Secret, and Region (or Endpoint)
- Leave Auth Flavor as cognito unless you know your tenant requires auth0
- Click Test Connection then Save
Supported Resources and Operations
Issue
Wiz security issues — the core surface for cloud security posture management. Issues represent rule violations across four types: TOXIC_COMBINATION, CLOUD_CONFIGURATION, VULNERABILITY, and THREAT_DETECTION. Lifecycle: OPEN → IN_PROGRESS → RESOLVED or REJECTED.
| Operation | Description |
|---|---|
query | Paginated list of issues with rich filter options (severity, status, type, dates, related entity, project, etc.) — also used to get a single issue by filtering on id |
update | Patch issue status, due date, note, or resolution reason (cannot null fields) |
clearDueAt | Null the due date using override semantics — separate op because of patch-vs-override |
groupedCount | Count issue groups by STATUS, SEVERITY, or TYPE |
severityCounts | Aggregated counts broken down by severity (critical/high/medium/low/informational) |
createReport | Create an issues-report (async export) |
updateReport | Modify an existing issues-report (rename, schedule, etc.) |
updateNote | Edit an existing issue note |
Key filters for query — all under filterBy:
severity,status,type— arrays of enum valuescreatedAt.after/createdAt.before— ISO-8601 rangeresolvedAt,statusChangedAt,dueAt— same shape, optional date rangesrelatedEntity.id/relatedEntity.type— filter by associated cloud resourceproject— array of project IDs (to scope to specific projects)hasNote,hasServiceTicket,hasRemediation,hasAutoRemediation— booleansriskEqualsAny,riskEqualsAll— array of risk indicatorsnoteContains— substring search on note textframeworkCategory— array of framework/category IDsvalidatedAsExploitable— boolean
Pagination: first (required, max 500), after (cursor from pageInfo.endCursor).
Sort: orderBy.field (one of SEVERITY, CREATED_AT, RESOLVED_AT, STATUS_CHANGED_AT) + orderBy.direction (ASC / DESC).
Patch vs override semantics: update uses patch (provided fields are changed, omitted ones unchanged, fields cannot be nulled). To null a due date use clearDueAt — it uses override semantics under the hood.
Comment
Replaces v1's issue.createNote / issue.deleteNote. Comments are a generic resource on the Wiz side — they attach to subjectType (e.g., ISSUE, POSTURE_ISSUE).
| Operation | Description |
|---|---|
add | Add a comment to an issue or posture issue (the canonical modern op) |
create | Older comment-create variant (kept for compatibility with workflows using the legacy shape) |
edit | Edit an existing comment |
delete | Delete a comment by ID |
Key parameters for add — under input:
subjectId(required) — the entity to comment onsubjectType(required) —ISSUEorPOSTURE_ISSUEbody(required) — comment textmentionedUserId— optional user mention
Cloud Resource
Cloud resources discovered by Wiz across all connected accounts — VMs, storage buckets, databases, container images, serverless functions, and every other entity type Wiz inventories.
| Operation | Description |
|---|---|
list | Paginated list, filterable by search, type, subscription, and provider-unique ID |
listV2 | Newer V2 query variant — same filters, richer response shape |
Key filters under filterBy:
search— free-text on resource nametype— array of resource type strings (e.g.VIRTUAL_MACHINE,STORAGE_BUCKET,CONTAINER_IMAGE)subscriptionExternalId— array of cloud account / subscription external IDs (AWS account, Azure subscription)providerUniqueId— array of provider-unique IDs (e.g. AWS ARNs)projectId— array of Wiz project IDsupdatedAt,deletedAt— date-range filter objects
Pagination: first (required, default depends on op), after.
Resolving a provider ID to a Wiz ID: filter cloudResource.list with filterBy.providerUniqueId = [<arn>], take nodes[0].id from the response. The result is the Wiz internal UUID required by ops like forensics.copyToExternalAccount.
Vulnerability Finding
Per-asset vulnerability findings with CVE details, exploit indicators, and the affected workload.
| Operation | Description |
|---|---|
list | Paginated list with severity, status, exploit indicators, fix version, and the vulnerable asset |
ignore | Mark a vulnerability finding as ignored (suppression) |
Key filters for list:
severity— array of CVSS severitiesstatus— array of finding statuses (OPEN,RESOLVED, etc.)
