cspm.wiz

[ 1 Introduction ] [ 2 Valid tags and data tables ] [ 3 How to send data to Devo ] [ 4 Table structure ]

Introduction

The tags beginning with cspm.wiz identify events generated by Wiz.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as cspm.wiz. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Tag	Data table

Tag	Data table
`cspm.wiz.audit.default`	`cspm.wiz.audit.default`
`cspm.wiz.cloud_configuration.default`	`cspm.wiz.cloud_configuration.default`
`cspm.wiz.cloud_event.default`	`cspm.wiz.cloud_event.default`
`cspm.wiz.issues.default`	`cspm.wiz.issues.default`
`cspm.wiz.system_activity.default`	`cspm.wiz.system_activity.default`
`cspm.wiz.vulnerabilities.default`	`cspm.wiz.vulnerabilities.default`

For more information, read more About Devo tags.

How to send data to Devo

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in this article.

Table structure

These are the fields displayed in these tables:

cspm.wiz.audit.default
cspm.wiz.cloud_configuration.default
cspm.wiz.cloud_event.default
cspm.wiz.issues.default
cspm.wiz.system_activity.default
cspm.wiz.vulnerabilities.default

cspm.wiz.audit.default

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
action	`str`
request_id	`str`
status	`str`
timestamp	`str`
action_client_id	`str`
action_groups	`str`
action_name	`str`
action_products	`str`
action_role	`str`
action_scopes	`str`
action_user_email	`str`
action_user_id	`str`
action_userpool_id	`str`
user_agent	`str`
source_ip	`str`
source_ipv4	`ip4`
source_ipv6	`ip6`
service_account_id	`str`
service_account_name	`str`
user	`str`
at_devo_pulling_id	`str`
is_flattened	`bool`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

cspm.wiz.cloud_configuration.default

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
target_external_id	`str`
target_object_provider_unique_id	`str`
first_seen_at	`timestamp`
severity	`str`
result	`str`
status	`str`
remediation	`str`
resource_id	`str`
resource_provider_id	`str`
resource_name	`str`
resource_native_type	`str`
resource_type	`str`
resource_region	`str`
resource_subscription	`str`
resource_projects	`str`
resource_tags	`str`
rule_id	`str`
rule_graph_id	`str`
rule_name	`str`
rule_description	`str`
rule_remediation_instructions	`str`
rule_function_as_control	`bool`
security_sub_categories	`str`
ignore_rules	`str`
at_devo_pulling_id	`str`
is_flattened	`bool`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

cspm.wiz.cloud_event.default

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
name	`str`
kind	`str`
origin	`str`
severity	`str`
external_id	`str`
external_name	`str`
cloud_platform	`str`
timestamp	`timestamp`
cloud_native_service	`str`
category	`str`
actor_id	`str`
actor_external_id	`str`
actor_provider_unique_id	`str`
actor_type	`str`
actor_cloud_account	`str`
actor_is_external_cloud_account	`bool`
actor_friendly_name	`str`
actor_name	`str`
actor_email	`str`
actor_user_agent	`str`
actor_ip	`str`
actor_ipv4	`ip4`
actor_ipv6	`ip6`
actor_ip_meta_country	`str`
actor_ip_meta_country_code	`str`
actor_ip_meta_city	`str`
actor_ip_meta_reputation	`str`
actor_ip_meta_reputation_source	`str`
actor_ip_meta_reputation_description	`str`
is_foreign_actor_ip	`bool`
subject_resource_id	`str`
subject_resource_external_id	`str`
subject_resource_provider_unique_id	`str`
subject_resource_type	`str`
subject_resource_native_type	`str`
subject_resource_name	`str`
subject_resource_hostname	`str`
subject_resource_cloud_account_id	`str`
subject_resource_cloud_account_external_id	`str`
subject_resource_cloud_account_name	`str`
subject_resource_cloud_account_cloud_provider	`str`
subject_resource_cloud_account_linked_projects	`str`
subject_resource_region	`str`
subject_resource_tags	`str`
subject_resource_open_to_all_internet	`bool`
subject_resource_has_sensitive_data	`bool`
subject_resource_kubernetes_cluster_id	`str`
subject_resource_kubernetes_cluster_name	`str`
subject_resource_kubernetes_cluster_type	`str`
subject_resource_kubernetes_namespace_id	`str`
subject_resource_kubernetes_namespace_name	`str`
subject_resource_kubernetes_namespace_type	`str`
subject_resource_kubernetes_flavor	`str`
subject_resource_container_service	`str`
cloud_provider_url	`str`
file_path	`str`
hash	`str`
at_devo_pulling_id	`str`
is_flattened	`bool`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

