# Wiz

This guide walks through how to set up Wiz logs in Scanner Collect. Wiz provides two webhook-based data sources: **Wiz: Defend** (for cloud threat detections and runtime alerts) and **Wiz: Issues** (for cloud misconfiguration and security findings). Both are configured to send events directly to Scanner's HTTP receiver via webhooks.

## Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select the option to create a new **Collect Rule**.
* Choose either **Wiz: Defend** or **Wiz: Issues** (you may set up both).

Click Continue.

### Step 1a: For Multiple Wiz Sources

If you're collecting data from both **Wiz: Defend** and **Wiz: Issues**, you'll need to create two separate sources in Scanner Collect—one for each data type. The setup process is identical for both.

## Step 2: Configure the Source

* Set a Display Name such as `my-org-wiz-defend` or `my-org-wiz-issues` depending on which source you're configuring.
* Leave the Payload Format as the default: **JSON: Generic**.

Click Next.

## Step 3: Configure Authentication

* Keep the default Authentication Type: **Bearer Token**.
* Generate a secure Bearer token. You can use a command like: `echo "token_$(uuidgen | tr '[:upper:]' '[:lower:]')"`
* Note this token (we'll refer to it as `BEARER_TOKEN`)—you'll need it when configuring the webhook in Wiz.
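
As an alternative to the `uuidgen` command, the sketch below draws the token straight from the kernel CSPRNG, stores it in a file only your user can read, and builds the header value used later in Step 8. It is an added example, not part of Scanner's or Wiz's documentation; the function names, the 256-bit length and the file path in the usage comment are assumptions, and the `token_` prefix only mirrors the command above.

```shell
#!/bin/sh
# Added example: generate, store and format the Step 3 Bearer token.
# Function names and the token length are assumptions of this example.

# Print "token_" followed by 64 lowercase hex characters (256 random bits).
gen_bearer_token() {
  bt_hex=$(od -An -N32 -tx1 /dev/urandom | tr -dc '0123456789abcdef')
  [ "${#bt_hex}" -eq 64 ] || return 1   # short read: do not emit a weak token
  printf 'token_%s\n' "$bt_hex"
}

# Write a fresh token to the file named by $1.
# umask 077 creates the file as 0600; set -C (noclobber) makes the redirect
# fail if the file already exists, so a token already in use is never replaced.
save_bearer_token() {
  bt_new=$(gen_bearer_token) || return 1
  ( umask 077; set -C; printf '%s\n' "$bt_new" > "$1" )
}

# Print the value for the Authorization header from the token file $1.
# Rejects anything outside "token_" plus hex digits and hyphens, so a stray
# space or line break from copy and paste cannot end up in the header.
authorization_header() {
  bt_token=$(cat "$1") || return 1
  case $bt_token in
    token_*[!0123456789abcdef-]*)
      echo "token contains unexpected characters" >&2; return 1 ;;
    token_*) ;;
    *) echo "token does not start with token_" >&2; return 1 ;;
  esac
  # 6 prefix characters plus at least 32 characters of token material
  [ "${#bt_token}" -ge 38 ] || { echo "token too short" >&2; return 1; }
  printf 'Bearer %s\n' "$bt_token"
}

# Usage (the path is a hypothetical choice):
#   save_bearer_token "$HOME/.scanner-wiz-token"
#   authorization_header "$HOME/.scanner-wiz-token"
```

Reading the token back from the file when you fill in the Scanner and Wiz forms keeps it out of your shell history.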

Click Next.

## Step 4: Configure Destination

* Select the S3 bucket where you want raw logs delivered.
* (Optional) Enter a bucket prefix. The default is fine for most setups.
* Choose the Scanner index where searchable logs should go.
* Leave the Source Label as the default: `wiz`.

Click Next.

## Step 5: Transform and Enrich

* Keep **Parse JSON Columns** enabled to automatically extract data from any stringified JSON fields.
* (Optional) Add additional transformation or enrichment steps as desired.

Click Next.

## Step 6: Timestamp Extraction

Leave the default settings to extract timestamps from the timestamp fields.

Click Next.

## Step 7: Review and Create

* Review your configuration.
* Click Create Source.

After creation, Scanner will display a unique Endpoint URL like:

`https://collect.your-org-and-region.scanner.dev/receiver/v1/http/<id>`

**Save this URL** — you'll need it when configuring the webhook in Wiz.

## Step 8: Configure in Wiz

### Accessing Wiz Settings

* Log in to your Wiz account at `wiz.io`.
* Navigate to **Settings** → **Integrations**.

### Creating the Webhook

* Click **Add Integration** (or **+ Add** if you see it in the interface).
* Under **SIEM & Automation Tools**, select **Webhook**.
* Set a meaningful **Name** such as `Send Wiz Defend to Scanner` or `Send Wiz Issues to Scanner`.
* Set the **Project Scope** to apply the integration to the appropriate projects (or select all if preferred).

### Configuring Webhook Details

* Paste the Endpoint URL (from Step 7 above) into the **Webhook URL** field.

### Setting Up Authentication

* Click **Add Header** to add a custom header for authentication.
* Enter the header name: `Authorization`
* Enter the header value: `Bearer ${BEARER_TOKEN}`
  * Replace `${BEARER_TOKEN}` with the actual Bearer token you generated in Step 3.

### Configuring Events

* Select which events to send via the webhook:
  * For **Wiz: Defend**: Choose event types relevant to cloud threat detections and runtime alerts.
  * For **Wiz: Issues**: Choose event types relevant to issues, misconfigurations, exposed secrets, and identity risks.
* You may select one or multiple event types depending on your needs.

### Finalizing the Webhook

* Review all settings.
* Click **Save** or **Create** to finalize the webhook configuration.

Wiz will validate the webhook endpoint and begin sending events immediately.

## Verification

After setup is complete, you should see events flowing into Scanner:

1. In the Wiz UI, you can monitor webhook delivery status in Settings → Integrations (if available).
2. In Scanner, navigate to the index you selected in Step 4 to view incoming Wiz logs.

## That's It

Once routing is complete, logs will flow from Wiz → Scanner HTTP Receiver → S3 → Scanner index.

Multiple webhook sources can be configured to send different Wiz data streams (Defend and Issues) to the same or different Scanner indexes for flexible organization and analysis.