Each finding node includes vulnerabilityExternalId (CVE ID), CVSSSeverity, hasExploit, hasCisaKevExploit, firstDetectedAt, lastDetectedAt, fixedVersion, and a polymorphic vulnerableAsset (one of VulnerableAssetVirtualMachine, VulnerableAssetServerless, VulnerableAssetContainerImage, VulnerableAssetContainer, VulnerableAssetBase).
Repository
Replaces v1's versionControlResource. Repositories and VCS resources connected to Wiz via GitHub, GitLab, Bitbucket, AzureDevOps integrations.
| Operation | Description |
|---|---|
list | Paginated list with rich filters (project, type, updated/deleted dates) |
Key filters under filterBy:
search— free-text searchproject— array of Wiz project IDstype— repository type filterupdatedAt.before/updatedAt.after/deletedAt.before/deletedAt.after— date ranges
Project
Wiz projects — logical groupings of cloud resources used for security posture management, access control, and team ownership.
| Operation | Description |
|---|---|
list | Paginated list of projects with extensive filter options |
Key filters under filterBy (subset — 40+ available):
search— match against project nameid.equals— project IDsimpact— business impact filterincludeArchived— booleanroot,isFolder— folder/root project filterscreatedAt— date range
Detection
WizDefend detections — individual threat signals raised by detection rules. Uses Wiz's newer DetectionsTableV2 query.
| Operation | Description |
|---|---|
list | Paginated list with rich filter options |
Key filters under filterBy:
id.equals— array of detection IDs (to get specific detections)issueId— single associated issue IDtype.equals— array ofGENERATED_THREAT,MATCH_ONLYcloudPlatform.equals— array of cloud platformsorigin.equals— array of origins (e.g.AWS_CLOUDTRAIL,WIZ_SENSOR)severity.equals— array of severitiescloudAccountOrCloudOrganizationId.equals— array of cloud account/org IDsresource.id.equals— nested filter for resource IDsmatchedRule.id— single rule ID (no wrapper)projectId— single project ID (no wrapper)createdAt.after/createdAt.before/createdAt.inLast— date filters
Note on filter wrappers: the WizDefend API wraps most filter values in { equals: [...] }. NINA exposes this as a nested .equals sub-field — see the filter list above. Plain scalars like issueId, projectId, and matchedRule.id skip the wrapper.
Reports (generic)
| Operation | Description |
|---|---|
list | List all reports in the tenant |
delete | Delete a report by ID |
rerun | Re-execute a report |
Plus a per-resource createReport / updateReport pair on every findings surface (see below).
Findings Surfaces
These resources all follow the same shape: a list operation for reading findings and a createReport / updateReport pair for async report generation. Pick the resource that matches the findings type you want.
| Resource | Operations | Wiz module |
|---|---|---|
attackSurfaceFinding | list, createReport, updateReport | External attack surface |
hostConfigurationFinding | list, createReport, updateReport | OS / host config |
iacFinding | createReport, updateReport (list under configurationFinding) | IaC scanning |
sastFinding | list, createReport, updateReport | Static code scanning |
secretFinding | list, createReport, updateReport | Secret scanning |
configurationFinding | list | Cloud configuration |
hostedTech | list, createReport, updateReport | Hosted technologies inventory |
ccr | createReport, updateReport | Cloud Configuration Rules (CCR) |
compliance | createReport, updateReport | Compliance assessments |
excessiveAccess | createReport, updateReport | Excessive access (CIEM) |
networkExposure | list, updateReport | Network exposure |
dataFinding | createReportV2, updateReportV2 | DSPM data findings (V2 only) |
externalNetwork | createReport | External network exposures |
postureIssue | list, update, createReport, updateReport | Posture issues |
penetrationTestFinding | create | Manual pen-test results |
appEndpoint | list, createReport, updateReport | Application endpoints |
applicationEndpoint | list | Alternative application endpoint accessor |
inventory | createReport, updateReport, createReportV2, updateReportV2 | Cloud inventory exports |
vulnerability | createReport, updateReport | Vulnerability reports |
Common report-create shape — input.name, input.type, input.projectId, plus filter and schedule fields documented per-operation in the schema. Reports run asynchronously; use report.list or the matching *-status ops to poll for completion.
Forensics
Cloud resource forensics — initiate a copy of a resource snapshot to an externally configured account for deep investigation.
| Operation | Description |
|---|---|
copyToExternalAccount | Async copy; returns a systemActivityGroupId for tracking |
Key parameter:
input.id(required) — Wiz cloud resource ID (UUID). If you only have a provider-unique ID (ARN), callcloudResource.listwithfilterBy.providerUniqueIdfirst and take the resultingnodes[0].id.
