Expel analyzes over 380 Wiz Issue types for evidence of post-exploit behavior, including issues from Wiz’s Kubernetes runtime sensor. Integrating your Wiz tenant with Workbench allows Expel to create a bi-directional service integration that provides our analysts with access to your Wiz service environments. This means Expel will be able to do all of the following on your behalf:

  • Retrieve Wiz issues related to control and threat detection investigations for your cloud environments
  • Collect necessary data from the Wiz platform, as needed, to perform certain MDR assessments
  • Enhance certain Wiz Issues with Expel updates by adding information about the MDR analysis and related investigative activities that are taking place
  • Change the Wiz status for certain Issues from “Open” to “In Progress” (active investigation is ongoing) or “Rejected” (suppressed or found to be benign)
  • Access your Wiz service from the Expel Workbench in order to perform additional triage activities, assess specific types of Wiz Issues, and validate verifiable threats by conducting advanced querying and utilizing log data

Prerequisites

  1. You must have a Wiz Advanced Tier License so that you can grant us access to your cloud services data.
  2. You must be able to add Expel as a new user in Wiz, which will grant us access to your console.

Quick Start

The setup process involves four steps (click any step for detailed instructions):

  1. Create a New Service Account in Wiz
  2. Add Wiz as a Security Device in Workbench
  3. Set up Wiz Console Access for Expel
  4. Review Synchronization Rules

You can check the health of your Wiz integration in Workbench by going to Organization Settings > Security Devices and looking for the Wiz device, then checking the “Status” column.

Note:

Expel requires you to set specific permissions during the Wiz Service Account setup as described in this guide. Make sure to do the Wiz setup first; the Workbench setup will ask for the client ID, client secret, and API URL from the Wiz setup. 

In addition, while not required, Expel recommends also adding AWS, Azure, and GCP integrations as log sources to assist in providing more advanced and in-depth investigations within Workbench.

Step 1: Create a New Service Account in Wiz

The first step is to create a service account so that Expel can connect to your Wiz account via an API.

  1. Log in to your Wiz tenant.
  2. In the top menu bar, click the round Settings icon.
  3. In the left menu bar, scroll down and click on Service Accounts.
  4. Click the Add Service Account button.
  5. On the New Service Account screen, configure the following settings:
    • Name - type “Expel Integration”
    • Type - select Custom Integration (GraphQL API)
    • Projects - leave as is (no projects selected)
    • Expiration Date - leave as is (no date selected)
  6. Still on the New Service Account screen, grant the following permissions to these API Scopes:
    • Resources - check the read:resources box
    • Issues - check the update:issues and read:issues boxes
    • Vulnerabilities - check the main box to select all permissions (this action will select both read:vulnerabilities and update:vulnerabilities)
  7. Click the Add Service Account button.
  8. Copy the Client ID and Client Secret from the confirmation screen and save them in a safe place, as they will not display again. You will also need them in the next section.
  9. Click Finish.
  10. Now, get your API Endpoint URL. Click the Profile icon in the top right of the screen, then choose User Settings.
  11. In the left menu, click on Tenant.
  12. Copy the API Endpoint URL to a safe place to use in the next section.

Step 2: Add Wiz as a Security Device in Workbench

Now that you have created a new service account for Expel, you can configure the integration in Workbench.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices.
  3. Click the Add Security Device button.
  4. In the search box, type “Wiz” and then select the Wiz integration.
  5. Complete the fields as follows:
    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName Wiz”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
    • Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
    • Wiz API Endpoint URL - enter the API Endpoint URL you saved from your Wiz Tenant settings.
    • Client ID - enter the Client ID you received when creating the service account in Wiz.
    • Client secret - enter the Client Secret you received when creating the service account in Wiz.
  6. Click Save.
  7. Next, set up console access. 
    • From the dropdown that displays on the next screen, under “How will you access the console?”, choose Set Up Now.
    • Click Save.
  8. A confirmation message displays indicating your device has been created. Click Done.

Step 3: Set up Wiz Console Access for Expel

Expel requires Wiz console access to allow analysts to perform investigation and triage. Without this additional level of information, alerts cannot be verified by our analysts and an investigation cannot be initiated.

