{ "name": "wiz", "title": "Wiz", "version": "4.2.0", "release": "ga", "description": "Collect logs from Wiz with Elastic Agent.", "type": "integration", "download": "/epr/wiz/wiz-4.2.0.zip", "path": "/package/wiz/4.2.0", "icons": [ { "src": "/img/wiz-logo.svg", "path": "/package/wiz/4.2.0/img/wiz-logo.svg", "title": "Wiz logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.0 || ^9.1.0" }, "elastic": { "subscription": "basic" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "cloudsecurity_cdr", "vulnerability_workflow", "misconfiguration_workflow", "cloud", "siem" ], "signature_path": "/epr/wiz/wiz-4.2.0.zip.sig", "format_version": "3.3.2", "readme": "/package/wiz/4.2.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/wiz-audit-dashboard.png", "path": "/package/wiz/4.2.0/img/wiz-audit-dashboard.png", "title": "Wiz Audit Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/wiz-issue-dashboard.png", "path": "/package/wiz/4.2.0/img/wiz-issue-dashboard.png", "title": "Wiz Issue Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/wiz-vulnerability-dashboard.png", "path": "/package/wiz/4.2.0/img/wiz-vulnerability-dashboard.png", "title": "Wiz Vulnerability Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/wiz-cloud_configuration_finding-dashboard.png", "path": "/package/wiz/4.2.0/img/wiz-cloud_configuration_finding-dashboard.png", "title": "Wiz Cloud Configuration Finding Dashboard Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/wiz-misconfiguration-findings.png", "path": "/package/wiz/4.2.0/img/wiz-misconfiguration-findings.png", "title": "Misconfiguration Findings view with Wiz data in Elastic Security Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/wiz-context-entity-flyout.png", "path": "/package/wiz/4.2.0/img/wiz-context-entity-flyout.png", "title": "Misconfiguration Findings view with Wiz data in Elastic Security Screenshot", "size": "600x600", "type": "image/png" }, { "src": "/img/wiz-defend-dashboard.png", "path": "/package/wiz/4.2.0/img/wiz-defend-dashboard.png", "title": "Wiz Defend Dashboard Screenshot", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/wiz/4.2.0/LICENSE.txt", "/package/wiz/4.2.0/changelog.yml", "/package/wiz/4.2.0/manifest.yml", "/package/wiz/4.2.0/validation.yml", "/package/wiz/4.2.0/docs/README.md", "/package/wiz/4.2.0/img/wiz-audit-dashboard.png", "/package/wiz/4.2.0/img/wiz-cloud_configuration_finding-dashboard.png", "/package/wiz/4.2.0/img/wiz-context-entity-flyout.png", "/package/wiz/4.2.0/img/wiz-defend-dashboard.png", "/package/wiz/4.2.0/img/wiz-issue-dashboard.png", "/package/wiz/4.2.0/img/wiz-logo.svg", "/package/wiz/4.2.0/img/wiz-misconfiguration-findings.png", "/package/wiz/4.2.0/img/wiz-vulnerability-dashboard.png", "/package/wiz/4.2.0/kibana/tags.yml", "/package/wiz/4.2.0/data_stream/audit/manifest.yml", "/package/wiz/4.2.0/data_stream/audit/sample_event.json", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/manifest.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/sample_event.json", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/manifest.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/sample_event.json", "/package/wiz/4.2.0/data_stream/defend/manifest.yml", "/package/wiz/4.2.0/data_stream/defend/sample_event.json", "/package/wiz/4.2.0/data_stream/issue/manifest.yml", "/package/wiz/4.2.0/data_stream/issue/sample_event.json", "/package/wiz/4.2.0/data_stream/vulnerability/manifest.yml", "/package/wiz/4.2.0/data_stream/vulnerability/sample_event.json", "/package/wiz/4.2.0/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json", "/package/wiz/4.2.0/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json", "/package/wiz/4.2.0/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json", "/package/wiz/4.2.0/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json", "/package/wiz/4.2.0/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json", "/package/wiz/4.2.0/kibana/search/wiz-f71321c0-a641-4411-a33e-f39569c2c7be.json", "/package/wiz/4.2.0/data_stream/audit/fields/base-fields.yml", "/package/wiz/4.2.0/data_stream/audit/fields/beats.yml", "/package/wiz/4.2.0/data_stream/audit/fields/fields.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/fields/base-fields.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/fields/beats.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/fields/fields.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/fields/resource.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/fields/result.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/fields/rule.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/fields/base-fields.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/fields/beats.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/fields/resource.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/fields/result.