cspm.wiz

Introduction

The tags beginning with cspm.wiz identify events generated by Wiz.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as cspm.wiz. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| cspm.wiz.audit.default | cspm.wiz.audit.default |
| cspm.wiz.cloud_configuration.default | cspm.wiz.cloud_configuration.default |
| cspm.wiz.cloud_event.default | cspm.wiz.cloud_event.default |
| cspm.wiz.issues.default | cspm.wiz.issues.default |
| cspm.wiz.system_activity.default | cspm.wiz.system_activity.default |
| cspm.wiz.vulnerabilities.default | cspm.wiz.vulnerabilities.default |

For more information, see About Devo tags.

How to send data to Devo

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in this article.

Table structure

These are the fields displayed in these tables:

cspm.wiz.audit.default

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | str | |
| action | str | |
| request_id | str | |
| status | str | |
| timestamp | str | |
| action_client_id | str | |
| action_groups | str | |
| action_name | str | |
| action_products | str | |
| action_role | str | |
| action_scopes | str | |
| action_user_email | str | |
| action_user_id | str | |
| action_userpool_id | str | |
| user_agent | str | |
| source_ip | str | |
| source_ipv4 | ip4 | |
| source_ipv6 | ip6 | |
| service_account_id | str | |
| service_account_name | str | |
| user | str | |
| at_devo_pulling_id | str | |
| is_flattened | bool | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

cspm.wiz.cloud_configuration.default

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | str | |
| target_external_id | str | |
| target_object_provider_unique_id | str | |
| first_seen_at | timestamp | |
| severity | str | |
| result | str | |
| status | str | |
| remediation | str | |
| resource_id | str | |
| resource_provider_id | str | |
| resource_name | str | |
| resource_native_type | str | |
| resource_type | str | |
| resource_region | str | |
| resource_subscription | str | |
| resource_projects | str | |
| resource_tags | str | |
| rule_id | str | |
| rule_graph_id | str | |
| rule_name | str | |
| rule_description | str | |
| rule_remediation_instructions | str | |
| rule_function_as_control | bool | |
| security_sub_categories | str | |
| ignore_rules | str | |
| at_devo_pulling_id | str | |
| is_flattened | bool | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

cspm.wiz.cloud_event.default

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | str | |
| name | str | |
| kind | str | |
| origin | str | |
| severity | str | |
| external_id | str | |
| external_name | str | |
| cloud_platform | str | |
| timestamp | timestamp | |
| cloud_native_service | str | |
| category | str | |
| actor_id | str | |
| actor_external_id | str | |
| actor_provider_unique_id | str | |
| actor_type | str | |
| actor_cloud_account | str | |
| actor_is_external_cloud_account | bool | |
| actor_friendly_name | str | |
| actor_name | str | |
| actor_email | str | |
| actor_user_agent | str | |
| actor_ip | str | |
| actor_ipv4 | ip4 | |
| actor_ipv6 | ip6 | |
| actor_ip_meta_country | str | |
| actor_ip_meta_country_code | str | |
| actor_ip_meta_city | str | |
| actor_ip_meta_reputation | str | |
| actor_ip_meta_reputation_source | str | |
| actor_ip_meta_reputation_description | str | |
| is_foreign_actor_ip | bool | |
| subject_resource_id | str | |
| subject_resource_external_id | str | |
| subject_resource_provider_unique_id | str | |
| subject_resource_type | str | |
| subject_resource_native_type | str | |
| subject_resource_name | str | |
| subject_resource_hostname | str | |
| subject_resource_cloud_account_id | str | |
| subject_resource_cloud_account_external_id | str | |
| subject_resource_cloud_account_name | str | |
| subject_resource_cloud_account_cloud_provider | str | |
| subject_resource_cloud_account_linked_projects | str | |
| subject_resource_region | str | |
| subject_resource_tags | str | |
| subject_resource_open_to_all_internet | bool | |
| subject_resource_has_sensitive_data | bool | |
| subject_resource_kubernetes_cluster_id | str | |
| subject_resource_kubernetes_cluster_name | str | |
| subject_resource_kubernetes_cluster_type | str | |
| subject_resource_kubernetes_namespace_id | str | |
| subject_resource_kubernetes_namespace_name | str | |
| subject_resource_kubernetes_namespace_type | str | |
| subject_resource_kubernetes_flavor | str | |
| subject_resource_container_service | str | |
| cloud_provider_url | str | |
| file_path | str | |
| hash | str | |
| at_devo_pulling_id | str | |
| is_flattened | bool | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

