In the fast-evolving world of cloud security, security teams are challenged by complex environments, fragmented data flows, and overwhelming security log volumes. Staying ahead of threats means going beyond simple detection: it requires unified data integration, real-time insights, and the flexibility to adapt as risks evolve. The Wiz Webhook Source in Cribl Stream transforms how security teams handle runtime alerts and cloud risks. If you're juggling fragmented data pipelines or drowning in an avalanche of security logs, this integration will help streamline your SOC and keep you in control of your data.
Our first integration with Wiz leveraged Stream’s REST Collector functionality to pull data from their Cloud Security Platform APIs. Context contained within the Wiz Cloud Security Platform is readily available for customers to access via Wiz’s API. Rather than each customer scripting and scheduling the retrieval of this security-relevant data on their own, across their entire ecosystem of SaaS-based vendors, the collection is configured in a single Cribl UI and backed by a modern GitOps CI/CD workflow. In addition to streamlining the retrieval of security-relevant data from Wiz, Cribl Stream can quickly and securely deliver that data to the destinations of your choosing, or into Cribl Lake where it can be accessed at any time via Cribl Search.
As a certified Wiz Integration (WIN) partner, Cribl Stream acts as the intelligent pipeline for the Wiz agentless runtime security alerts. By leveraging a standard HTTP-based webhook, Stream can capture real-time alert data from Wiz, process it on the fly, and route it to your preferred destinations, whether that's a SIEM, data lake, or analytics tool.
But why does this matter? Let's dive into the top benefits that make this integration a must-have for modern cloud security teams.
Instant Visibility into Runtime Threats
Gone are the days of delayed alerts buried in silos. The Wiz Webhook Source in Cribl Stream listens on a dedicated port (think 20000-20010 for cloud deployments) and ingests gzip-compressed HTTP requests carrying Wiz alerts in real time. This push-based mechanism ensures you're not waiting on pull schedules or custom scripts. Alerts about anomalous behaviors, privilege escalations, or lateral movement in your cloud environment hit your pipeline immediately.
That means you get immediate cloud security visibility across multi-cloud setups. Security analysts get the full context needed to triage and remediate threats faster, reducing mean time to response (MTTR) from hours to minutes. Imagine correlating a suspicious API call in AWS with runtime anomalies in Azure, all unified in one stream, without the hassle of disparate tools.
Data Optimization
Raw alert data is great, but it's the processing that turns it into gold. Cribl Stream's Pipeline capabilities shine here, automatically parsing, enriching, and normalizing Wiz alerts before routing them to one or more destinations. Add custom fields via JavaScript expressions, apply conditional routing, or even buffer data with Persistent Queues to handle spikes or outages without dropping a single event.
Cribl Stream can enrich these webhook-delivered alerts from Wiz Defend with local asset, identity, and risk context, or with threat-intelligence context. Blending in these alerts and detections from Wiz Defend lets you close cloud-relevant visibility gaps while building cross-channel correlations and expanding your threat hunting capabilities.
Simplified Compliance and Risk Prioritization
Compliance isn't a one-and-done checkbox; it's an ongoing battle against evolving regulations like GDPR, SOC 2, or PCI-DSS. Our Wiz API and Webhook integrations simplify compliance and retention strategies by capturing audit, configuration, vulnerability, and now real-time alert data from Wiz and routing it straight to long-term retention systems.
Benefits:
- Regulatory Reporting - Automate feeds of compliance-focused data for audits, providing complete risk views without manual exports
- Risk Prioritization - Use enriched data to score and prioritize threats based on business impact, cutting through alert fatigue
- Cost-Effective Storage - Compress and route cloud-relevant security data into low-cost object storage while maintaining audit-ready fidelity
Operational Efficiency and Cost Savings
Why reinvent the wheel when Cribl handles the heavy lifting? Setup is a breeze: Configure the Wiz Webhook Source in the Cribl Stream UI, add authentication tokens, enable TLS for secure transit, and deploy via GitOps CI/CD… all without scripting marathons. This single-pane-of-glass approach to data retrieval means less time on plumbing and more on strategy.
On the cost front, optimized routing reduces redundancy, minimizes egress fees, and scales effortlessly with your cloud footprint. Plus, with Cribl Stream's flexible destinations, you can fan out alerts to multiple tools simultaneously (SIEM for ops, data lakes for forensics) without duplicating effort.
Wiz Webhook
Details on configuring Wiz to send data to external webhooks are found here. You will also find information on configuring their Wiz Broker for on-prem deployments, the alert structures, and default headers that Wiz includes in each alert.
You will need to configure a new Wiz Webhook Source in Cribl Stream, as shown in the screenshot below. Define the port Stream will listen on and create a token that Wiz will use to authenticate to this new webhook. In addition to the port and token, you need to provide the Cribl Stream URL when configuring the Wiz UI, which you can find under the menu Products -> Cribl -> Data Sources.

The alert below is a synthetic alert generated by Wiz for dev testing; it carries a lot of useful context, including alignment to MITRE ATT&CK.

Ready to experience these benefits firsthand? Head over to Cribl Docs for a quick setup guide or check out the Wiz Integrations page to get started. Your cloud environment will thank you!