Wiz Alert Passthrough Rule
This is a third-party alert feed, not a detection over modeled telemetry. Another security product raised the finding; this rule forwards or reshapes it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.
This rule enriches and contextualizes security alerts generated by Wiz.
Rule body

```yaml
AnalysisType: rule
RuleID: Wiz.Alert.Passthrough
Description: This rule enriches and contextualizes security alerts generated by Wiz.
DisplayName: Wiz Alert Passthrough Rule
Runbook: Review the Wiz alert details to determine what malicious behavior was detected, and whether or not it was blocked.
Reference: https://www.wiz.io/product
Enabled: true
Filename: wiz_alert_passthrough.py
Severity: Medium
LogTypes:
  - Wiz.Issues
DedupPeriodMinutes: 720
Threshold: 1
Tests:
  - Name: Open Alert
    ExpectedResult: true
    Log:
      {
        "createdAt": "2024-06-04 02:28:06.763277000",
        "entitySnapshot": {
          "cloudProviderURL": "",
          "externalId": "someExternalId",
          "id": "12345",
          "name": "someName",
          "nativeType": "",
          "providerId": "someProviderId",
          "region": "",
          "resourceGroupExternalId": "",
          "subscriptionExternalId": "",
          "subscriptionName": "",
          "tags": { },
          "type": "DATA_FINDING"
        },
        "id": "54321",
        "notes": [ ],
        "projects": [
          {
            "businessUnit": "",
            "id": "45678",
            "name": "Project 2",
            "riskProfile": {
              "businessImpact": "MBI"
            },
            "slug": "project-2"
          },
        ],
        "serviceTickets": [ ],
        "severity": "HIGH",
        "sourceRule": {
          "__typename": "Control",
          "controlDescription": "Alert Description",
          "id": "12345",
          "name": "Alert Name",
          "resolutionRecommendation": "Alert Resolution Recommendation",
          "securitySubCategories": [
            {
              "category": {
                "framework": {
                  "name": "Wiz for Risk Assessment"
                },
                "name": "High Profile Threats"
              },
              "title": "High-profile vulnerability exploited in the wild"
            },
            {
              "category": {
                "framework": {
                  "name": "MITRE ATT&CK Matrix"
                },
                "name": "TA0001 Initial Access"
              },
              "title": "T1190 Exploit Public-Facing Application"
            },
          ]
        },
        "status": "OPEN",
        "statusChangedAt": "2024-06-04 02:28:06.597355000",
        "type": "TOXIC_COMBINATION",
        "updatedAt": "2024-06-04 02:28:06.763277000"
      }
  - Name: Low-Severity Open Alert
    ExpectedResult: true
    Log:
      {
        "createdAt": "2024-06-04 02:28:06.763277000",
        "entitySnapshot": {
          "cloudProviderURL": "",
          "externalId": "someExternalId",
          "id": "12345",
          "name": "someName",
          "nativeType": "",
          "providerId": "someProviderId",
          "region": "",
          "resourceGroupExternalId": "",
          "subscriptionExternalId": "",
          "subscriptionName": "",
          "tags": { },
          "type": "DATA_FINDING"
        },
        "id": "54321",
        "notes": [ ],
        "projects": [
          {
            "businessUnit": "",
            "id": "45678",
            "name": "Project 2",
            "riskProfile": {
              "businessImpact": "MBI"
            },
            "slug": "project-2"
          },
        ],
        "serviceTickets": [ ],
        "severity": "LOW",
        "sourceRule": {
          "__typename": "Control",
          "controlDescription": "Alert Description",
          "id": "12345",
          "name": "Alert Name",
          "resolutionRecommendation": "Alert Resolution Recommendation",
          "securitySubCategories": [
            {
              "category": {
                "framework": {
                  "name": "Wiz for Risk Assessment"
                },
                "name": "High Profile Threats"
              },
              "title": "High-profile vulnerability exploited in the wild"
            },
            {
              "category": {
                "framework": {
                  "name": "MITRE ATT&CK Matrix"
                },
                "name": "TA0001 Initial Access"
              },
              "title": "T1190 Exploit Public-Facing Application"
            },
          ]
        },
        "status": "OPEN",
        "statusChangedAt": "2024-06-04 02:28:06.597355000",
        "type": "TOXIC_COMBINATION",
        "updatedAt": "2024-06-04 02:28:06.763277000"
      }
  - Name: Resolved Alert
    ExpectedResult: false
    Log:
      {
        "createdAt": "2024-06-04 02:28:06.763277000",
        "entitySnapshot": {
          "cloudProviderURL": "",
          "externalId": "someExternalId",
          "id": "12345",
          "name": "someName",
          "nativeType": "",
          "providerId": "someProviderId",
          "region": "",
          "resourceGroupExternalId": "",
          "subscriptionExternalId": "",
          "subscriptionName": "",
          "tags": { },
          "type": "DATA_FINDING"
        },
        "id": "54321",
        "notes": [ ],
        "projects": [
          {
            "businessUnit": "",
            "id": "45678",
            "name": "Project 2",
            "riskProfile": {
              "businessImpact": "MBI"
            },
            "slug": "project-2"
          },
        ],
        "serviceTickets": [ ],
        "severity": "HIGH",
        "sourceRule": {
          "__typename": "Control",
          "controlDescription": "Alert Description",
          "id": "12345",
          "name": "Alert Name",
          "resolutionRecommendation": "Alert Resolution Recommendation"
        },
        "status": "RESOLVED",
        "statusChangedAt": "2024-06-04 02:28:06.597355000",
        "type": "TOXIC_COMBINATION",
        "updatedAt": "2024-06-04 02:28:06.763277000"
      }
```
Detection logic
Condition
status eq "OPEN"
severity ne "INFORMATIONAL"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| id | |
| type | |
| entity_snapshot | entitySnapshot |
| name | sourceRule.name |
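As an added example (not Panther's own wiz_alert_passthrough.py), the condition and the output fields above re-implemented as stand-alone Python and exercised against constructed Wiz events, including the edge case of an open issue with no severity field at all; the deep_get helper, the title function and its fallback text are assumptions, not something the page states.

```python
"""Stand-alone re-implementation of the Wiz passthrough condition and output
fields described on this page. Added example; not Panther's own rule code."""

# Everything except INFORMATIONAL passes through, so an event with a missing
# or unknown severity still raises an alert (only the status gate stops it).
SUPPRESSED_SEVERITY = "INFORMATIONAL"


def deep_get(event, *keys, default=None):
    """Walk nested dicts safely (assumed helper, used for sourceRule.name)."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event):
    """Condition from the page: status eq "OPEN" and severity ne "INFORMATIONAL"."""
    return event.get("status") == "OPEN" and event.get("severity") != SUPPRESSED_SEVERITY


def title(event):
    """Alert title built from the Wiz control name; the fallback text is an assumption."""
    return f"Wiz Alert: {deep_get(event, 'sourceRule', 'name', default='<unknown control>')}"


def alert_context(event):
    """The page's output fields: id, type, entity_snapshot, name (from sourceRule.name)."""
    return {
        "id": event.get("id"),
        "type": event.get("type"),
        "entity_snapshot": event.get("entitySnapshot", {}),
        "name": deep_get(event, "sourceRule", "name"),
    }


# Constructed sample events, shaped like the page's test logs but trimmed.
OPEN_HIGH = {"id": "54321", "status": "OPEN", "severity": "HIGH",
             "type": "TOXIC_COMBINATION",
             "entitySnapshot": {"id": "12345", "type": "DATA_FINDING"},
             "sourceRule": {"name": "Alert Name"}}
OPEN_INFO = {**OPEN_HIGH, "severity": "INFORMATIONAL"}   # open but suppressed
RESOLVED = {**OPEN_HIGH, "status": "RESOLVED"}            # closed, never alerts
NO_SEVERITY = {k: v for k, v in OPEN_HIGH.items() if k != "severity"}

if __name__ == "__main__":
    for label, ev in [("open/high", OPEN_HIGH), ("open/info", OPEN_INFO),
                      ("resolved", RESOLVED), ("no severity", NO_SEVERITY)]:
        print(f"{label:12} rule={rule(ev)!s:5} {title(ev)}")
```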