Skip to main content
Wiz uses Automation Rules to forward Threat Detections to Wirespeed in real-time via webhook.

Prerequisites

  • A Wiz tenant with admin or project-admin permissions
  • Network connectivity from Wiz to https://api.wirespeed.co

Setup in Wirespeed

  1. Login to Wirespeed and navigate to Integrations > Add Integration > Wiz
  2. Read this documentation and confirm you have completed the required setup steps
  3. Click Integrate
  4. Select Webhook Details
  5. Copy both the Webhook URL and the Webhook Secret — you’ll need both for the Wiz configuration

Setup in Wiz

Configure the webhook action first, then create the automation rule that uses it.

1. Create the Webhook Action

  1. Login to your Wiz tenant
  2. Navigate to Settings > Automation > Automation Actions
  3. Click Add Action and select Webhook
  4. Give the action a descriptive name (e.g. “Wirespeed Webhook”)
  5. In the URL field, paste the Webhook URL from Wirespeed
  6. Under Authentication, select Token (Bearer)
  7. Paste the Webhook Secret from Wirespeed as the token value — Wiz will send it as Authorization: Bearer <token>
  8. Save the action

2. Create the Automation Rule

  1. Navigate to Settings > Automation > Automation Rules
  2. Click Add Automation Rule
  3. Give the rule a descriptive name (e.g. “Forward threat detections to Wirespeed”)
  4. Configure the Trigger (When) based on what your Wiz tenant exposes:
    • If Detection is available as a trigger, select it. No additional filter is required.
    • If Detection is not available (license- or UI-dependent), select another available trigger such as Risk Issue or Cloud Event, then add a filter so the rule only fires on Threat Detection findings.
  5. Under Action, select the Wirespeed Webhook action you created above
  6. Save and enable the Automation Rule
Wirespeed authenticates incoming webhooks using a Bearer token. If the Webhook Secret is not configured on the Wiz webhook action, all webhook deliveries will be rejected with 401.

What Gets Ingested

Wirespeed receives and processes Threat Detections from Wiz — runtime security events triggered by Wiz Threat Detection Rules. Each detection is automatically normalized to OCSF and enriched with:
  • Severity — Critical, High, Medium, Low, or Informational
  • MITRE ATT&CK — Tactics and techniques mapped from the detection
  • Resources — Affected cloud resources, including cloud account, region, and resource type
  • Triggering Events — The underlying cloud events (e.g. API calls) that fired the detection, including actor IP, IP reputation, and process tree where available
Wirespeed processes Wiz Threat Detections only. Wiz Issues (misconfigurations and vulnerabilities from Controls) are not currently ingested.

Troubleshooting

Verify that your Automation Rule is enabled and that it is scoped to Threat Detections only — either via a Detection trigger, or via another trigger (e.g. Risk Issue, Cloud Event) with a filter limiting it to Threat Detection findings. Check the rule’s execution history in Wiz for errors or failed deliveries.
The rule is forwarding Cloud Findings instead of Threat Detections. Delete or disable any automation rule whose trigger is Cloud Finding / vulnerability / misconfiguration, and confirm the active rule is scoped to Threat Detection as described above.
Ensure you configured Token authentication in the Wiz Automation Rule and that the token matches the Webhook Secret shown in Wirespeed under Webhook Details. Re-copying the secret and re-saving the rule is the fastest fix.
Ensure your Wiz tenant can reach https://api.wirespeed.co on port 443. If you use IP-based firewall rules, allowlist the source IPs returned by the dataCenterInfrastructureDetails GraphQL query above.