Wiz - Add Tags to Assets
  • 20 Jan 2025
  • 7 Minutes to read
  • Dark
    Light
  • PDF

Wiz - Add Tags to Assets

  • Dark
    Light
  • PDF

Article summary

Wiz - Add Tags to Assets extracts tags from correlated assets within Axonius and adds them to the corresponding asset in Wiz, if it exists, that matches the parameters of the selected query or to assets selected on the relevant asset page.

For example, if a Wiz device correlates with a Tenable device, the tags on the Tenable device will be added to that device in Wiz.

See an example of the custom tags data and the JSON schema below.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Note:

Notes:
  • This Enforcement Action works for all asset types except for Users.
  • To use this Enforcement Action, you must successfully configure the Wiz adapter.

Required Fields

These fields must be configured to run the Enforcement Set.

  • Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

  • Use stored credentials from the Wiz adapter - Select this option to use credentials from the adapter connection. By default, the first connection is selected.
    • When you select this option, the Select Adapter Connection drop-down becomes available. Select the adapter connection to use for this Enforcement Action.
    Note:
    To use this option, you must successfully configure a Wiz adapter connection.
  • Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

Connection and Credentials

When Use stored credentials from the adapter is toggled off, some of the connection fields below are required to create the connection, while other fields are optional.

  • Wiz URL - The API URL of the Wiz server that Axonius can communicate with via the Required Ports. You can find the API URL required for the connection configuration via the following Wiz URL: https://app.wiz.io/user/profile. The Wiz URL should follow the pattern https://api.{region}.app.wiz.io/.

  • Wiz Authentication URL - Enter the authentication URL of either the Amazon Cognito or Auth0 (legacy) method of authentication used to enable the connection to Wiz together with the API token.

    Note:
    • The authentication URL should include the hostname only, omitting any suffixes. For example, enter auth.app.wiz.io without a trailing /auth/token

    • Confirm that the public IP address of your Axonius instance is added to the "Source IP address" configuration within the Wiz application.

    • If you are filtering outbound traffic from your Axonius instance, verify that you have both the Wiz URL and Wiz Authentication URL as allowed destinations.

  • Client Key and Client Secret - See Obtaining the Client Secret and Client ID for details about how to obtain the Client Key and Client Secret.

  • HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.

  • Project ID Mapping (Legacy Only) - Enter the Project ID of the account to fetch.

  • Project UUID - Enter a project UUID to fetch resources only from the project listed. To obtain the project UUID, in the Wiz platform:

    1. Select Settings > Projects.
    2. Click the three dots to the right of the relevant project.
    3. Copy the project UUID provided.
      Specifying a single project UUID is most recommended. You can use an asterisk to pull all projects, but permission errors might encounter as a result.

Required Permissions

The stored credentials, or those provided in Connection and Credentials, must have the following permission(s) to perform this Enforcement Action:

  • create:external_data_ingestion
  • read:system_activities
  • read:resources

Required Ports

Axonius must be able to communicate with the value supplied in Wiz URL via the following ports:

  • TCP port 443

APIs

Axonius uses the wiz.io API.

Example of Custom Tag Data

Below is a sample of the custom tags data:

{
  "integrationId": "000c0c7b-5f59-46ea-a305-934a15b94930",
  "dataSources": [
    {
      "id": "29A4E640-4BFD-4779-856756756",
      "analysisDate": "2023-08-02T16:50:00Z",
      "assets": [
        {
          "assetIdentifier": {
            "cloudPlatform": "AWS",
            "providerId": "arn:aws:ec2:eu-central-1:9123455:instance/i-04ea5a462c85555"
          },
          "customTags": [
            {
              "key": "App",
              "value": "Spotify"
            },
            {
              "key": "Owner",
              "value": "Beyoncé"
            }
          ]
        }
      ]
    }
  ]
}

Custom Tag JSON Schema

Below is the JSON schema of the custom tags data:

