cspm.wiz
Introduction
The tags beginning with cspm.wiz identify events generated by Wiz.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as cspm.wiz. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
For more information, see About Devo tags.
How to send data to Devo
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in this article.
Table structure
These are the fields displayed in these tables:
cspm.wiz.audit.default
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
id | | |
action | | |
request_id | | |
status | | |
timestamp | | |
action_client_id | | |
action_groups | | |
action_name | | |
action_products | | |
action_role | | |
action_scopes | | |
action_user_email | | |
action_user_id | | |
action_userpool_id | | |
user_agent | | |
source_ip | | |
source_ipv4 | | |
source_ipv6 | | |
service_account_id | | |
service_account_name | | |
user | | |
at_devo_pulling_id | | |
is_flattened | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
cspm.wiz.cloud_configuration.default
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
id | | |
target_external_id | | |
target_object_provider_unique_id | | |
first_seen_at | | |
severity | | |
result | | |
status | | |
remediation | | |
resource_id | | |
resource_provider_id | | |
resource_name | | |
resource_native_type | | |
resource_type | | |
resource_region | | |
resource_subscription | | |
resource_projects | | |
resource_tags | | |
rule_id | | |
rule_graph_id | | |
rule_name | | |
rule_description | | |
rule_remediation_instructions | | |
rule_function_as_control | | |
security_sub_categories | | |
ignore_rules | | |
at_devo_pulling_id | | |
is_flattened | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
cspm.wiz.cloud_event.default
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
id | | |
name | | |
kind | | |
origin | | |
severity | | |
external_id | | |
external_name | | |
cloud_platform | | |
timestamp | | |
cloud_native_service | | |
category | | |
actor_id | | |
actor_external_id | | |
actor_provider_unique_id | | |
actor_type | | |
actor_cloud_account | | |
actor_is_external_cloud_account | | |
actor_friendly_name | | |
actor_name | | |
actor_email | | |
actor_user_agent | | |
actor_ip | | |
actor_ipv4 | | |
actor_ipv6 | | |
actor_ip_meta_country | | |
actor_ip_meta_country_code | | |
actor_ip_meta_city | | |
actor_ip_meta_reputation | | |
actor_ip_meta_reputation_source | | |
actor_ip_meta_reputation_description | | |
is_foreign_actor_ip | | |
subject_resource_id | | |
subject_resource_external_id | | |
subject_resource_provider_unique_id | | |
subject_resource_type | | |
subject_resource_native_type | | |
subject_resource_name | | |
subject_resource_hostname | | |
subject_resource_cloud_account_id | | |
subject_resource_cloud_account_external_id | | |
subject_resource_cloud_account_name | | |
subject_resource_cloud_account_cloud_provider | | |
subject_resource_cloud_account_linked_projects | | |
subject_resource_region | | |
subject_resource_tags | | |
subject_resource_open_to_all_internet | | |
subject_resource_has_sensitive_data | | |
subject_resource_kubernetes_cluster_id | | |
subject_resource_kubernetes_cluster_name | | |
subject_resource_kubernetes_cluster_type | | |
subject_resource_kubernetes_namespace_id | | |
subject_resource_kubernetes_namespace_name | | |
subject_resource_kubernetes_namespace_type | | |
subject_resource_kubernetes_flavor | | |
subject_resource_container_service | | |
cloud_provider_url | | |
file_path | | |
hash | | |
at_devo_pulling_id | | |
is_flattened | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
cspm.wiz.issues.default
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
version | | split(tag, '.', 4) | tag | |
format | | split(tag, '.', 5) | tag | |
id | | | | |
control_id | | | | |
control_name | | | | |
query_relationships | | | | |
query_select | | | | |
query_type | | | | |
security_sub_categories | | | | |
created_at | | | | |
updated_at | | | | |
projects | | | | |
status | | | | |
severity | | | | |
entity_id | | | | |
entity_name | | | | |
entity_type | | | | |
entity_snapshot_id | | | | |
entity_snapshot_type | | | | |
entity_snapshot_nativeType | | | | |
entity_snapshot_name | | | | |
entity_snapshot_subscription_id | | | | |
entity_snapshot_subscription_external_id | | | | |
entity_snapshot_subscription_name | | | | |
entity_snapshot_resource_group_id | | | | |
entity_snapshot_resource_group_externalId | | | | |
entity_snapshot_region | | | | |
entity_snapshot_cloud_platform | | | | |
entity_snapshot_cloud_provider_url | | | | |
entity_snapshot_provider_id | | | | |
entity_snapshot_status | | | | |
entity_snapshot_aws_autoscaling_group_name | | | | |
entity_snapshot_aws_ec2_fleet_id | | | | |
entity_snapshot_aws_ec2launchtemplate_id | | | | |
entity_snapshot_aws_ec2launchtemplate_version | | | | |
entity_snapshot_eks_cluster_name | | | | |
entity_snapshot_eks_nodegroup_name | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_enabled | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_pulumi_project | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_pulumi_stack | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_topology_kubernetes_io_zone | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_csi_ready | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_cluster_name | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_disk_size | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_node_group_type | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_outpost_id | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_dc | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_region | | | | |
entity_snapshot_k8s_io_cluster_autoscaler_wiz_orchestrator_eks_cluster_go_uxyracz1 | | | | |
entity_snapshot_kubernetes_io_cluster_wiz_orchestrator_eks_cluster_go_uxyracz1 | | | | |
entity_snapshot_pulumi_project | | | | |
entity_snapshot_pulumi_stack | | | | |
entity_snapshot_topology_ebs_csi_aws_com_zone | | | | |
entity_snapshot_wiz | | | | |
entity_snapshot_wiz_dc | | | | |
entity_snapshot_wiz_region | | | | |
entity_snapshot_wiz_outpost_id | | | | |
note | | | | |
service_ticket | | | | |
service_tickets | | | | |
at_devo_pulling_id | | | | |
is_flattened | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
cspm.wiz.system_activity.default
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
id | | |
name | | |
trigger_type | | |
triggered_by_id | | |
created_at | | |
started_at | | |
ended_at | | |
status | | |
status_info | | |
summary | | |
group_id | | |
at_devo_pulling_id | | |
is_flattened | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
cspm.wiz.vulnerabilities.default
Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
id | | |
portal_url | | |
name | | |
cve_description | | |
cvss_severity | | |
score | | |
exploitability_score | | |
impact_score | | |
data_source_name | | |
has_exploit | | |
has_cisa_kev_exploit | | |
status | | |
vendor_severity | | |
first_detected_at | | |
last_detected_at | | |
resolved_at | | |
description | | |
remediation | | |
detailed_name | | |
version | | |
fixed_version | | |
detection_method | | |
link | | |
location_path | | |
resolution_reason | | |
epss_severity | | |
epss_percentile | | |
epss_probability | | |
validated_in_runtime | | |
layer_id | | |
layer_details | | |
layer_is_base_layer | | |
projects | | |
ignore_rules | | |
asset_id | | |
asset_type | | |
asset_name | | |
asset_region | | ✓ |
asset_provider_unique_id | | ✓ |
asset_cloud_provider_url | | ✓ |