Wiz Sensor Detections
Wiz Runtime Sensor detections are alerts surfaced by Wiz Defend based on eBPF-based runtime monitoring. These detections cover malware, suspicious processes, lateral movement, and other runtime threats observed across your cloud workloads. RunReveal polls the Wiz GraphQL API every 5 minutes to ingest detection events filtered to WIZ_SENSOR origin.
Ingest Methods
Set up the ingestion of this source using one of the following guides.
API Polling
RunReveal uses Wiz’s GraphQL API with OAuth client credentials to poll the DetectionsTableV2 query for new sensor detections.
You will need a Wiz Service Account with the following OAuth scopes:
read:detections, read:cloud_events_cloud, read:cloud_events_sensor, read:security_scans
Create a Wiz Service Account
- Sign in to your Wiz console.
- Navigate to Settings > Service Accounts.
- Click + Add Service Account.
- Give it a descriptive name (e.g. RunReveal Sensor Detections).
- Under Scopes, grant the following permissions:
- read:detections
- read:cloud_events_cloud
- read:cloud_events_sensor
- read:security_scans
- Click Create. Copy the Client ID and Client Secret immediately — the secret will not be shown again.
Identify Your Wiz API and Auth URLs
Wiz API endpoints vary by datacenter. You will need two URLs:
- Auth URL — The OAuth token endpoint (e.g. https://auth.app.wiz.io/oauth/token). This is the same for most tenants.
- API URL — The GraphQL endpoint for your tenant (e.g. https://api.us20.app.wiz.io/graphql). Check your Wiz console URL or Wiz documentation for the correct regional endpoint.
Add the Source in RunReveal
- Go to Sources in RunReveal.
- Click the Wiz Sensor Detections source tile.
- Give it a name and fill in the required fields:
- Client ID — From step 1
- Client Secret — From step 1
- Auth URL — From step 2 (defaults to https://auth.app.wiz.io/oauth/token)
- API URL — From step 2 (defaults to https://api.us20.app.wiz.io/graphql)
- Click Verify Settings and then Connect Source.
Verify It’s Working
Once added, detections should begin flowing within 5 minutes. You can validate that RunReveal is receiving your detections by running the following SQL query in Log Explorer:
SELECT * FROM runreveal.wiz_sensor_detections_logs LIMIT 10
Detection Data
Each detection event includes the following key information:
Detection Details
- Detection ID, type, severity, and description — Core alert metadata
- Created and updated timestamps — When the detection was first seen and last updated
- Remediation status — Whether the detection has been remediated
Resource Context
- Primary resource — The affected resource’s type, name, external ID, and region
- Cloud accounts — Associated cloud account IDs, names, and providers
- Issue correlation — Linked Wiz issue ID for threat grouping
Actor Information
- Primary actor — Name, type, email, access key ID, and decoded principal name
Triggering Events
- Up to 50 triggering events per detection, each containing:
- Actor IP address and timestamp
- Command line and runtime program details
- Raw audit log record with full process tree and eBPF event data
Rule Match
- Rule name, ID, and builtin flag — The detection rule that triggered the alert
Data Collection
- Collection Method: API polling every 5 minutes
- Pagination: Cursor-based, up to 500 results per page
- Event Format: JSON with normalized fields for cross-source querying
- Origin Filter: Only WIZ_SENSOR detections are collected
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: wiz_sensor_detections_logs (56 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| detectionId | String |
| detectionType | String |
| severity | String |
| description | String |
| createdAt | String |
| updatedAt | String |
| remediated | String |
| primaryResourceType | String |
| primaryResourceName | String |
| primaryResourceExternalId | String |
| primaryResourceRegion | String |
| primaryActorName | String |
| primaryActorType | String |
| primaryActorEmail | String |
| ruleName | String |
| ruleId | String |
| ruleBuiltin | String |
| issueId | String |
| cloudAccounts | String |
| triggeringEvents | String |
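The verification query in "Verify It's Working" only confirms that rows arrive. The two queries below are an added example (not part of RunReveal's documentation) showing how the columns listed in the schema above can be used for triage: the first summarises open detections per rule and severity over the last 24 hours, the second expands the triggering events of the high-priority ones. They assume RunReveal's Log Explorer accepts ClickHouse SQL, that remediated holds the string 'true' for remediated detections, that severity uses values such as 'CRITICAL' and 'HIGH', and that triggeringEvents is a JSON array with one object per event; none of those values are stated on this page, so adjust them to what your tenant actually returns.

```sql
-- Added example: open Wiz Sensor detections from the last 24 hours,
-- grouped by rule and severity. Assumes ClickHouse SQL and that the
-- String column remediated contains 'true' for remediated detections.
SELECT
    severity,
    ruleName,
    ruleId,
    ruleBuiltin,
    count()                                AS detections,
    uniqExact(primaryResourceName)         AS affected_resources,
    min(eventTime)                         AS first_seen,
    max(eventTime)                         AS last_seen,
    groupUniqArray(3)(primaryResourceName) AS sample_resources
FROM runreveal.wiz_sensor_detections_logs
WHERE eventTime >= now() - INTERVAL 24 HOUR
  AND remediated != 'true'
GROUP BY severity, ruleName, ruleId, ruleBuiltin
ORDER BY
    -- Severity values are an assumption; the page does not list them.
    multiIf(severity = 'CRITICAL', 0,
            severity = 'HIGH',     1,
            severity = 'MEDIUM',   2,
                                   3),
    detections DESC;

-- Added example: expand the triggering events of open CRITICAL/HIGH
-- detections. triggeringEvents is stored as a String; this assumes it is a
-- JSON array (one object per event, up to 50 per detection as described
-- above), so each element is returned as its raw JSON for inspection without
-- relying on any particular key names inside the event objects.
SELECT
    detectionId,
    ruleName,
    severity,
    primaryResourceName,
    primaryResourceRegion,
    primaryActorName,
    arrayJoin(JSONExtractArrayRaw(triggeringEvents)) AS triggering_event
FROM runreveal.wiz_sensor_detections_logs
WHERE eventTime >= now() - INTERVAL 24 HOUR
  AND severity IN ('CRITICAL', 'HIGH')
  AND remediated != 'true'
ORDER BY eventTime DESC
LIMIT 50;
```

The first query is a reasonable candidate for a saved detection or a dashboard panel: a rule whose affected_resources count jumps between two polling windows is worth a look even when each individual alert is low severity. The second is interactive: once you know which keys your tenant's triggering-event objects carry, replace the raw JSON column with JSONExtractString calls on the fields you care about.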