# Wiz

This guide walks through how to set up Wiz logs in Scanner Collect. Wiz provides two webhook-based data sources: **Wiz: Defend** (for cloud threat detections and runtime alerts) and **Wiz: Issues** (for cloud misconfiguration and security findings). Both are configured to send events directly to Scanner's HTTP receiver via webhooks.

## Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select the option to create a new **Collect Rule**.
* Choose either **Wiz: Defend** or **Wiz: Issues** (you may set up both).

Click Continue.

### Step 1a: For Multiple Wiz Sources

If you're collecting data from both **Wiz: Defend** and **Wiz: Issues**, you'll need to create two separate sources in Scanner Collect—one for each data type. The setup process is identical for both.

## Step 2: Configure the Source

* Set a Display Name such as `my-org-wiz-defend` or `my-org-wiz-issues` depending on which source you're configuring.
* Leave the Payload Format as the default: **JSON: Generic**.

Click Next.

## Step 3: Configure Authentication

* Keep the default Authentication Type: **Bearer Token**.
* Generate a secure Bearer token. You can use a command like: `echo "token_$(uuidgen | tr '[:upper:]' '[:lower:]')"`
* Note this token (we'll refer to it as `BEARER_TOKEN`)—you'll need it when configuring the webhook in Wiz.

Click Next.

## Step 4: Configure Destination

* Select the S3 bucket where you want raw logs delivered.
* (Optional) Enter a bucket prefix. The default is fine for most setups.
* Choose the Scanner index where searchable logs should go.
* Leave the Source Label as the default: `wiz`.

Click Next.

## Step 5: Transform and Enrich

* Keep **Parse JSON Columns** enabled to automatically extract data from any stringified JSON fields.
* (Optional) Add additional transformation or enrichment steps as desired.

Click Next.

## Step 6: Timestamp Extraction

Leave the default settings to extract timestamps from the timestamp fields.

Click Next.

## Step 7: Review and Create

* Review your configuration.
* Click Create Source.

After creation, Scanner will display a unique Endpoint URL like:

`https://collect.your-org-and-region.scanner.dev/receiver/v1/http/<id>`

**Save this URL** — you'll need it when configuring the webhook in Wiz.

## Step 8: Configure in Wiz

### Accessing Wiz Settings

* Log in to your Wiz account at `wiz.io`.
* Navigate to **Settings** → **Integrations**.

### Creating the Webhook

* Click **Add Integration** (or **+ Add** if you see it in the interface).
* Under **SIEM & Automation Tools**, select **Webhook**.
* Set a meaningful **Name** such as `Send Wiz Defend to Scanner` or `Send Wiz Issues to Scanner`.
* Set the **Project Scope** to apply the integration to the appropriate projects (or select all if preferred).

### Configuring Webhook Details

* Paste the Endpoint URL (from Step 7 above) into the **Webhook URL** field.

### Setting Up Authentication

* Click **Add Header** to add a custom header for authentication.
* Enter the header name: `Authorization`
* Enter the header value: `Bearer ${BEARER_TOKEN}`
  * Replace `${BEARER_TOKEN}` with the actual Bearer token you generated in Step 3.

### Configuring Events

* Select which events to send via the webhook:
  * For **Wiz: Defend**: Choose event types relevant to cloud threat detections and runtime alerts.
  * For **Wiz: Issues**: Choose event types relevant to issues, misconfigurations, exposed secrets, and identity risks.
* You may select one or multiple event types depending on your needs.

### Finalizing the Webhook

* Review all settings.
* Click **Save** or **Create** to finalize the webhook configuration.

Wiz will validate the webhook endpoint and begin sending events immediately.

## Verification

After setup is complete, you should see events flowing into Scanner:

1. In the Wiz UI, you can monitor webhook delivery status in Settings → Integrations (if available).
2. In Scanner, navigate to the index you selected in Step 4 to view incoming Wiz logs.
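
To check the receiver from a terminal before relying on Wiz's own validation, the helpers below generate a token and post one test event with and without it. This is an added example, not part of Scanner's or Wiz's documentation: it draws 256 bits from `/dev/urandom` instead of using `uuidgen`, the event body is constructed, and the function names are hypothetical. Which status codes the receiver returns is not stated on this page, so the script only prints them.

```shell
#!/bin/sh
# Added example. The URL passed to smoke_test is the Endpoint URL from Step 7.

# 256-bit token from the kernel CSPRNG, hex-encoded, with the "token_" prefix
# used in Step 3.
gen_token() {
  printf 'token_%s\n' "$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Accept only "token_" + at least 32 characters of lowercase hex or '-'.
# This also accepts the lowercased-UUID form from Step 3 and rejects anything
# that could break the Authorization header (spaces, quotes, newlines).
valid_token() {
  case "$1" in
    token_*) ;;
    *) return 1 ;;
  esac
  body=${1#token_}
  [ "${#body}" -ge 32 ] || return 1
  case "$body" in
    *[!0-9a-f-]*) return 1 ;;
  esac
  return 0
}

# POST one constructed JSON event and print only the HTTP status code.
# The header is fed to curl on stdin (-H @-) so the token never appears in
# the process list.
post_event() {  # usage: post_event URL [TOKEN]
  url=$1
  token=${2:-}
  event='{"source":"smoke-test","message":"constructed test event"}'
  if [ -n "$token" ]; then
    printf 'Authorization: Bearer %s\n' "$token" |
      curl -sS -o /dev/null -w '%{http_code}\n' -X POST \
        -H 'Content-Type: application/json' -H @- --data "$event" "$url"
  else
    curl -sS -o /dev/null -w '%{http_code}\n' -X POST \
      -H 'Content-Type: application/json' --data "$event" "$url"
  fi
}

# The request without a token should be refused and the one with it accepted;
# compare the two printed codes.
smoke_test() {  # usage: smoke_test URL TOKEN
  valid_token "$2" || { echo "token format rejected" >&2; return 1; }
  echo "without token: $(post_event "$1")"
  echo "with token:    $(post_event "$1" "$2")"
}
```

Run `smoke_test "<Endpoint URL>" "$BEARER_TOKEN"` after sourcing the file; the test event should then appear in the index chosen in Step 4.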

## That's It

Once routing is complete, logs will flow from Wiz → Scanner HTTP Receiver → S3 → Scanner index.

Multiple webhook sources can be configured to send different Wiz data streams (Defend and Issues) to the same or different Scanner indexes for flexible organization and analysis.