Graph Search
Wiz Security Graph search — execute ad-hoc graph entity queries and translate provider-unique IDs to Wiz graph entity IDs.
| Operation | Description |
|---|---|
run | Execute a GraphEntityQueryInput against the Security Graph |
resolveResourceGraphID | Translate a providerUniqueId (e.g. AWS ARN) into a Wiz graph entity ID |
Key parameters for run:
query—GraphEntityQueryInputobjectprojectId(required) — project scope, or*for all projectsfirst(max 500),after— paginationfetchTotalCount,quick,fetchPublicExposurePaths,fetchInternalExposurePaths,fetchIssueAnalytics,fetchLateralMovement,fetchKubernetes— booleans to expand the response
Admin / Configuration
Lightweight read operations for security settings and identity.
| Resource | Op | Description |
|---|---|---|
auditLog | list | Audit log entries — filter by action, status, user |
serviceAccount | list | List service accounts (read:user_management) |
userRole | list | List user roles |
user | manage | User management surface |
securityFramework | list | List compliance/security frameworks (CIS, NIST, etc.) |
ipRestriction | list | Tenant IP allowlist |
session | getLifetime | Configured session lifetime |
portal | getInactivityTimeout | Portal inactivity timeout |
dataClassifierType | list | DSPM data classifier types |
file | requestUpload | Request a file upload ID (for evidence uploads) |
fileUploadId | getStatus | Poll a file upload's status |
vulnerabilityUrl | getStatus | Poll a vulnerability URL/report status |
Examples
List High-Severity Open Issues
{
"integration_service": "wiz",
"resource": "issue",
"operation": "query",
"parameters": {
"filterBy": {
"severity": ["CRITICAL", "HIGH"],
"status": ["OPEN", "IN_PROGRESS"]
},
"first": 100,
"orderBy": {
"field": "SEVERITY",
"direction": "DESC"
}
}
}
Get a Single Issue by ID
{
"integration_service": "wiz",
"resource": "issue",
"operation": "query",
"parameters": {
"filterBy": {
"id": ["abcd1234-5678-90ab-cdef-1234567890ab"]
},
"first": 1
}
}
Update an Issue's Status
{
"integration_service": "wiz",
"resource": "issue",
"operation": "update",
"parameters": {
"issueId": "abcd1234-5678-90ab-cdef-1234567890ab",
"patch": {
"status": "IN_PROGRESS",
"note": "Investigating with platform team"
}
}
}
Resolve an Issue with Reason
{
"integration_service": "wiz",
"resource": "issue",
"operation": "update",
"parameters": {
"issueId": "abcd1234-5678-90ab-cdef-1234567890ab",
"patch": {
"status": "RESOLVED",
"resolutionReason": "False positive — internal-only resource"
}
}
}
Clear an Issue's Due Date
{
"integration_service": "wiz",
"resource": "issue",
"operation": "clearDueAt",
"parameters": {
"issueId": "abcd1234-5678-90ab-cdef-1234567890ab"
}
}
Add a Comment to an Issue
{
"integration_service": "wiz",
"resource": "comment",
"operation": "add",
"parameters": {
"input": {
"subjectId": "abcd1234-5678-90ab-cdef-1234567890ab",
"subjectType": "ISSUE",
"body": "Confirmed remediation in PR #1234"
}
}
}
Get Issue Severity Counts (Dashboard)
{
"integration_service": "wiz",
"resource": "issue",
"operation": "severityCounts",
"parameters": {
"filterBy": {
"status": ["OPEN", "IN_PROGRESS"]
}
}
}
Search Cloud Resources by Type
{
"integration_service": "wiz",
"resource": "cloudResource",
"operation": "list",
"parameters": {
"filterBy": {
"type": ["VIRTUAL_MACHINE"],
"subscriptionExternalId": ["123456789012"]
},
"first": 200
}
}
Resolve a Cloud Resource by ARN
{
"integration_service": "wiz",
"resource": "cloudResource",
"operation": "list",
"parameters": {
"filterBy": {
"providerUniqueId": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234"]
},
"first": 1
}
}
The Wiz internal ID is nodes[0].id in the response.