{
  "$id": "https://wiz.io/ingestionmodel.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Wiz Ingestion Model",
  "type": "object",
  "properties": {
    "integrationId": {
      "type": "string"
    },
    "dataSources": {
      "type": "array",
      "items": {
        "$ref": "#/$defs/dataSource"
      }
    }
  },
  "required": [
    "integrationId",
    "dataSources"
  ],
  "additionalProperties": false,
  "$defs": {
    "cloudPlatform": {
      "enum": "{{.CloudPlatformEnum}}"
    },
    "status": {
      "enum": "{{.StatusEnum}"
    }
  },
  "severity": {
    "enum": "{{.SeverityEnum}}"
  },
  "eventSeverity": {
    "enum": "{{.EventSeverityEnum}}"
  },
  "detectionMethod": {
    "enum": "{{.DetectionMethodEnum}}"
  },
  "dataCategory": {
    "enum": "{{.DataCategoryEnum}}"
  },
  "dataClassifier": {
    "enum": "{{.DataClassifierEnum}}"
  },
  "mitreTacticId": {
    "enum": "{{.MitreTacticIdEnum}}"
  },
  "mitreTacticName": {
    "enum": "{{.MitreTacticNameEnum}}"
  },
  "mitreTechniqueId": {
    "enum": "{{.MitreTechniqueIdEnum}}"
  },
  "mitreTechniqueName": {
    "enum": "{{.MitreTechniqueNameEnum}}"
  },
  "dataSource": {
    "type": "object",
    "properties": {
      "id": {
        "type": "string"
      },
      "analysisDate": {
        "type": "string",
        "format": "date-time"
      },
      "assets": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/asset"
        }
      }
    },
    "required": [
      "id",
      "assets"
    ],
    "additionalProperties": false
  },
  "asset": {
    "type": "object",
    "properties": {
      "assetIdentifier": {
        "$ref": "#/$defs/assetIdentifier"
      },
      "cloudConfigurationFindings": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/cloudConfigFinding"
        }
      },
      "hostConfigurationFindings": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/hostConfigFinding"
        }
      },
      "vulnerabilityFindings": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/vulnerabilityFinding"
        }
      },
      "webAppVulnerabilityFindings": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/webAppVulnerabilityFinding"
        }
      },
      "dataFindings": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/dataFinding"
        }
      },
      "events": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/event"
        }
      },
      "customTags": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/keyValue"
        }
      }
    },
    "required": [
      "assetIdentifier"
    ],
    "additionalProperties": false
  },
  "assetIdentifier": {
    "type": "object",
    "properties": {
      "cloudPlatform": {
        "$ref": "#/$defs/cloudPlatform"
      },
      "providerId": {
        "type": "string"
      },
      "networkAddress": {
        "type": "string"
      },
      "endpointUrl": {
        "type": "string"
      }
    },
    "oneOf": [
      {
        "required": [
          "providerId"
        ]
      },
      {
        "required": [
          "networkAddress"
        ]
      },
      {
        "required": [
          "endpointUrl"
        ]
      }
    ],
    "required": [
      "cloudPlatform"
    ],
    "additionalProperties": false
  },
  "cloudConfigFinding": {
    "type": "object",
    "properties": {
      "id": {
        "type": "string"
      },
      "name": {
        "type": "string"
      },
      "status": {
        "$ref": "#/$defs/status"
      },
      "severity": {
        "$ref": "#/$defs/severity"
      },
      "externalDetectionSource": {
        "$ref": "#/$defs/detectionMethod"
      },
      "detailedName": {
        "type": "string"
      },
      "version": {
        "type": "string"
      },
      "externalFindingLink": {
        "type": "string"
      },
      "source": {
        "type": "string"
      },
      "description": {
        "type": "string"
      },
      "remediation": {
        "type": "string"
      }
    },
    "required": [
      "name",
      "status"
    ],
    "additionalProperties": false
  },
  "hostConfigFinding": {
    "type": "object",
    "properties": {
      "id": {
        "type": "string"
      },
      "name": {
        "type": "string"
      },
      "status": {
        "$ref": "#/$defs/status"
      },
