Full Report
Lock down your cloud infrastructure with the new Wiz integration with Microsoft Sentinel. Gain full context, support thorough investigations, and automate your response for ultimate security.
Analysis Summary
This article describes a partnership and integration between Wiz, a cloud security platform, and Microsoft Sentinel, a SIEM/SOAR solution. As such, it primarily discusses security products, integrations, and associated defensive and analytical techniques rather than offensive malware or attacker TTPs.
The summary below reflects the tools and defensive/analytical capabilities highlighted in the source article.
# Tool/Technique: Wiz Integration with Microsoft Sentinel
## Overview
This describes a new integration capability between the Wiz cloud security platform and Microsoft Sentinel (formerly Azure Sentinel). The purpose is to break down security silos, enrich findings with context from both platforms, correlate security data across the security stack, and automate parts of the remediation workflow for joint customers operating in cloud environments.
## Technical Details
- Type: Tool Integration (Security Platform Capabilities)
- Platform: Cloud Environments (Microsoft Azure, multi-cloud environments), Microsoft Sentinel (Cloud-native SIEM/SOAR)
- Capabilities: Data consolidation, threat investigation enrichment, security metric tracking, automated remediation workflow synchronization.
- First Seen: Current announcement (implied recent or ongoing rollout)
## MITRE ATT&CK Mapping
*Note: Since this describes a defensive integration, direct offensive mappings are not applicable. The capabilities support detection and response phases.*
- T1559 - Inter-Process Communication (relevant to automated data exchange/integration)
- T1559.003 - API (for data synchronization between platforms)
## Functionality
### Core Capabilities
- **Risk and Vulnerability Management:** Consolidates Wiz issues, vulnerabilities, and audit logs into Sentinel for unified access and investigation.
- **Investigation Enrichment:** Adds context from Wiz (e.g., impacted vulnerabilities, workloads, identities) to Azure security findings.
- **Query and Analyze:** Enables use of Sentinel's rich query language over integrated security data to understand attack paths and cloud security issues.
- **Security Metrics Analysis:** Allows tracking of security metrics (Identify, Protect, Detect, Respond, Recover) over time, filterable by business unit or project.
### Advanced Features
- **Remediation Workflows (SOAR):** Synchronizes remediation steps from Sentinel back into Wiz for visibility, or triggers external actions automatically (e.g., notifying owners, paging on-call teams, updating Jira cases).
- **Cloud Security Correlation:** Addresses challenges of varied logging formats and high data velocity in multi-cloud setups by standardizing and correlating data.
## Indicators of Compromise
As this describes a defensive security integration, specific offensive IoCs are not provided. The content focuses on *defending* against threats within cloud environments.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
N/A (This is a description of a commercial security tool integration.)
## Detection Methods
The content describes utilizing Microsoft Sentinel's capabilities for detection:
- **Signature-based detection:** Implied via leveraging existing threat intelligence fed into Sentinel.
- **Behavioral detection:** Achieved through advanced correlation and attack path analysis across cloud service logs housed in Sentinel.
- **YARA rules:** Not explicitly mentioned, but a capability of Sentinel if deployed.
## Mitigation Strategies
The integration itself serves as a major mitigation and detection enhancement strategy.
- **Data Consolidation:** Centralizing security data (Wiz findings + Azure logs) reduces visibility gaps inherent in multi-cloud setups.
- **Automated Response:** Utilizing SOAR capabilities in Sentinel to rapidly trigger remediation workflows based on correlated findings.
- **Proactive Risk Tracking:** Analyzing metrics over time (Identify, Protect, Detect, Respond, Recover) to continuously reduce the overall security posture risk score.
## Related Tools/Techniques
- **Microsoft Sentinel:** Cloud-native SIEM and SOAR solution.
- **Traditional SIEMs:** Mentioned as systems that often struggle with cloud security correlation and context.
- **Cloud Security Posture Management (CSPM):** Implied function of the Wiz platform components being integrated.