cspm.wiz.issues.default

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| version | str | split(tag, '.', 4) | tag | |
| format | str | split(tag, '.', 5) | tag | |
| id | str | | | |
| control_id | str | | | |
| control_name | str | | | |
| query_relationships | str | | | |
| query_select | bool | | | |
| query_type | str | | | |
| security_sub_categories | str | | | |
| created_at | str | | | |
| updated_at | timestamp | | | |
| projects | str | | | |
| status | str | | | |
| severity | str | | | |
| entity_id | str | | | |
| entity_name | str | | | |
| entity_type | str | | | |
| entity_snapshot_id | str | | | |
| entity_snapshot_type | str | | | |
| entity_snapshot_nativeType | str | | | |
| entity_snapshot_name | str | | | |
| entity_snapshot_subscription_id | str | | | |
| entity_snapshot_subscription_external_id | str | | | |
| entity_snapshot_subscription_name | str | | | |
| entity_snapshot_resource_group_id | str | | | |
| entity_snapshot_resource_group_externalId | str | | | |
| entity_snapshot_region | str | | | |
| entity_snapshot_cloud_platform | str | | | |
| entity_snapshot_cloud_provider_url | str | | | |
| entity_snapshot_provider_id | str | | | |
| entity_snapshot_status | str | | | |
| entity_snapshot_aws_autoscaling_group_name | str | | | |
| entity_snapshot_aws_ec2_fleet_id | str | | | |
| entity_snapshot_aws_ec2launchtemplate_id | str | | | |
| entity_snapshot_aws_ec2launchtemplate_version | str | | | |
| entity_snapshot_eks_cluster_name | str | | | |
| entity_snapshot_eks_nodegroup_name | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_enabled | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_pulumi_project | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_pulumi_stack | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_topology_kubernetes_io_zone | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_csi_ready | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_cluster_name | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_disk_size | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_io_node_group_type | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_outpost_id | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_dc | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_node_template_label_wiz_region | str | | | |
| entity_snapshot_k8s_io_cluster_autoscaler_wiz_orchestrator_eks_cluster_go_uxyracz1 | str | | | |
| entity_snapshot_kubernetes_io_cluster_wiz_orchestrator_eks_cluster_go_uxyracz1 | str | | | |
| entity_snapshot_pulumi_project | str | | | |
| entity_snapshot_pulumi_stack | str | | | |
| entity_snapshot_topology_ebs_csi_aws_com_zone | str | | | |
| entity_snapshot_wiz | str | | | |
| entity_snapshot_wiz_dc | str | | | |
| entity_snapshot_wiz_region | str | | | |
| entity_snapshot_wiz_outpost_id | str | | | |
| note | str | | | |
| service_ticket | str | | | |
| service_tickets | str | | | |
| at_devo_pulling_id | str | | | |
| is_flattened | bool | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

cspm.wiz.system_activity.default

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | str | |
| name | str | |
| trigger_type | str | |
| triggered_by_id | str | |
| created_at | timestamp | |
| started_at | timestamp | |
| ended_at | timestamp | |
| status | str | |
| status_info | str | |
| summary | str | |
| group_id | str | |
| at_devo_pulling_id | str | |
| is_flattened | bool | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

cspm.wiz.vulnerabilities.default

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | str | |
| portal_url | str | |
| name | str | |
| cve_description | str | |
| cvss_severity | str | |
| score | float8 | |
| exploitability_score | float8 | |
| impact_score | float8 | |
| data_source_name | str | |
| has_exploit | bool | |
| has_cisa_kev_exploit | bool | |
| status | str | |
| vendor_severity | str | |
| first_detected_at | timestamp | |
| last_detected_at | timestamp | |
| resolved_at | str | |
| description | str | |
| remediation | str | |
| detailed_name | str | |
| version | str | |
| fixed_version | str | |
| detection_method | str | |
| link | str | |
| location_path | str | |
| resolution_reason | str | |
| epss_severity | str | |
| epss_percentile | float8 | |
| epss_probability | str | |
| validated_in_runtime | str | |
| layer_id | str | |
| layer_details | str | |
| layer_is_base_layer | bool | |
| projects | str | |
| ignore_rules | str | |
| asset_id | str | |
| asset_type | str | |
| asset_name | str | |
| asset_region | str | ✓ |
| asset_provider_unique_id | str | ✓ |
| asset_cloud_provider_url | str | ✓ |