Wiz

Supported OS: Linux, Windows, Mac OS

Integration version 3.1.0

Overview

Wiz is a cloud-native security platform that identifies and prioritizes risks across your cloud environments.

This integration ingests the following data into Datadog Cloud SIEM through the Wiz API:

  • Audit Logs: Capture key user activity in Wiz, including login events and all mutation actions (such as create, update, delete), supporting investigations and anomaly detection.
  • Issues: Represent active risks detected by Wiz Controls, such as misconfigurations, exposed secrets, identity risks, and toxic combinations. Each issue is linked to a specific resource and includes severity and remediation context.
  • Detections: Enable centralized visibility and automated alerting for cloud security risks by ingesting Wiz findings into your existing detection and response workflows.

We also ingest Security Findings into Datadog’s Cloud Security Platform:

  • Vulnerabilities: Expose weaknesses in software or configuration across cloud resources. Each finding includes metadata like affected packages, versions, severity, and remediation guidance, and is mapped to related issues to help prioritize the most impactful risks.

  • Configurations: Wiz configuration findings are the issues detected during a cloud security scan that highlight misconfigurations, compliance gaps, and potential vulnerabilities in your environment.

Use this integration to monitor your cloud security posture in real time, correlate findings with observability data, and accelerate threat detection and response workflows across teams.

Data collection methods and frequency

API-based collection

  • Audit Logs: Collected every 12 hours
  • Issues (legacy): Collected every 12 hours
  • Configurations and Vulnerabilities: Initial backfill followed by daily updates for new or status-changed security findings

Webhook-based collection (real-time)

  • Issues (recommended): Toxic combinations and misconfigurations
  • Threats: Security threats detected in your environment
  • Detections: Security detections requiring investigation

Setup

Configuration

The Wiz integration offers two configuration methods:

  • API Configuration: For collecting audit logs, configurations, and security findings
  • Webhook Configuration: For collecting issues, threats, and detections in real time

  1. Follow Wiz’s Datadog integration guide to generate the required values for the Token URL, Query URL, Client ID, and Client Secret fields used to configure the Wiz integration in Datadog.

  2. Copy the values you gathered from Wiz into the matching fields in the configuration table below.

  3. After saving the configuration, verify data collection. Logs should appear within 15 minutes. The initial Security Findings backfill may take some time to process, but should be available within an hour.

API-Based Data

  • Audit Logs: View in Log Explorer with source:wiz
  • Configurations and Vulnerabilities: View in Cloud Security Management by hovering over Findings and selecting either Misconfigurations or Vulnerabilities, and then searching for source:wiz

Webhook-Based Data

View in Log Explorer with the following filters:

  • Issues: source:wiz type:issue
  • Detections: source:wiz type:detection
  • Threats: source:wiz type:threat

If you don’t see your data:

  1. Verify your log index configuration in Logs > Indexes for source:wiz*.
  2. For webhook data, verify your webhook configuration in Wiz.
  3. For API data, verify your service account permissions.
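
The verification above can be turned into a recurring coverage check, so a silently broken webhook or expired service account does not leave a gap in security telemetry. The following is an added example, not Datadog or Wiz code: the event shape (flat dicts with `source`, `type`, `timestamp`) and both age thresholds are assumptions, and only the filters and the 12-hour poll interval come from this page.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds (not from the page): 24 hours is two missed 12-hour API
# polls; 7 days is an arbitrary quiet-period limit for event-driven webhooks.
API_MAX_AGE = timedelta(hours=24)
WEBHOOK_MAX_AGE = timedelta(days=7)

# Filters mirror the Log Explorer filters listed on this page.
STREAMS = {"source:wiz": ({"source": "wiz"}, API_MAX_AGE)}
for _type in ("issue", "detection", "threat"):
    STREAMS[f"source:wiz type:{_type}"] = (
        {"source": "wiz", "type": _type}, WEBHOOK_MAX_AGE)


def stream_status(events, now):
    """Map each filter to 'ok', 'stale' or 'missing' based on its newest event."""
    status = {}
    for name, (flt, max_age) in STREAMS.items():
        stamps = [datetime.fromisoformat(e["timestamp"]) for e in events
                  if all(e.get(k) == v for k, v in flt.items())]
        if not stamps:
            status[name] = "missing"   # never seen: setup or indexing problem
        elif now - max(stamps) > max_age:
            status[name] = "stale"     # seen before, then went quiet
        else:
            status[name] = "ok"
    return status


# Constructed sample events: flat dicts, not the real Datadog log schema.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"source": "wiz", "type": "issue", "timestamp": "2025-01-10T11:30:00+00:00"},
    {"source": "wiz", "type": "detection", "timestamp": "2024-12-30T09:00:00+00:00"},
    {"source": "wiz", "timestamp": "2025-01-10T02:00:00+00:00"},
    {"source": "cloudtrail", "type": "threat", "timestamp": "2025-01-10T11:59:00+00:00"},
]

if __name__ == "__main__":
    for name, state in stream_status(SAMPLE_EVENTS, NOW).items():
        print(f"{name}: {state}")
```

A `missing` or `stale` result on a `type:` filter points to the webhook configuration in Wiz, while the same result on the bare `source:wiz` filter points to the log index configuration or the service account permissions.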

Data Collected

  • Wiz Audit Logs
  • Wiz Detections
  • Wiz Issues
  • Wiz Threats
  • Wiz Vulnerabilities

Metrics

The Wiz integration does not include any metrics.

Service Checks

The Wiz integration does not include any service checks.

Events

The Wiz integration does not include any events.

Logs

The Wiz integration collects:

  • Audit logs (through API)
  • Vulnerabilities (through API)
  • Issues (through webhook)
  • Threats (through webhook)
  • Detections (through webhook)

Troubleshooting

Need help? Contact Datadog support or Wiz support.