Wiz
This guide walks through how to set up Wiz logs in Scanner Collect. Wiz provides two webhook-based data sources: Wiz: Defend (for cloud threat detections and runtime alerts) and Wiz: Issues (for cloud misconfiguration and security findings). Both are configured to send events directly to Scanner's HTTP receiver via webhooks.
Step 1: Create a New Source
In the Scanner UI, go to the Collect tab.
Click Create New Source.
Click Select a Source Type.
Choose either Wiz: Defend or Wiz: Issues (you may set up both).
For Ingest Method, select HTTP Push.
For Destination, select Scanner.
If you only want logs stored in your S3 data lake (without indexing or detection), choose AWS S3 Only. This guide assumes you're using Scanner as the destination.
Click Next.
Step 1a: For Multiple Wiz Sources
If you're collecting data from both Wiz: Defend and Wiz: Issues, you'll need to create two separate sources in Scanner Collect—one for each data type. The setup process is identical for both.
Step 2: Configure the Source
Set a Display Name such as my-org-wiz-defend or my-org-wiz-issues, depending on which source you're configuring.
Leave the Payload Format as the default: JSON: Generic.
Click Next.
Step 3: Configure Authentication
Keep the default Authentication Type: Bearer Token.
Generate a secure Bearer token. You can use a command like:
echo "token_$(uuidgen | tr '[:upper:]' '[:lower:]')"
Note this token (we'll refer to it as BEARER_TOKEN). You'll need it when configuring the webhook in Wiz.
Click Next.
Step 4: Configure Destination
Select the S3 bucket where you want raw logs delivered.
(Optional) Enter a bucket prefix. The default is fine for most setups.
Choose the Scanner index where searchable logs should go.
Leave the Source Label as the default: wiz.
Click Next.
Step 5: Transform and Enrich
Keep Parse JSON Columns enabled to automatically extract data from any stringified JSON fields.
(Optional) Add additional transformation or enrichment steps as desired.
Click Next.
Step 6: Timestamp Extraction
Leave the default settings to extract timestamps from the timestamp fields.
Click Next.
Step 7: Review and Create
Review your configuration.
Click Create Source.
After creation, Scanner will display a unique Endpoint URL like:
https://collect.your-org-and-region.scanner.dev/receiver/v1/http/<id>
Save this URL — you'll need it when configuring the webhook in Wiz.
Step 8: Configure in Wiz
Accessing Wiz Settings
Log in to your Wiz account at wiz.io.
Navigate to Settings → Integrations.
Creating the Webhook
Click Add Integration (or + Add if you see it in the interface).
Under SIEM & Automation Tools, select Webhook.
Set a meaningful Name such as Send Wiz Defend to Scanner or Send Wiz Issues to Scanner.
Set the Project Scope to apply the integration to the appropriate projects (or select all if preferred).
Configuring Webhook Details
Paste the Endpoint URL (from Step 7 above) into the Webhook URL field.
Setting Up Authentication
Click Add Header to add a custom header for authentication.
Enter the header name: Authorization
Enter the header value: Bearer ${BEARER_TOKEN}
Replace ${BEARER_TOKEN} with the actual Bearer token you generated in Step 3.
Configuring Events
Select which events to send via the webhook:
For Wiz: Defend: Choose event types relevant to cloud threat detections and runtime alerts.
For Wiz: Issues: Choose event types relevant to issues, misconfigurations, exposed secrets, and identity risks.
You may select one or multiple event types depending on your needs.
Finalizing the Webhook
Review all settings.
Click Save or Create to finalize the webhook configuration.
Wiz will validate the webhook endpoint and begin sending events immediately.
Verification
After setup is complete, you should see events flowing into Scanner:
In the Wiz UI, you can monitor webhook delivery status in Settings → Integrations (if available).
In Scanner, navigate to the index you selected in Step 4 to view incoming Wiz logs.
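To check the endpoint and token independently of Wiz, the script below (an added example, not Scanner's or Wiz's own tooling) generates a token in the Step 3 format, rejects malformed values such as an unreplaced ${BEARER_TOKEN}, and posts one constructed JSON event with the configured token and one with a wrong token. It assumes the receiver accepts a JSON POST carrying the Authorization header from Step 8; the function names, the SCANNER_ENDPOINT_URL variable and the test event are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a Scanner HTTP receiver source.
# Function names and SCANNER_ENDPOINT_URL are hypothetical, not Scanner or Wiz names.

# Token in the same shape as the Step 3 command: token_<lowercase uuid>.
gen_token() {
  { uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid; } |
    tr '[:upper:]' '[:lower:]' | sed 's/^/token_/'
}

# Accept only token_<lowercase uuid>. Catches an unreplaced ${BEARER_TOKEN},
# a pasted "Bearer " prefix, and stray whitespace or newlines.
valid_token() {
  case $1 in *[!a-zA-Z0-9_-]*) return 1 ;; esac
  printf '%s\n' "$1" |
    LC_ALL=C grep -Eq '^token_[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Header line exactly as Step 8 enters it in the Wiz webhook.
auth_header() {
  valid_token "$1" || { echo "refusing malformed token" >&2; return 1; }
  printf 'Authorization: Bearer %s\n' "$1"
}

# Keep the token in a file only the current user can read.
save_token() {   # save_token <token> <file>
  ( umask 077; printf '%s\n' "$1" > "$2" ) && chmod 600 "$2"
}

# POST one constructed JSON event; print only the HTTP status code.
# The header is read from stdin (-H @-, curl >= 7.55.0) so the token
# never appears in the process list.
post_event() {   # post_event <endpoint-url> <token>
  valid_token "$2" || return 1
  auth_header "$2" | curl -sS -o /dev/null -w '%{http_code}\n' \
    -H 'Content-Type: application/json' -H @- \
    --data '{"source":"preflight","message":"constructed test event"}' "$1"
}

# Runs only when both variables are set (SCANNER_ENDPOINT_URL is hypothetical).
# Assumption: the receiver rejects the wrong token with a non-2xx status.
if [ -n "${SCANNER_ENDPOINT_URL:-}" ] && [ -n "${BEARER_TOKEN:-}" ]; then
  echo "configured token -> HTTP $(post_event "$SCANNER_ENDPOINT_URL" "$BEARER_TOKEN")"
  echo "wrong token      -> HTTP $(post_event "$SCANNER_ENDPOINT_URL" "$(gen_token)")"
fi
```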
That's It
Once routing is complete, logs will flow from Wiz → Scanner HTTP Receiver → S3 → Scanner index.
Multiple webhook sources can be configured to send different Wiz data streams (Defend and Issues) to the same or different Scanner indexes for flexible organization and analysis.