Overview
Wiz is a cloud-native security platform that identifies and prioritizes risks across your cloud environments.
This integration ingests the following data into Datadog Cloud SIEM through the Wiz API:
- Audit Logs: Capture key user activity in Wiz, including login events and all mutation actions (such as create, update, delete), supporting investigations and anomaly detection.
- Issues: Represent active risks detected by Wiz Controls, such as misconfigurations, exposed secrets, identity risks, and toxic combinations. Each issue is linked to a specific resource and includes severity and remediation context.
- Detections: Enable centralized visibility and automated alerting for cloud security risks by ingesting Wiz findings into your existing detection and response workflows.
We also ingest vulnerabilities into Datadog’s Cloud Security Platform:
- Vulnerabilities: Expose weaknesses in software or configuration across cloud resources. Each finding includes metadata like affected packages, versions, severity, and remediation guidance, and is mapped to related issues to help prioritize the most impactful risks.
Use this integration to monitor your cloud security posture in real time, correlate findings with observability data, and accelerate threat detection and response workflows across teams.
Data collection methods and frequency
API-based collection
- Audit Logs: Collected every 12 hours
- Issues (legacy): Collected every 12 hours
- Vulnerabilities: Initial backfill followed by daily updates for new or status-changed vulnerabilities
Webhook-based collection (real-time)
- Issues (recommended): Toxic combinations and misconfigurations
- Threats: Security threats detected in your environment
- Detections: Security detections requiring investigation
Setup
Configuration
The Wiz integration offers two configuration methods:
- API Configuration: For collecting audit logs and vulnerabilities
- Webhook Configuration: For collecting issues, threats, and detections in real time
Prerequisites
This integration requires a Wiz tenant with permission to create service accounts. The required permissions vary by data type:
- Audit Logs: admin:audit
- Vulnerabilities: read:vulnerabilities, create:reports, read:reports
Note: Datadog recommends that you use separate service accounts for each data type to follow the principle of least privilege.
API configuration (Audit logs and vulnerabilities)
Step 1: Add a new account in Datadog
On the Wiz Integration tile, click Add New.
Enter a unique Datadog Account Name.
Paste the Wiz token URL for your data center:
Example format:
https://auth.app.wiz.io/oauth/token
Step 2: Enter the query URL
To find your Query URL endpoint:
- Log in to Wiz.
- Go to User Settings.
- Click Tenant in the left menu.
- Copy your API endpoint.
Example format:
https://api.<TENANT_REGION>.app.wiz.io/graphql
Step 3: Create a service account in Wiz
- Go to Settings > Access Management > Service Accounts.
- Click Add Service Account.
- Fill in:
  - Name: For example, Datadog Audit Logs or Datadog Vulnerabilities
  - Type: Custom Integration (GraphQL API)
  - API Scopes: Select based on data type:
    - For Audit Logs: admin:audit
    - For Vulnerabilities: read:vulnerabilities, create:reports, read:reports
- Save the account and copy the Client ID and Client Secret into the table below.
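A pre-flight check for the values entered in Steps 1 to 3, added here as an example and not part of the Datadog or Wiz documentation. It verifies the URL formats and that each service account holds exactly the scopes listed for its data type. The dictionary layout, the function names, and the host rules (any host under wiz.io for the token URL, api.<region>.app.wiz.io for the query URL) are assumptions generalized from the example formats above.

```python
import re
from urllib.parse import urlsplit

# Scopes per data type, as listed in the prerequisites on this page.
REQUIRED_SCOPES = {
    "audit_logs": {"admin:audit"},
    "vulnerabilities": {"read:vulnerabilities", "create:reports", "read:reports"},
}
QUERY_HOST = re.compile(r"^api\.[a-z0-9-]+\.app\.wiz\.io$")  # assumed from the example URL


def _url_ok(url, path, host_ok):
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.path == path and bool(host_ok(parts.hostname or ""))


def check_account(acct):
    """Return findings for one service-account entry; an empty list means OK."""
    findings = []
    # The client secret is posted to the token URL, so pin scheme, domain and path.
    if not _url_ok(acct["token_url"], "/oauth/token", lambda h: h.endswith(".wiz.io")):
        findings.append("token_url is not an https://<host>.wiz.io/oauth/token URL")
    if "<" in acct["query_url"]:
        findings.append("query_url still contains an unreplaced <PLACEHOLDER>")
    elif not _url_ok(acct["query_url"], "/graphql", QUERY_HOST.match):
        findings.append("query_url is not https://api.<region>.app.wiz.io/graphql")
    required, granted = REQUIRED_SCOPES.get(acct["data_type"], set()), set(acct["scopes"])
    for label, diff in (("missing", required - granted), ("excess", granted - required)):
        if diff:
            findings.append(f"{label} scopes: {', '.join(sorted(diff))}")
    return findings


def shared_client_ids(accounts):
    """Client IDs reused across data types (the page recommends one account each)."""
    seen = {}
    for acct in accounts:
        seen.setdefault(acct["client_id"], set()).add(acct["data_type"])
    return sorted(cid for cid, types in seen.items() if len(types) > 1)


TOKEN_URL = "https://auth.app.wiz.io/oauth/token"  # example format from this page
ACCOUNTS = [  # constructed sample entries; client IDs and region "us1" are made up
    {"data_type": "audit_logs", "client_id": "example-id-1", "scopes": ["admin:audit"],
     "token_url": TOKEN_URL, "query_url": "https://api.us1.app.wiz.io/graphql"},
    {"data_type": "vulnerabilities", "client_id": "example-id-1", "token_url": TOKEN_URL,
     "scopes": ["read:vulnerabilities", "read:reports", "admin:audit"],
     "query_url": "https://api.<TENANT_REGION>.app.wiz.io/graphql"},
]
```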
Webhook configuration (Issues, Threats, and Detections)
Step 1: Generate your intake URL
- Choose the type of Wiz data you want to send to Datadog (Issues, Detections, or Threats).
Note: Create a separate webhook for each data type you want to collect.
- Generate an intake URL by either:
- Choosing an existing API key.
- Creating a new API key.
- Click Copy Intake URL for your selected data type.
- Go to Settings > Integrations > Webhooks in Wiz.
- Create a new webhook for Datadog.
- Paste the intake URL from Datadog into the webhook configuration.
For more information on Wiz’s webhook formats, see:
Wiz Detections and Threats webhooks support Automation Rules. For more information:
Validation
After setup, verify your data collection:
- Ensure you have a log index configured for source:wiz.
- View your data in the appropriate location.
API-Based Data
Webhook-Based Data
View in Log Explorer with the following filters:
- Issues: source:wiz type:issue
- Detections: source:wiz type:detection
- Threats: source:wiz type:threat
If you don’t see your data:
- Verify your log index configuration in Logs > Indexes for source:wiz*.
- For webhook data, verify your webhook configuration in Wiz.
- For API data, verify your service account permissions.
Data Collected
Wiz Audit Logs
Wiz Detections
Wiz Issues
Wiz Threats
Wiz Vulnerabilities
Metrics
The Wiz integration does not include any metrics.
Service Checks
The Wiz integration does not include any service checks.
Events
The Wiz integration does not include any events.
Logs
The Wiz integration collects:
- Audit logs (through API)
- Vulnerabilities (through API)
- Issues (through webhook)
- Threats (through webhook)
- Detections (through webhook)
Troubleshooting
Need help? Contact Datadog support or Wiz support.