This guide supports both Wiz Cloud and Wiz Defend integrations — the instructions are largely the same, but differences are noted where applicable.
Expel analyzes over 380 Wiz Issue types for evidence of post-exploit behavior, including issues from Wiz’s Kubernetes runtime sensor. Integrating your Wiz tenant with Workbench allows Expel to create a bi-directional service integration that provides our analysts with access to your Wiz service environments. This means Expel will be able to do all of the following on your behalf:
- Retrieve issues from Wiz related to control and threat detection investigations for the Cloud environments
- Collect necessary data from the Wiz platform, as needed, to perform certain MDR assessments
- Enhance certain Wiz Issues with Expel updates by adding information about the MDR analysis and related investigative activities that are taking place
- Change the Wiz status for certain Issues from “Open” to “In Progress” (active investigation is ongoing) or “Rejected” (suppressed or found to be benign)
- Access your Wiz service from the Expel Workbench in order to perform additional triage activities, assess specific types of Wiz Issues, and validate verifiable threats by conducting advanced querying and utilizing log data
Prerequisites
- You must have a Wiz Advanced Tier License so that you can grant us access to your cloud services data.
- You must have access to Wiz as a role with write permission on the Settings > Deployments (Integrations) page. This account will be used to configure the API and webhook integrations.
- You must be able to add Expel as a new user in Wiz, which will grant us access to your console. This account is required for Expel to be able to triage and investigate Wiz issues.
- If you are using Wiz in a GovCloud environment, please contact your Customer Success Manager (CSM) or Expel Support to assist you in completing a required legal addendum to allow GovCloud ingestion of events for your integration.
Quick Links
The setup process involves seven steps (select any step for detailed instructions):
- Add an Expel API Integration in Wiz
- Add Wiz as a Security Device in Workbench
- Set Up Wiz Console Access for Expel
- Review Synchronization Rules
- Obtain the Webhook Credentials in Workbench
- Add an Expel Webhook Integration in Wiz
- Add an Automation Rule for Expel in Wiz
You can check the health of your Wiz integration in Workbench by going to Organization Settings > Security Devices and looking for the Wiz device, then checking the “Status” column.
Note:
The Expel API integration in Wiz assigns a fixed set of service account permissions that Expel requires (see Step 1). Make sure to do the Wiz setup first; the Workbench setup will ask for the client ID, client secret, and API endpoint URL from the Wiz setup.
In addition, while not required, Expel recommends also adding AWS, Azure, GCP, and OCI integrations as log sources to assist in providing more advanced and in-depth investigations within Workbench.
Step 1: Add an Expel API Integration in Wiz
The first step is to create a service account so that Expel can connect to your Wiz account via an API.
- Log in to Wiz and using the left side menu, navigate to Settings > Deployments.
- Select Add Deployment.
- In the search bar, enter "Expel" and select Expel API.
- On the New Expel API Integration page, configure the settings as follows:
- Name - enter "Expel Workbench".
- Scope - leave All Projects selected. This is recommended to ensure Expel receives data from all of your Wiz environment.
- Permissions - review the permissions required for the service account for this integration. These are not editable.
- Select Add Integration.
- On the New Service Account Credentials page, copy and save the Client ID, Client Secret, API Endpoint URL, and API Authentication URL to a safe place for use in a later step. These credentials will not be accessible again, so be sure to record them now.
- Select Done.
- Confirm your new integration was added to the Integration tab of the Deployments page. It may take up to 24 hours for the status of your integration to transition to Active or Inactive.
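Because the Client Secret is shown only once, it is worth confirming that the values you saved actually work before entering them in Workbench in Step 2. The script below is an added example, not Expel's or Wiz's code. It reads the four saved values from environment variables whose names (WIZ_AUTH_URL, WIZ_API_URL, WIZ_CLIENT_ID, WIZ_CLIENT_SECRET) are chosen here, requests a token using the OAuth2 client-credentials form from Wiz's public API authentication documentation (grant_type=client_credentials, audience=wiz-api), and reports the token's audience and expiry without ever printing the token itself. The API Endpoint URL is only echoed for the record; no GraphQL call is made.

```python
"""
Check the Wiz service-account credentials saved in Step 1 before handing
them to Expel.  Added example, not Expel's or Wiz's code.

Assumptions (not from the guide):
  * Values come from WIZ_AUTH_URL (API Authentication URL), WIZ_API_URL
    (API Endpoint URL), WIZ_CLIENT_ID and WIZ_CLIENT_SECRET.
  * The token request is the client-credentials form in Wiz's public API
    docs: grant_type=client_credentials, audience=wiz-api.
The access token is a JWT; its claims are decoded WITHOUT signature
verification, for inspection only, and the token is never printed.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def build_token_request(auth_url: str, client_id: str, client_secret: str):
    """Return (url, form-encoded body bytes) for the client-credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "audience": "wiz-api",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return auth_url, body


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT's payload segment without verifying the signature.

    Inspection only (expiry, audience); never base an authorization
    decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected three dot-separated segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def summarize_token(token: str, now_ts: float = None) -> dict:
    """Report audience, expiry and remaining lifetime; now_ts overrides the clock."""
    claims = decode_jwt_claims(token)
    now_ts = now_ts if now_ts is not None else datetime.now(timezone.utc).timestamp()
    exp_ts = float(claims["exp"])
    return {
        "aud": claims.get("aud"),
        "expires_at": datetime.fromtimestamp(exp_ts, tz=timezone.utc).isoformat(),
        "seconds_left": int(exp_ts - now_ts),
        "valid": exp_ts > now_ts,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for offline testing only.

    Real Wiz tokens are signed; this mirrors only the wire format so the
    decoding path can be exercised without network access.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def fetch_token(auth_url: str, client_id: str, client_secret: str, timeout: int = 15) -> str:
    """POST the client-credentials grant and return the access token string."""
    url, body = build_token_request(auth_url, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def main() -> int:
    names = ("WIZ_AUTH_URL", "WIZ_API_URL", "WIZ_CLIENT_ID", "WIZ_CLIENT_SECRET")
    missing = [n for n in names if n not in os.environ]
    if missing:
        print(f"missing environment variable(s): {', '.join(missing)}", file=sys.stderr)
        return 2
    env = {n: os.environ[n] for n in names}
    try:
        token = fetch_token(env["WIZ_AUTH_URL"], env["WIZ_CLIENT_ID"], env["WIZ_CLIENT_SECRET"])
    except urllib.error.HTTPError as e:
        # 401/403 here means the Client ID/Secret pair you saved is wrong or revoked.
        print(f"token request rejected: HTTP {e.code}", file=sys.stderr)
        return 1
    info = summarize_token(token)
    print(f"token OK for {env['WIZ_API_URL']}: aud={info['aud']} "
          f"expires={info['expires_at']} ({info['seconds_left']}s left)")
    return 0 if info["valid"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the four variables exported in your shell; a non-zero exit means the pair should be recreated in Wiz rather than entered into Workbench. Keep the secret out of shell history (read it from a secrets manager or `read -s`) since it grants the same access you are about to give Expel.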
Step 2: Add Wiz as a Security Device in Workbench
Now that you have created a new API Integration for Expel in Wiz, you can configure the integration in Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select the Add Security Device button.
- In the search box, type “Wiz” and then select the Wiz integration.
- Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName Wiz”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Wiz API Endpoint URL - enter the API Endpoint URL you saved from your Wiz settings.
- Client ID - enter the Client ID you received when creating the service account in Wiz.
- Client secret - enter the Client Secret you received when creating the service account in Wiz.
- Select Save.
- Next, set up console access.
- From the dropdown that displays on the next screen, under “How will you access the console?”, choose Set Up Now.
- Select Save.
- A confirmation message displays indicating your device has been created. Select Done.
- If you are using Wiz in a GovCloud environment, please contact your CSM or Expel Support to assist you in completing the required legal addendum. Once complete, Expel will manually enable event ingestion for the integration and the device will appear healthy in Workbench.
Step 3: Set Up Wiz Console Access for Expel
Expel requires Wiz console access to allow analysts to perform investigation and triage. Without this additional level of information, alerts cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.
To configure Wiz console access properly, you will need to add Expel as an accepted domain in your Wiz tenant and then create a user account for Expel in your Wiz tenant. These steps must be performed in the correct order, and by following the instructions given below.
First, add Expel as an accepted domain:
- In the Wiz side menu, hover over the round Settings icon.
- Then, select Access Management and choose SSO & Login Security.
- Use the Copy button to copy the Wiz Domain Verification Code (a domain verification record that is unique to each Wiz tenant). Save it to a safe place, as you will need to send it to Expel.
- Select Save.
- Send the code via email to support@expel.com with the subject line of “Wiz Integration,” or open a ticket through Zendesk (accessed through Workbench). We will need to validate this record internally before you can continue, so pause here until you hear back from us.
- After Expel notifies you that the record has been validated, you can continue with the instructions below.
Note:
If you move on to the next step before the domain verification record has been validated, the integration will not work. Please wait to hear back from our support team before continuing.
Next, add a user account for Expel:
- If you are not still logged in to your Wiz console, log back in and select the round Settings icon.
- Then, select Access Management and choose SSO & Login Security.
- Add “expel.io” to your list of domains that can access the Wiz portal.
- In the left menu bar, select User Management.
- Select the Invite User button.
- Configure the user with the following information:
- Name - enter “Expel Analyst”
- Email - enter “soc+<Your_Organization_Name>@expel.io”
- For example, if your organization were Acme Corp, the format would be "soc+acme_corp@expel.io".
- Identity Provider - leave as is; it should default to “Wiz” and not be editable
- Role - select “Global Incident Response Analyst” from the dropdown menu
- Expiration Date - leave as is; do not select an expiration date
- Select Invite User.
- An invite will be sent to Expel, and a member of the support team will accept the invite.
- The support team will then set up two-factor authentication for the user account and update the Wiz security device in Workbench on your behalf.
Step 4: Review Synchronization Rules
Important: Wiz status syncing is only available for Wiz Cloud alerts, not Wiz Defend alerts.
If you have granted Expel access to your Wiz console in Step 3, we will simultaneously enable synchronization rules for your integration at the time that your device is onboarded. These rules define what, if any, action Expel will take based on a Wiz Issue and its resulting investigation (see the chart below for detailed information). You should be aware of these rules because they are what allow us to sync Workbench status updates with your Wiz console.
Note:
Wiz updates its new and current Issue information once every 24 hours. Because of this schedule, Expel polls for Wiz Issue information every 12 hours. In most cases, you can expect the Wiz console and Workbench status to sync within one calendar day.
If you would like more information about these rules, please reach out to our support team. Wiz synchronization rules cannot be viewed or edited in Workbench; however, they can be disabled (instructions follow this chart).
| Rule | Expel’s Actions in the Wiz Console on Your Behalf |
| --- | --- |
| Expel Alert Created | |
| Expel Alert Closed | |
| Expel Alert Reopened | |
| Expel Alert Suppressed (Workbench) | |
| Expel Alert Suppressed (Detections) | |
| Expel Alert to Investigation | |
| Investigation to Incident | |
| Investigation Reopened | |
| Investigation Closed | |
| Incident Closed | |
| Wiz Issue Matches No Expel Detections | |
You may disable these synchronization rules if you wish; however, Expel will then not be able to sync with your Wiz console as part of your integration. Taking this action disables all synchronization rules (rules cannot be changed individually), so it is not recommended.
If you decide you want to disable:
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > My Organizations.
- Select your organization name.
- Select the Integrations tab.
- Scroll down to Wiz and select the pencil icon.
- Select your Wiz device and choose Disable.
If you change your mind and would like to re-enable these rules, you can do so from the same screen. You should avoid choosing the Disconnect & Delete option unless you are removing Wiz functionality permanently.
Step 5: Obtain the Webhook Credentials in Workbench
- In the Workbench side menu, navigate to Organization Settings > Security Devices.
- Locate your existing Wiz security device.
- Select the arrow beside the device name, then select Edit from the dropdown menu.
- Copy and save the following values to a safe place, as you will need to provide these in Wiz in a later step:
- Webhook URL
- Webhook username
- Webhook password
Step 6: Add an Expel Webhook Integration in Wiz
- In the Wiz side menu, navigate to Settings > Deployments.
- Select Add Deployment.
- In the search bar, enter "Expel" and select Expel Webhook.
- On the New Expel Webhook Integration page, configure the settings as follows:
- Name - enter "Expel Webhook".
- Scope - leave All Projects selected. This is recommended to ensure Expel receives data from all of your Wiz environment.
- URL - enter the Webhook URL value from Step 5.
- Username - enter the Webhook username value from Step 5.
- Password - enter the Webhook password value from Step 5.
- Select Add Integration. Note: it may take up to 24 hours for the new integration's status to transition to Active or Inactive.
Step 7: Add an Automation Rule for Expel in Wiz
- In the Wiz side menu, navigate to Policies > Response > Automation Rules.
- Select Add Rule.
- On the New Automation Rule page, configure the settings as follows:
- Name - enter "Expel Webhook Rule".
- Description (optional) - provide a description of the rule.
- Scope - leave All Projects selected.
- Configure the Rule Conditions section as follows:
- WHEN the following trigger occurs:
- For Wiz Cloud, select Issue from the dropdown, then leave only Created checked in the second dropdown.
- For Wiz Defend, select Detection from the dropdown. Created will be automatically selected along with this option.
- IF all of the following match - select Add Filter > Severity and then select every severity level checkbox.
- THEN perform the following actions - select Add Action and then choose the Webhook integration you just created.
- Select Continue.
- On the Add Action page, select Test to verify a successful result. If the test fails, please make sure your configurations from Step 6 and Step 7 are correct.
- Select OK.
- Select Add Action.
- Scroll to the bottom of the page to preview the existing Detections that match the selected "IF" filters. Verify that the filter results match your expectations.
- Select Add Rule.
To verify that the integration is working correctly, check the Integrations tab on the Deployments page of the Wiz console. The Expel Webhook integration should show an "Active" status (the status may take up to 24 hours to update after configuration). This page should also list the Automation Rule you configured; the rule shows which Detections match the conditions you created, so you can anticipate what will be sent through the webhook.
Once the Webhook is in "Active" status, detections that trigger in your environment will typically appear in Workbench within 3-5 minutes.
To check if alerts are coming through, navigate to the Alerts Analysis page in Workbench. Wiz Cloud alerts will be prepended with "Wiz Cloud" in the alert name and Wiz Defend alerts will be prepended with "Wiz Defend".