cspm.wiz.issues.default

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
version	`str`	`split(tag, '.', 4)`	tag
format	`str`	`split(tag, '.', 5)`	tag
id	`str`
control_id	`str`
control_name	`str`
query_relationships	`str`
query_select	`bool`
query_type	`str`
security_sub_categories	`str`
created_at	`str`
updated_at	`timestamp`
projects	`str`
status	`str`
severity	`str`
entity_id	`str`
entity_name	`str`
entity_type	`str`
entity_snapshot_id	`str`
entity_snapshot_type	`str`
entity_snapshot_nativeType	`str`
entity_snapshot_name	`str`
entity_snapshot_subscription_id	`str`
entity_snapshot_subscription_external_id	`str`
entity_snapshot_subscription_name	`str`
entity_snapshot_resource_group_id	`str`
entity_snapshot_resource_group_externalId	`str`
entity_snapshot_region	`str`
entity_snapshot_cloud_platform	`str`
entity_snapshot_cloud_provider_url	`str`
entity_snapshot_provider_id	`str`
entity_snapshot_status	`str`
entity_snapshot_aws_autoscaling_group_name	`str`
entity_snapshot_aws_ec2_fleet_id	`str`
entity_snapshot_aws_ec2launchtemplate_id	`str`
entity_snapshot_aws_ec2launchtemplate_version	`str`
entity_snapshot_eks_cluster_name	`str`
entity_snapshot_eks_nodegroup_name	`str`
entity_snapshot_k8s_io_cluster_autoscaler_enabled	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_pulumi_project	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_pulumi_stack	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_topology_kubernetes_io_zone	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_csi_ready	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_cluster_name	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_disk_size	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_node_group_type	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_outpost_id	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_dc	`str`
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_region	`str`
entity_snapshot_k8s_io_cluster_autoscaler_wiz_orchestrator_eks_cluster_go_uxyracz1	`str`
entity_snapshot_kubernetes_io_cluster_wiz_orchestrator_eks_cluster_go_uxyracz1	`str`
entity_snapshot_pulumi_project	`str`
entity_snapshot_pulumi_stack	`str`
entity_snapshot_topology_ebs_csi_aws_com_zone	`str`
entity_snapshot_wiz	`str`
entity_snapshot_wiz_dc	`str`
entity_snapshot_wiz_region	`str`
entity_snapshot_wiz_outpost_id	`str`
note	`str`
service_ticket	`str`
service_tickets	`str`
at_devo_pulling_id	`str`
is_flattened	`bool`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`			✓

cspm.wiz.system_activity.default

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
name	`str`
trigger_type	`str`
triggered_by_id	`str`
created_at	`timestamp`
started_at	`timestamp`
ended_at	`timestamp`
status	`str`
status_info	`str`
summary	`str`
group_id	`str`
at_devo_pulling_id	`str`
is_flattened	`bool`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

cspm.wiz.vulnerabilities.default

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
portal_url	`str`
name	`str`
cve_description	`str`
cvss_severity	`str`
score	`float8`
exploitability_score	`float8`
impact_score	`float8`
data_source_name	`str`
has_exploit	`bool`
has_cisa_kev_exploit	`bool`
status	`str`
vendor_severity	`str`
first_detected_at	`timestamp`
last_detected_at	`timestamp`
resolved_at	`str`
description	`str`
remediation	`str`
detailed_name	`str`
version	`str`
fixed_version	`str`
detection_method	`str`
link	`str`
location_path	`str`
resolution_reason	`str`
epss_severity	`str`
epss_percentile	`float8`
epss_probability	`str`
validated_in_runtime	`str`
layer_id	`str`
layer_details	`str`
layer_is_base_layer	`bool`
projects	`str`
ignore_rules	`str`
asset_id	`str`
asset_type	`str`
asset_name	`str`
asset_region	`str`	✓
asset_provider_unique_id	`str`	✓
asset_cloud_provider_url	`str`	✓

Devo latest