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/fields/rule.yml", "/package/wiz/4.2.0/data_stream/defend/fields/base-fields.yml", "/package/wiz/4.2.0/data_stream/defend/fields/beats.yml", "/package/wiz/4.2.0/data_stream/defend/fields/fields.yml", "/package/wiz/4.2.0/data_stream/issue/fields/base-fields.yml", "/package/wiz/4.2.0/data_stream/issue/fields/beats.yml", "/package/wiz/4.2.0/data_stream/issue/fields/fields.yml", "/package/wiz/4.2.0/data_stream/vulnerability/fields/base-fields.yml", "/package/wiz/4.2.0/data_stream/vulnerability/fields/beats.yml", "/package/wiz/4.2.0/data_stream/vulnerability/fields/fields.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml", "/package/wiz/4.2.0/data_stream/audit/agent/stream/cel.yml.hbs", "/package/wiz/4.2.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs", "/package/wiz/4.2.0/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml", "/package/wiz/4.2.0/data_stream/defend/agent/stream/http_endpoint.yml.hbs", "/package/wiz/4.2.0/data_stream/defend/elasticsearch/ingest_pipeline/default.yml", "/package/wiz/4.2.0/data_stream/issue/agent/stream/cel.yml.hbs", "/package/wiz/4.2.0/data_stream/issue/elasticsearch/ingest_pipeline/default.yml", "/package/wiz/4.2.0/data_stream/vulnerability/agent/stream/cel.yml.hbs", "/package/wiz/4.2.0/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/beats.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/resource.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/result.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml", "/package/wiz/4.2.0/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml" ], "policy_templates": [ { "name": "wiz", "title": "Wiz logs", "description": "Collect Wiz logs.", "inputs": [ { "type": "cel", "vars": [ { "name": "client_id", "type": "text", "title": "Client ID", "description": "Client ID for the Wiz environment.", "multi": false, "required": true, "show_user": true }, { "name": "client_secret", "type": "password", "title": "Client Secret", "description": "Client Secret for the Wiz environment.", "multi": false, "required": true, "show_user": true }, { "name": "url", "type": "text", "title": "URL", "description": "Base URL of the Wiz API. Default URL given is for the demo environment.", "multi": false, "required": true, "show_user": true, "default": "https://api.us17.app.wiz.io" }, { "name": "token_url", "type": "text", "title": "Token URL", "description": "Token URL of Wiz.", "multi": false, "required": true, "show_user": false, "default": "https://auth.app.wiz.io/oauth/token" }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Wiz logs via API", "description": "Collecting Wiz logs via API." }, { "type": "http_endpoint", "title": "Collect Wiz Defend logs via HTTP Endpoint", "description": "Collecting Detection events from Wiz Defend via HTTP Endpoint." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "wiz.audit", "title": "Collect Audit logs from Wiz.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Audit logs from Wiz. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Wiz API. The maximum supported batch size value is 500.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "max_executions", "type": "integer", "title": "Maximum Pages Per Interval", "description": "Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "wiz-audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve wiz.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Audit logs", "description": "Collect Audit logs from Wiz.", "enabled": false, "ingestion_method": "API" } ], "package": "wiz", "path": "audit" }, { "type": "logs", "dataset": "wiz.cloud_configuration_finding", "title": "Collet Cloud Configuration Finding logs from Wiz.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Cloud Configuration Finding logs from Wiz. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Wiz API. The maximum supported batch size value is 500.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "max_executions", "type": "integer", "title": "Maximum Pages Per Interval", "description": "Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "wiz-cloud_configuration_finding" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve wiz.cloud_configuration_finding fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Cloud Configuration Finding logs", "description": "Collect Cloud Configuration Finding logs from Wiz.", "enabled": false, "ingestion_method": "API" } ], "package": "wiz", "path": "cloud_configuration_finding" }, { "type": "logs", "dataset": "wiz.cloud_configuration_finding_full_posture", "title": "Collect full Cloud Configuration Finding posture from Wiz.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Wiz API. The maximum supported batch size value is 500.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "max_executions", "type": "integer", "title": "Maximum Pages Per Interval", "description": "Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "wiz-cloud_configuration_finding_full_posture" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve wiz.cloud_configuration_finding_full_posture fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Cloud Configuration Finding full posture", "description": "Collect full Cloud Configuration Finding posture from Wiz.", "enabled": false, "ingestion_method": "API" } ], "package": "wiz", "path": "cloud_configuration_finding_full_posture" }, { "type": "logs", "dataset": "wiz.defend", "title": "Collect Detection events from Wiz Defend.