To configure Wiz console access properly, you will need to do two things (in this order):

  1. Add Expel as an accepted domain in your Wiz tenant.
  2. Create a user account for Expel in your Wiz tenant. 

First, add Expel as an accepted domain:

  1. Log in to your Wiz tenant.
  2. In the left menu bar, hover over the round Settings icon.
  3. Then, click on Access Management and select SSO & Login Security.
  4. Scroll to the Login Restrictions section and enter “expel.io” to add it to your list of domains that can access the Wiz portal.
  5. Use the Copy button to copy the Wiz Domain Verification Code (this is an SPF record that is unique to each Wiz tenant). Save it to a safe place, as you will need to send it to Expel.
  6. Click Save.
  7. Send the code via email to support@expel.com with the subject line “Wiz Integration,” or open a ticket through Zendesk (accessed through Workbench). We will need to validate this record internally before you can continue, so pause here until you hear back from us.
  8. After Expel notifies you that the record has been validated, you can continue with the instructions below.

Note:

If you move on to the next step before the SPF record has been validated, the integration will not work. Please wait to hear back from our support team before continuing.

Next, add a user account for Expel: 

  1. If you are not still logged in to your Wiz tenant, log back in and click the round Settings icon.
  2. In the left menu bar, click on User Management.
  3. Click the Invite User button.
  4. Configure the user with the following information:
    • Name - enter “Expel Analyst”
    • Email - enter “expel_analyst@expel.io”
    • Identity Provider - leave as is; it should default to “Wiz” and not be editable
    • Role - select “Global Incident Response Analyst” from the dropdown menu
    • Expiration Date - leave as is; do not select an expiration date
  5. Click Invite User.
  6. An invite will be sent to Expel, and a member of the support team will accept the invite.
  7. The support team will then set up two-factor authentication for the user account and update the Wiz security device in Workbench on your behalf.

Step 4: Review Synchronization Rules

If you granted Expel access to your Wiz console in Step 3, we enable synchronization rules for your integration when your device is onboarded. These rules define what action, if any, Expel takes based on a Wiz Issue and its resulting investigation (see the chart below for detailed information). You should be aware of these rules because they are what allow us to sync Workbench status updates with your Wiz console.

Note:

Wiz updates its new and current Issue information once every 24 hours. Because of this schedule, Expel polls for Wiz Issue information every 12 hours. In most cases, you can expect the Wiz console and Workbench status to sync within one calendar day.

Wiz synchronization rules cannot be viewed or edited in Workbench. If you would like more information about these rules, please reach out to our support team.

The chart below lists each rule and Expel’s actions in the Wiz console on your behalf:
Expel Alert Created
  • Comment added
  • No status update made
Expel Alert Closed
  • Comment added
  • No status update made
Expel Alert Reopened
  • Status updated to “In Progress”
  • Comment also added
Expel Alert Suppressed (Workbench)
  • Status updated to “Ignored”
  • Comment added indicating the suppressed reason
Expel Alert Suppressed (Detections)
  • No action taken
Expel Alert to Investigation
  • Status updated to “In Progress”
  • Comment also added
Investigation to Incident
  • Status updated to “In Progress”
  • Comment also added
Investigation Reopened
  • Status updated to “In Progress”
  • Comment also added
Investigation Closed
  • Comment added
  • No status update made
Incident Closed
  • Comment added
  • No status update made
Wiz Issue Matches No Expel Detections
  • No action taken

You may disconnect these synchronization rules if you wish; however, Expel will then no longer be able to sync with your Wiz console as part of your integration. Disconnecting removes all synchronization rules at once (rules cannot be changed individually), so it is not recommended.

If you decide you want to disconnect:

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > My Organizations.
  3. Click on your organization name.
  4. Click on the Integrations tab.
  5. Scroll down to Wiz and click the pencil icon.
  6. Select your Wiz device and click Disconnect Expel to Wiz Sync.

If you change your mind and would like to reconnect these rules, you can do so from the same screen.