Expel analyzes over 380 Wiz Issue types for evidence of post-exploit behavior, including issues from Wiz’s Kubernetes runtime sensor. Integrating your Wiz tenant with Workbench allows Expel to create a bi-directional service integration that provides our analysts with access to your Wiz service environments. This means Expel will be able to do all of the following on your behalf:
- Retrieve issues from Wiz related to control and threat detection investigations for the Cloud environments
- Collect necessary data from the Wiz platform, as needed, to perform certain MDR assessments
- Enhance certain Wiz Issues with Expel updates by adding information about the MDR analysis and related investigative activities that are taking place
- Change the Wiz status for certain Issues from “Open” to “In Progress” (active investigation is ongoing) or “Rejected” (suppressed or found to be benign)
- Access your Wiz service from the Expel Workbench in order to perform additional triage activities, assess specific types of Wiz Issues, and validate verifiable threats by conducting advanced querying and utilizing log data
Prerequisites
- You must have a Wiz Advanced Tier License so that you can grant us access to your cloud services data.
- You must be able to add Expel as a new user in Wiz, which will grant us access to your console.
Quick Start
The setup process involves four steps (select any step for detailed instructions):
- Create a New Service Account in Wiz
- Add Wiz as a Security Device in Workbench
- Set up Wiz Console Access for Expel
- Review Synchronization Rules
You can check the health of your Wiz integration in Workbench by going to Organization Settings > Security Devices and looking for the Wiz device, then checking the “Status” column.
Note:
Expel requires you to set specific permissions during the Wiz Service Account setup as described in this guide. Make sure to do the Wiz setup first; the Workbench setup will ask for the client ID, client secret, and API URL from the Wiz setup.
In addition, while not required, Expel recommends also adding AWS, Azure, and GCP integrations as log sources to assist in providing more advanced and in-depth investigations within Workbench.
Step 1: Create a New Service Account in Wiz
The first step is to create a service account so that Expel can connect to your Wiz account via an API.
- Log in to your Wiz tenant.
- In the top menu bar, select the round Settings icon.
- In the left menu bar, scroll down and select Service Accounts.
- Select the Add Service Account button.
- On the New Service Account screen, configure the following settings:
- Name - enter “Expel Integration”.
- Type - select Custom Integration (GraphQL API).
- Projects - leave as is (no projects selected).
- Expiration Date - leave as is (no date selected).
- Still on the New Service Account screen, grant the following permissions to these API Scopes:
- Resources - check the read:resources box.
- Issues - check the read:issues box.
- Issue Comments - check the write:issue_comments box.
- Vulnerabilities - check the main box to select all permissions (this action will select both read:vulnerabilities and update:vulnerabilities).
- Issue Status - check the write:issue_status box.
- Select the Add Service Account button.
- Copy the Client ID and Client Secret from the confirmation screen and save them in a safe place, as they will not display again. You will also need them in the next section.
- Select Finish.
- Now, get your API Endpoint URL. Select the Profile icon in the top right of the screen, then choose User Settings.
- In the left menu, select Tenant.
- Copy the API Endpoint URL to a safe place to use in the next section.
Step 2: Add Wiz as a Security Device in Workbench
Now that you have created a new service account for Expel, you can configure the integration in Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select the Add Security Device button.
- In the search box, type “Wiz” and then select the Wiz integration.
- Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName Wiz”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Wiz API Endpoint URL - enter the API Endpoint URL you saved from your Wiz Tenant settings.
- Client ID - enter the Client ID you received when creating the service account in Wiz.
- Client secret - enter the Client Secret you received when creating the service account in Wiz.
- Select Save.
Next, set up console access.
- From the dropdown that displays on the next screen, under “How will you access the console?”, choose Set Up Now.
- Select Save.
- A confirmation message displays indicating your device has been created. Select Done.
Step 3: Set up Wiz Console Access for Expel
Expel requires Wiz console access to allow analysts to perform investigation and triage. Without this additional level of information, alerts cannot be verified by our analysts and an investigation cannot be initiated.
To configure Wiz console access properly, you will need to do two things (in this order):
- Add Expel as an accepted domain in your Wiz tenant.
- Create a user account for Expel in your Wiz tenant.
First, add Expel as an accepted domain:
- Log in to your Wiz tenant.
- In the left menu bar, hover over the round Settings icon.
- Then, select Access Management and choose SSO & Login Security.
- Scroll to the Login Restrictions section and enter “expel.io” to add it to your list of domains that can access the Wiz portal.
- Use the Copy button to copy the Wiz Domain Verification Code (this is an SPF record that is unique to each Wiz tenant). Save it to a safe place, as you will need to send it to Expel.
- Select Save.
- Send the code via email to support@expel.com with the subject line of “Wiz Integration,” or open a ticket through Zendesk (accessed through Workbench). We will need to validate this record internally before you can continue, so pause here until you hear back from us.
- After Expel notifies you that the record has been validated, you can continue with the instructions below.
Note:
If you move on to the next step before the SPF record has been validated, the integration will not work. Please wait to hear back from our support team before continuing.
Next, add a user account for Expel:
- If you are not still logged in to your Wiz tenant, log back in and select the round Settings icon.
- In the left menu bar, select User Management.
- Select the Invite User button.
- Configure the user with the following information:
- Name - enter “Expel Analyst”
- Email - enter “expel_analyst@expel.io”
- Identity Provider - leave as is; it should default to “Wiz” and not be editable
- Role - select “Global Incident Response Analyst” from the dropdown menu
- Expiration Date - leave as is; do not select an expiration date
- Select Invite User.
- An invite will be sent to Expel, and a member of the support team will accept the invite.
- The support team will then set up two-factor authentication for the user account and update the Wiz security device in Workbench on your behalf.
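The service-account scopes in Step 1 and the console-access settings in Step 3 are the two places where this integration can end up either under-permissioned (calls fail) or over-permissioned (more access than Expel needs). The following is an added example, not Expel's or Wiz's code, that checks an exported Expel access configuration against the settings this guide specifies. The record shapes (`type`, `scopes`, `projects`, `expiration`, `login_restrictions`, `role`, `identity_provider`) are constructed for illustration and are not the real Wiz API or export schema; adapt the field names to whatever your export produces.

```python
"""Added example (not Expel's or Wiz's code): lint an Expel-for-Wiz access
configuration against the settings the integration guide asks for.

Record shapes below are constructed for illustration only; they are NOT the
real Wiz API or export schema.
"""
from __future__ import annotations

# API scopes the guide asks for on the "Expel Integration" service account (Step 1).
REQUIRED_SCOPES = frozenset({
    "read:resources",
    "read:issues",
    "write:issue_comments",
    "read:vulnerabilities",
    "update:vulnerabilities",
    "write:issue_status",
})
REQUIRED_TYPE = "Custom Integration (GraphQL API)"

# Console-access settings the guide asks for (Step 3).
REQUIRED_DOMAIN = "expel.io"
REQUIRED_EMAIL = "expel_analyst@expel.io"
REQUIRED_ROLE = "Global Incident Response Analyst"
REQUIRED_IDP = "Wiz"


def lint_service_account(sa: dict) -> list[str]:
    """Return findings for the service account; an empty list means it matches the guide."""
    findings: list[str] = []
    if sa.get("type") != REQUIRED_TYPE:
        findings.append(f"type is {sa.get('type')!r}, expected {REQUIRED_TYPE!r}")
    granted = set(sa.get("scopes", []))
    # Missing scopes break the integration; excess scopes violate least privilege.
    for scope in sorted(REQUIRED_SCOPES - granted):
        findings.append(f"missing scope {scope} (Expel calls needing it will fail)")
    for scope in sorted(granted - REQUIRED_SCOPES):
        findings.append(f"excess scope {scope} (not required by Expel; remove it)")
    if sa.get("projects"):
        findings.append("projects selected; the guide says leave no projects selected")
    if sa.get("expiration") is not None:
        findings.append("expiration date set; the guide says leave no date selected")
    return findings


def lint_console_access(login_restrictions: list[str], user: dict) -> list[str]:
    """Return findings for the Step 3 accepted-domain and analyst-user settings."""
    findings: list[str] = []
    domains = {d.strip().lower() for d in login_restrictions}
    if REQUIRED_DOMAIN not in domains:
        findings.append(f"{REQUIRED_DOMAIN} is not in Login Restrictions; the invite cannot be used")
    if user.get("email", "").strip().lower() != REQUIRED_EMAIL:
        findings.append(f"user email is {user.get('email')!r}, expected {REQUIRED_EMAIL!r}")
    if user.get("identity_provider") != REQUIRED_IDP:
        findings.append(f"identity provider is {user.get('identity_provider')!r}, expected {REQUIRED_IDP!r}")
    if user.get("role") != REQUIRED_ROLE:
        findings.append(f"role is {user.get('role')!r}, expected {REQUIRED_ROLE!r}")
    if user.get("expiration") is not None:
        findings.append("user expiration date set; the guide says do not select one")
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_SERVICE_ACCOUNT_OK = {
    "name": "Expel Integration",
    "type": REQUIRED_TYPE,
    "scopes": sorted(REQUIRED_SCOPES),
    "projects": [],
    "expiration": None,
}
# Same account with one scope dropped, a placeholder extra scope, and an expiry.
SAMPLE_SERVICE_ACCOUNT_BAD = {
    "name": "Expel Integration",
    "type": REQUIRED_TYPE,
    "scopes": sorted((REQUIRED_SCOPES - {"write:issue_status"}) | {"admin:all"}),
    "projects": [],
    "expiration": "2030-01-01",
}
SAMPLE_LOGIN_RESTRICTIONS_OK = ["example.com", "expel.io"]
SAMPLE_USER_OK = {
    "name": "Expel Analyst",
    "email": REQUIRED_EMAIL,
    "identity_provider": REQUIRED_IDP,
    "role": REQUIRED_ROLE,
    "expiration": None,
}

if __name__ == "__main__":
    for label, findings in (
        ("service account (ok)", lint_service_account(SAMPLE_SERVICE_ACCOUNT_OK)),
        ("service account (bad)", lint_service_account(SAMPLE_SERVICE_ACCOUNT_BAD)),
        ("console access (ok)", lint_console_access(SAMPLE_LOGIN_RESTRICTIONS_OK, SAMPLE_USER_OK)),
    ):
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it against the constructed records to see the report, or feed it your own export; any finding that starts with "excess scope" is a least-privilege deviation to remove, and any that starts with "missing scope" will surface later as a failed Expel call.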
Step 4: Review Synchronization Rules
If you have granted Expel access to your Wiz console in Step 3, we will simultaneously enable synchronization rules for your integration at the time that your device is onboarded. These rules define what, if any, action Expel will take based on a Wiz Issue and its resulting investigation (see the chart below for detailed information). You should be aware of these rules because they are what allow us to sync Workbench status updates with your Wiz console.
Note:
Wiz updates its new and current Issue information once every 24 hours. Because of this schedule, Expel polls for Wiz Issue information every 12 hours. In most cases, you can expect the Wiz console and Workbench status to sync within one calendar day.
If you would like more information about these rules, please reach out to our support team. Wiz synchronization rules cannot be viewed or edited in Workbench; however, they can be disabled (instructions follow this chart).
Rule | Expel’s Actions in the Wiz Console on Your Behalf
Expel Alert Created |
Expel Alert Closed |
Expel Alert Reopened |
Expel Alert Suppressed (Workbench) |
Expel Alert Suppressed (Detections) |
Expel Alert to Investigation |
Investigation to Incident |
Investigation Reopened |
Investigation Closed |
Incident Closed |
Wiz Issues Matches No Expel Detections |
You may disable these synchronization rules if you wish; however, Expel will then not be able to sync with your Wiz console as part of your integration. Disabling turns off all synchronization rules (rules cannot be changed individually), so it is not recommended.
If you decide you want to disable:
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > My Organizations.
- Select your organization name.
- Select the Integrations tab.
- Scroll down to Wiz and select the pencil icon.
- Select your Wiz device and choose Disable.
If you change your mind and would like to re-enable these rules, you can do so from the same screen. You should avoid choosing the Disconnect & Delete option unless you are removing Wiz functionality permanently.