Threat-315 Wiz Alert Passthrough (#1251)

* THREAT-315 Wiz Alert passthrough

* THREAT-315 Wiz Alert passthrough

* THREAT-315 Wiz Alert passthrough - fix formatting

* THREAT-315 Wiz Alert passthrough - fix formatting

* THREAT-315 Wiz Alert passthrough - updated according to comments

---------

Co-authored-by: Ariel Ropek <[email protected]>

packs/wiz.yml

@@ -0,0 +1,7 @@
+AnalysisType: pack
+PackID: PantherManaged.Wiz
+Description: Group of all Wiz detections
+DisplayName: "Panther Wiz Pack"
+PackDefinition:
+  IDs:
+    - Wiz.Alert.Passthrough

rules/wiz_rules/wiz_alert_passthrough.py

@@ -0,0 +1,44 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    return event.get("status") == "OPEN"
+
+
+def title(event):
+    return (
+        f"[Wiz Alert]: "
+        f"{event.deep_get('sourceRule', 'name', default='ALERT_DESCRIPTION_NOT_FOUND')}"
+    )
+
+
+def severity(event):
+    return event.get("severity")
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def description(event):
+    return event.deep_get("sourceRule", "controlDescription", default="<DESCRIPTION_NOT_FOUND>")
+
+
+def runbook(event):
+    return event.deep_get(
+        "sourceRule", "resolutionRecommendation", default="<RECOMMENDATION_NOT_FOUND>"
+    )
+
+
+def alert_context(event):
+    security_subcategories = event.deep_get("sourceRule", "securitySubCategories", default=[{}])
+    return {
+        "id": event.get("id", "<ID_NOT_FOUND>"),
+        "type": event.get("type", "<TYPE_NOT_FOUND>"),
+        "entity_snapshot": event.get("entitySnapshot", {}),
+        "mitre_attack_categories": [
+            subcategory
+            for subcategory in security_subcategories
+            if deep_get(subcategory, "category", "framework", "name") == "MITRE ATT&CK Matrix"
+        ],
+    }

rules/wiz_rules/wiz_alert_passthrough.yml

@@ -0,0 +1,126 @@
+AnalysisType: rule
+RuleID: Wiz.Alert.Passthrough
+Description: This rule enriches and contextualizes security alerts generated by Wiz.
+DisplayName: Wiz Alert Passthrough Rule
+Runbook: Review the Wiz alert details to determine what malicious behavior was detected, and whether or not it was blocked.
+Reference: https://www.wiz.io/product
+Enabled: true
+Filename: wiz_alert_passthrough.py
+Severity: Medium
+LogTypes:
+  - Wiz.Issues
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: Open Alert
+    ExpectedResult: true
+    Log:
+      {
+          "createdAt": "2024-06-04 02:28:06.763277000",
+          "entitySnapshot": {
+              "cloudProviderURL": "",
+              "externalId": "someExternalId",
+              "id": "12345",
+              "name": "someName",
+              "nativeType": "",
+              "providerId": "someProviderId",
+              "region": "",
+              "resourceGroupExternalId": "",
+              "subscriptionExternalId": "",
+              "subscriptionName": "",
+              "tags": { },
+              "type": "DATA_FINDING"
+          },
+          "id": "54321",
+          "notes": [ ],
+          "projects": [
+              {
+                  "businessUnit": "",
+                  "id": "45678",
+                  "name": "Project 2",
+                  "riskProfile": {
+                      "businessImpact": "MBI"
+                  },
+                  "slug": "project-2"
+              },
+          ],
+          "serviceTickets": [ ],
+          "severity": "HIGH",
+          "sourceRule": {
+              "__typename": "Control",
+              "controlDescription": "Alert Description",
+              "id": "12345",
+              "name": "Alert Name",
+              "resolutionRecommendation": "Alert Resolution Recommendation",
+              "securitySubCategories": [
+                {
+                  "category": {
+                    "framework": {
+                      "name": "Wiz for Risk Assessment"
+                    },
+                    "name": "High Profile Threats"
+                  },
+                  "title": "High-profile vulnerability exploited in the wild"
+                },
+                {
+                  "category": {
+                    "framework": {
+                      "name": "MITRE ATT&CK Matrix"
+                    },
+                    "name": "TA0001 Initial Access"
+                  },
+                  "title": "T1190 Exploit Public-Facing Application"
+                },
+              ]
+          },
+          "status": "OPEN",
+          "statusChangedAt": "2024-06-04 02:28:06.597355000",
+          "type": "TOXIC_COMBINATION",
+          "updatedAt": "2024-06-04 02:28:06.763277000"
+      }
+  - Name: Resolved Alert
+    ExpectedResult: false
+    Log:
+      {
+          "createdAt": "2024-06-04 02:28:06.763277000",
+          "entitySnapshot": {
+              "cloudProviderURL": "",
+              "externalId": "someExternalId",
+              "id": "12345",
+              "name": "someName",
+              "nativeType": "",
+              "providerId": "someProviderId",
+              "region": "",
+              "resourceGroupExternalId": "",
+              "subscriptionExternalId": "",
+              "subscriptionName": "",
+              "tags": { },
+              "type": "DATA_FINDING"
+          },
+          "id": "54321",
+          "notes": [ ],
+          "projects": [
+              {
+                  "businessUnit": "",
+                  "id": "45678",
+                  "name": "Project 2",
+                  "riskProfile": {
+                      "businessImpact": "MBI"
+                  },
+                  "slug": "project-2"
+              },
+          ],
+          "serviceTickets": [ ],
+          "severity": "HIGH",
+          "sourceRule": {
+              "__typename": "Control",
+              "controlDescription": "Alert Description",
+              "id": "12345",
+              "name": "Alert Name",
+              "resolutionRecommendation": "Alert Resolution Recommendation"
+          },
+          "status": "RESOLVED",
+          "statusChangedAt": "2024-06-04 02:28:06.597355000",
+          "type": "TOXIC_COMBINATION",
+          "updatedAt": "2024-06-04 02:28:06.763277000"
+      }