      "severity": {
        "$ref": "#/$defs/severity"
      },
      "externalFindingLink": {
        "type": "string"
      },
      "source": {
        "type": "string"
      },
      "description": {
        "type": "string"
      },
      "remediation": {
        "type": "string"
      }
    },
    "required": [
      "name",
      "status"
    ],
    "additionalProperties": false
  },
  "vulnerabilityFinding": {
    "type": "object",
    "properties": {
      "id": {
        "type": "string"
      },
      "name": {
        "type": "string"
      },
      "severity": {
        "$ref": "#/$defs/severity"
      },
      "externalDetectionSource": {
        "$ref": "#/$defs/detectionMethod"
      },
      "detailedName": {
        "type": "string"
      },
      "version": {
        "type": "string"
      },
      "fixedVersion": {
        "type": "string"
      },
      "externalFindingLink": {
        "type": "string"
      },
      "source": {
        "type": "string"
      },
      "description": {
        "type": "string"
      },
      "remediation": {
        "type": "string"
      },
      "validatedAtRuntime": {
        "type": "boolean"
      }
    },
    "required": [
      "name",
      "severity"
    ],
    "additionalProperties": false
  },
  "webAppVulnerabilityFinding": {
    "type": "object",
    "properties": {
      "id": {
        "type": "string"
      },
      "name": {
        "type": "string"
      },
      "severity": {
        "$ref": "#/$defs/severity"
      },
      "detailedName": {
        "type": "string"
      },
      "externalFindingLink": {
        "type": "string"
      },
      "source": {
        "type": "string"
      },
      "description": {
        "type": "string"
      },
      "remediation": {
        "type": "string"
      }
    },
    "required": [
      "name",
      "severity"
    ],
    "additionalProperties": false
  },
  "dataFinding": {
    "type": "object",
    "properties": {
      "id": {
        "type": "string"
      },
      "name": {
        "type": "string"
      },
      "source": {
        "type": "string"
      },
      "externalFindingLink": {
        "type": "string"
      },
      "dataCategory": {
        "$ref": "#/$defs/dataCategory"
      },
      "severity": {
        "$ref": "#/$defs/severity"
      },
      "dataClassifierId": {
        "$ref": "#/$defs/dataClassifier"
      }
    },
    "required": [
      "name",
      "dataCategory",
      "dataClassifierId"
    ],
    "additionalProperties": false
  },
  "event": {
    "type": "object",
    "properties": {
      "id": {
        "type": "string"
      },
      "timestamp": {
        "type": "string",
        "format": "date-time"
      },
      "name": {
        "type": "string"
      },
      "description": {
        "type": "string"
      },
      "externalFindingLink": {
        "type": "string"
      },
      "severity": {
        "$ref": "#/$defs/eventSeverity"
      },
      "mitreTacticIds": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/mitreTacticId"
        }
      },
      "mitreTacticNames": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/mitreTacticName"
        }
      },
      "mitreTechniqueIds": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/mitreTechniqueId"
        }
      },
      "mitreTechniqueNames": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/mitreTechniqueName"
        }
      },
      "principal": {
        "type": "string"
      },
      "ipAddress": {
        "type": "string"
      },
      "commandLine": {
        "type": "string"
      },
      "path": {
        "type": "string"
      },
      "hash": {
        "type": "string"
      }
    },
    "required": [
      "id",
      "timestamp",
      "name",
      "externalFindingLink",
      "severity",
      "mitreTacticIds",
      "mitreTechniqueIds"
    ],
    "additionalProperties": false
  },
  "keyValue": {
    "type": "object",
    "properties": {
      "key": {
        "type": "string"
      },
      "value": {
        "type": "string"
      }
    },
    "required": [
      "key",
      "value"
    ],
    "additionalProperties": false
  }
}


For more details about other Enforcement Actions available, see Action Library.


Was this article helpful?