List Critical Vulnerability Findings
{
"integration_service": "wiz",
"resource": "vulnerabilityFinding",
"operation": "list",
"parameters": {
"filterBy": {
"severity": ["CRITICAL"],
"status": ["OPEN"]
},
"first": 100
}
}
List Repositories
{
"integration_service": "wiz",
"resource": "repository",
"operation": "list",
"parameters": {
"first": 50,
"filterBy": {
"search": "prod"
}
}
}
Trigger Forensics Copy
{
"integration_service": "wiz",
"resource": "forensics",
"operation": "copyToExternalAccount",
"parameters": {
"input": {
"id": "wiz-resource-uuid-from-cloudResource-list"
}
}
}
List WizDefend Detections in the Last 24 Hours
{
"integration_service": "wiz",
"resource": "detection",
"operation": "list",
"parameters": {
"filterBy": {
"severity": {
"equals": ["CRITICAL", "HIGH"]
},
"createdAt": {
"inLast": {
"amount": 24,
"unit": "DurationFilterValueUnitHours"
}
}
},
"first": 250,
"orderBy": {
"field": "CREATED_AT",
"direction": "DESC"
}
}
}
Pull Audit Log
{
"integration_service": "wiz",
"resource": "auditLog",
"operation": "list",
"parameters": {
"filterBy": {
"action": ["LOGIN", "LOGOUT"],
"status": ["SUCCESS"]
},
"first": 100
}
}
Create an IaC Findings Report
{
"integration_service": "wiz",
"resource": "iacFinding",
"operation": "createReport",
"parameters": {
"input": {
"name": "Weekly IaC Findings — Production",
"type": "IAC_FINDINGS",
"projectId": "prod-project-uuid"
}
}
}
Translate ARN to Wiz Graph Entity ID
{
"integration_service": "wiz",
"resource": "graphSearch",
"operation": "resolveResourceGraphID",
"parameters": {
"projectId": "*",
"query": {
"type": ["VIRTUAL_MACHINE"],
"where": {
"providerUniqueId": {
"EQUALS": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234"]
}
}
}
}
}
Common Workflow Patterns
Daily Critical Issue Triage
- Schedule Node — run every morning
severityCounts(issue) — get per-severity totals for statusOPEN/IN_PROGRESS- Conditional Node — if
criticalSeverityCount > 0, continue query(issue) — fetch critical issues withfilterBy.severity = ["CRITICAL"]- Slack / Teams Node — post a digest with Wiz portal links
- Optional:
update(issue) — bulk-assign or comment viacomment.add
Vulnerability Sweep on a Specific Asset
list(cloudResource) —filterBy.providerUniqueId = [<arn>],first: 1— get Wiz internal IDquery(issue) —filterBy.relatedEntity.id = [<wiz-id>]— fetch issues on that resourcelist(vulnerabilityFinding) — fetch CVEs for that resource- Script Node — merge into a per-asset risk report
Threat Detection Auto-Response
- Schedule Node — every 5 minutes
list(detection) —createdAt.inLast = { amount: 5, unit: DurationFilterValueUnitMinutes },severity.equals = ["CRITICAL"]- Loop Node — iterate over each detection
- Conditional / Switch — route by
cloudPlatform.equalsvalue - AWS / GCP / Azure Node — execute response action (isolate VM, revoke key, etc.)
update(issue) — set the linked issue status toIN_PROGRESSwith a note
Audit Log Compliance Snapshot
- Schedule Node — weekly
list(auditLog) —filterBy.createdAt.after = <7-days-ago>- Script Node — group entries by
actionandperformer - Email / SharePoint — file the snapshot
Forensics on Demand
- Webhook / Alert Node — incoming SOC alert with an asset ARN
list(cloudResource) —filterBy.providerUniqueId = [<arn>]— get Wiz internal IDcopyToExternalAccount(forensics) — initiate the snapshot copy- Script Node — record
systemActivityGroupIdfor tracking - Notify the IR team with the activity ID and Wiz portal link
Issue → Graph Walk
query(issue) — fetch issue with all fields includingevidenceQuery- Script Node — parse
evidenceQueryJSON run(graphSearch) — execute the query withprojectId = "*"- Output: the graph entities affected by the issue
Scheduled Report Pipeline
- Schedule Node — monthly
createReport(iacFinding / sastFinding / secretFinding / ...) — kick off async report- Polling loop — call
vulnerabilityUrl.getStatus(or the equivalent status endpoint) every N minutes - Once ready — download the CSV from the URL the status returns
- SharePoint / S3 / email — distribute the report
Migrating from the v1 schema
If you have workflows built against the previous (v1) integration shape, here are the rename / removal mappings:
| v1 operation | v2 equivalent | Notes |
|---|---|---|
issue.list | issue.query | Same semantics, renamed |
issue.get | issue.query with filterBy.id = [<id>], first: 1 | No separate get op |
issue.getEvidence | issue.query (returns evidenceQuery field) → graphSearch.run | Two-step chain, no automatic chaining |
issue.createNote | comment.add | Different input shape (subjectId/subjectType/body) |
issue.deleteNote | comment.delete | Renamed and re-homed under comment |
cloudResource.get | cloudResource.list with filterBy | No separate get op |
cloudResource.listIDs | cloudResource.list (returns id as part of nodes) | No lightweight ID-only variant |
project.getTeam | project.list with filterBy.search | No separate getTeam op |
threat.list / threat.get | issue.query with filterBy.type = ["THREAT_DETECTION"] | Wiz no longer models threats as a separate surface |
versionControlResource.list | repository.list | Renamed |
detection.list | detection.list | Same name; underlying query is now DetectionsTableV2 with a richer field selection |
Everything else (issue.clearDueAt, issue.update, issue.groupedCount, issue.severityCounts, forensics.copyToExternalAccount, graphSearch.run, graphSearch.resolveResourceGraphID, vulnerabilityFinding.list) carries over unchanged.