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "http_endpoint", "vars": [ { "name": "listen_address", "type": "text", "title": "Listen Address", "description": "Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.", "multi": false, "required": true, "show_user": true, "default": "localhost" }, { "name": "listen_port", "type": "integer", "title": "Listen Port", "description": "The port number the listener binds to.", "multi": false, "required": true, "show_user": true, "default": 9588 }, { "name": "url", "type": "text", "title": "URL", "description": "This option specifies which URL path to accept requests on. Defaults to /.", "multi": false, "required": false, "show_user": false, "default": "/" }, { "name": "basic_auth", "type": "bool", "title": "Authentiation (Basic)", "description": "Enables or disables HTTP basic auth for each incoming request. If enabled, both the username and password must be configured.\n", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "username", "type": "text", "title": "Username", "description": "If basic_auth is enabled, this is the username used for authentication against the HTTP listener. Requires password to also be set.", "multi": false, "required": false, "show_user": true }, { "name": "password", "type": "password", "title": "Password", "description": "If basic_auth is enabled, this is the password used for authentication against the HTTP listener. Requires username to also be set.", "multi": false, "required": false, "show_user": true }, { "name": "token", "type": "password", "title": "Authentiation (Token)", "description": "The token value required to authenticate via `Token`.", "multi": false, "required": false, "show_user": true }, { "name": "ssl", "type": "yaml", "title": "TLS", "description": "Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.", "multi": false, "required": false, "show_user": false, "default": "# enabled: true\n# certificate: \"/etc/pki/client/cert.pem\"\n# key: \"/etc/pki/client/cert.key\"\n" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "wiz-defend" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve wiz.defend fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "http_endpoint.yml.hbs", "title": "Defend logs", "description": "Collect Detection events from Wiz Defend.", "enabled": false, "ingestion_method": "Webhook" } ], "package": "wiz", "path": "defend" }, { "type": "logs", "dataset": "wiz.issue", "title": "Collect Issue logs from Wiz.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Issue logs from Wiz. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Wiz API. The maximum supported batch size value is 500.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "max_executions", "type": "integer", "title": "Maximum Pages Per Interval", "description": "Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "wiz-issue" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve wiz.issue fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Issue logs", "description": "Collect Issue logs from Wiz.", "enabled": false, "ingestion_method": "API" } ], "package": "wiz", "path": "issue" }, { "type": "logs", "dataset": "wiz.vulnerability", "title": "Collect Vulnerability logs from Wiz.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "include_all_vulnerability", "type": "bool", "title": "Include All Vulnerability Statuses", "description": "Enable this toggle to fetch all types of vulnerabilities, including those with statuses RESOLVED, OPEN, REJECTED, and IN_PROGRESS. By default, the API's default filter is used.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the Vulnerability logs from Wiz. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "5m" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the Wiz API. The maximum supported batch size value is 500.", "multi": false, "required": true, "show_user": false, "default": 500 }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": true, "show_user": false, "default": "30s" }, { "name": "max_executions", "type": "integer", "title": "Maximum Pages Per Interval", "description": "Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval.", "multi": false, "required": false, "show_user": false, "default": 1000 }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "wiz-vulnerability" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve wiz.vulnerability fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "cel.yml.hbs", "title": "Vulnerability logs", "description": "Collect Vulnerability logs from Wiz.", "enabled": false, "ingestion_method": "API" } ], "package": "wiz", "path": "vulnerability" } ] }