Wiz

Supported OS: Linux, Windows, Mac OS

Integration version: 3.0.0

Overview

Wiz is a cloud-native security platform that identifies and prioritizes risks across your cloud environments.

This integration ingests the following data into Datadog Cloud SIEM through the Wiz API:

  • Audit Logs: Capture key user activity in Wiz, including login events and all mutation actions (such as create, update, delete), supporting investigations and anomaly detection.
  • Issues: Represent active risks detected by Wiz Controls, such as misconfigurations, exposed secrets, identity risks, and toxic combinations. Each issue is linked to a specific resource and includes severity and remediation context.
  • Detections: Enable centralized visibility and automated alerting for cloud security risks by ingesting Wiz findings into your existing detection and response workflows.

We also ingest vulnerabilities into Datadog’s Cloud Security Platform:

  • Vulnerabilities: Expose weaknesses in software or configuration across cloud resources. Each finding includes metadata like affected packages, versions, severity, and remediation guidance, and is mapped to related issues to help prioritize the most impactful risks.

Use this integration to monitor your cloud security posture in real-time, correlate findings with observability data, and accelerate threat detection and response workflows across teams.

Data collection methods and frequency

API-based collection

  • Audit Logs: Collected every 12 hours
  • Issues (legacy): Collected every 12 hours
  • Vulnerabilities: Initial backfill followed by daily updates for new or status-changed vulnerabilities

Webhook-based collection (real-time)

  • Issues (recommended): Toxic combinations and misconfigurations
  • Threats: Security threats detected in your environment
  • Detections: Security detections requiring investigation

Setup

Configuration

The Wiz integration offers two configuration methods:

  • API Configuration: For collecting audit logs and vulnerabilities
  • Webhook Configuration: For collecting issues, threats, and detections in real-time

Prerequisites

This integration requires a Wiz tenant with permission to create service accounts. The required permissions vary by data type:

  • Audit Logs: admin:audit
  • Vulnerabilities: read:vulnerabilities, create:reports, read:reports

Note: Datadog recommends that you use separate service accounts for each data type to follow the principle of least privilege.

API configuration (Audit logs and vulnerabilities)

Step 1: Add a new account in Datadog

  1. On the Wiz Integration tile, click Add New.

  2. Enter a unique Datadog Account Name.

  3. Paste the Wiz token URL for your data center:

    Example format:

    https://auth.app.wiz.io/oauth/token
    

Step 2: Enter the query URL

To find your Query URL endpoint:

  1. Log in to Wiz.
  2. Go to User Settings.
  3. Click Tenant in the left menu.
  4. Copy your API endpoint.

Example format:

https://api.<TENANT_REGION>.app.wiz.io/graphql

Step 3: Create a service account in Wiz

  1. Go to Settings > Access Management > Service Accounts.
  2. Click Add Service Account.
  3. Fill in:
    • Name: For example, Datadog Audit Logs or Datadog Vulnerabilities
    • Type: Custom Integration (GraphQL API)
    • API Scopes: Select based on data type:
      • For Audit Logs: admin:audit
      • For Vulnerabilities: read:vulnerabilities, create:reports, read:reports
  4. Save the account and copy the Client ID and Client Secret into the table below.
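
The following pre-flight check is an added example, not part of the Datadog or Wiz tooling. It lints the values gathered in Steps 1 to 3 before they are entered: the scopes must match the data type exactly (an account shared across data types is flagged for excess scopes), and the URLs must match the example formats above. The function name, the `wiz.io` host check, and the `us1` region are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Scopes per data type, as listed under Prerequisites on this page.
REQUIRED_SCOPES = {
    "audit_logs": {"admin:audit"},
    "vulnerabilities": {"read:vulnerabilities", "create:reports", "read:reports"},
}
# Assumption: real query URLs follow the example format shown in Step 2.
QUERY_URL_RE = re.compile(r"https://api\.[a-z0-9-]+\.app\.wiz\.io/graphql")


def lint_account(data_type, token_url, query_url, scopes):
    """Return a list of findings; an empty list means the settings pass."""
    required = REQUIRED_SCOPES.get(data_type)
    if required is None:
        return [f"unknown data type: {data_type}"]
    findings = []
    granted = set(scopes)
    if required - granted:
        findings.append("missing scopes: " + ", ".join(sorted(required - granted)))
    if granted - required:
        findings.append("excess scopes: " + ", ".join(sorted(granted - required)))

    token = urlsplit(token_url)
    host = token.hostname or ""
    if token.scheme != "https":
        findings.append("token URL is not https")
    # Assumption: token endpoints live under wiz.io, as in the Step 1 example.
    if not host.endswith(".wiz.io"):
        findings.append("token URL host is not under wiz.io")
    if token.username or token.password or token.query:
        findings.append("token URL carries credentials or a query string")

    if "<" in query_url:
        findings.append("query URL still contains a placeholder")
    elif not QUERY_URL_RE.fullmatch(query_url):
        findings.append("query URL does not match the documented format")
    return findings


if __name__ == "__main__":
    # Constructed sample: one account shared by both data types ("us1" is made up).
    shared = ["admin:audit", "read:vulnerabilities", "create:reports", "read:reports"]
    print(lint_account("vulnerabilities", "https://auth.app.wiz.io/oauth/token",
                       "https://api.us1.app.wiz.io/graphql", shared))
```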

Webhook configuration (Issues, Threats, and Detections)

Step 1: Generate your intake URL

  1. Choose the type of Wiz data you want to send to Datadog (Issues, Detections, or Threats). Note: Create a separate webhook for each data type you want to collect.
  2. Generate an intake URL by either:
    • Choosing an existing API key.
    • Creating a new API key.
  3. Click Copy Intake URL for your selected data type.

Step 2: Configure the webhook in Wiz

  1. Go to Settings > Integrations > Webhooks in Wiz.
  2. Create a new webhook for Datadog.
  3. Paste the intake URL from Datadog into the webhook configuration.

For more information on Wiz’s webhook formats, see:

Step 3: Configure automated actions (Optional)

Wiz Detections and Threats webhooks support Automation Rules. For more information:

Validation

After setup, verify your data collection:

  1. Ensure you have a log index configured for source:wiz.
  2. View your data in the appropriate location.

API-Based Data

Webhook-Based Data

View in Log Explorer with the following filters:

  • Issues: source:wiz type:issue
  • Detections: source:wiz type:detection
  • Threats: source:wiz type:threat

If you don’t see your data:

  1. Verify your log index configuration in Logs > Indexes for source:wiz*.
  2. For webhook data, verify your webhook configuration in Wiz.
  3. For API data, verify your service account permissions.

Data Collected

  • Wiz Audit Logs
  • Wiz Detections
  • Wiz Issues
  • Wiz Threats
  • Wiz Vulnerabilities

Metrics

The Wiz integration does not include any metrics.

Service Checks

The Wiz integration does not include any service checks.

Events

The Wiz integration does not include any events.

Logs

The Wiz integration collects:

  • Audit logs (through API)
  • Vulnerabilities (through API)
  • Issues (through webhook)
  • Threats (through webhook)
  • Detections (through webhook)

Troubleshooting

Need help? Contact Datadog support or Wiz support.