Troubleshooting
| Issue | Resolution |
|---|---|
| 401 Unauthorized on token fetch | Client ID/secret invalid — verify in Settings → Service Accounts; rotate the secret if needed |
| Token endpoint connection failure | Wrong Auth Flavor — try switching between cognito and auth0 |
extensions.code: FORBIDDEN GraphQL error | Service account lacks the required API scope — add the scope in the Wiz portal and rotate credentials |
Cannot query field X on type Y | Wiz schema drifted — open an issue; this typically means Wiz renamed or removed a field in a recent release |
BAD_USER_INPUT on filter | Filter shape is wrong — check whether the filter expects a plain scalar, a bare list, or an { equals: [...] } wrapper. Detection filters use the wrapper extensively; most other filters don't |
Empty nodes[] on a single-ID lookup | The ID does not exist or the service account lacks scope to see it — confirm in the Wiz portal |
| 429 Too Many Requests | Tenant rate limit exceeded — Wiz typically allows ~100 req/s per tenant; reduce request rate or batch via larger first page sizes |
| Pagination returns the same page | Forward after from pageInfo.endCursor and confirm hasNextPage was true |
| Update fails with "cannot null field" | Use clearDueAt (override semantics) instead of update (patch semantics) when nulling a due date |
forensics.copyToExternalAccount returns "resource not found" | The id must be a Wiz internal resource UUID, not a providerUniqueId — call cloudResource.list with filterBy.providerUniqueId first to translate |
| Region rejected as invalid | Region must match [a-z]{2}\d+ (e.g. us1, eu23). If your tenant uses a non-standard region, use the Endpoint field instead with the full https://api.<region>.app.wiz.io/graphql URL |
| Federal tenant fails to authenticate | Set the Endpoint field explicitly to your federal endpoint (.wiz.us suffix) and set Token URL + Audience manually |
Workflow used threat.list / cloudResource.listIDs / issue.get and now errors | Those v1 ops are removed — see the migration table above |
Security Considerations
- Protect Credentials: Store client ID and secret exclusively through NINA credential management — never in workflow parameters, logs, or version control
- Token Handling: Access tokens are cached in memory for the token's lifetime — they are never written to disk or logs
- Scope Minimisation: Grant only the API scopes the workflow needs. Read-only workflows should not be granted
update:issues,create:reports, or forensics scopes - Forensics Data Sensitivity: Forensics snapshots contain raw cloud resource state — restrict the external account configured to receive them and audit access regularly
- Threat Detection Data: WizDefend detections may include sensitive event payloads (raw API calls, network flows) — restrict workflow and credential visibility
- Comments: Comments added via
comment.addare visible to all users with read access in the Wiz portal — do not include secrets, PII, or customer data - Report Downloads: Report URLs returned by
*.createReportops are presigned and time-limited but still represent sensitive exports; treat them as data and dispose securely - Service Account Rotation: Rotate client secrets at least every 90 days; rotate immediately if a workflow handler or NINA host is compromised
- Multi-Region: If your tenant spans regions, use a separate service account and credential per region rather than sharing one secret across regions
Additional Resources
- Wiz Documentation Portal
- Wiz API Introduction
- Using the Wiz API
- Service Accounts Settings
- Wiz GraphQL API Reference (in-portal, per operation)
- Wiz Public GitHub — Cortex XSOAR pack, Backstage plugin, AI plugin
Updated: 2026-05-27