IBM · suraj-metron · Oct 13, 2025
diff --git a/Community Developed/Wiz/ReadMe.md b/Community Developed/Wiz/ReadMe.md
@@ -1,6 +1,7 @@
 ## Data Types to Retrieve from Wiz
 1. **Wiz-Workflow.xml**: This file retrieves various types of Wiz issues from the Wiz server and imports them into QRadar.
 2. **Wiz-AuditLogs-Workflow.xml**: This file retrieves different categories of Wiz audit logs from the Wiz server and imports them into QRadar.
+3. **Wiz-Detections-Workflow.xml**: This file retrieves different types of Wiz Detections from the Wiz server and imports them into QRadar.
 
 ## Collect authentication info from Wiz
 
@@ -24,7 +25,7 @@ To generate a client ID and client secret:
 1. Go to <a href="https://app.wiz.io/settings/service-accounts" target="_blank">Settings > Service Accounts</a>, then click **Add Service Account**.
 2. On the New Service Account page:
    1. Give the new service account a meaningful name, e.g. "QRadar integration".
-   2. Select the permission **read:issues** and **admin:audit**.
+   2. Select the permission **read:issues** and **admin:audit** and **read:detections**.
    3. Click **Add Service Account**.
 3. From the secret credential dialog, copy the **Client ID** and **Client Secret** to a local file or secret manager for use below.
 **Note: The Client ID and Client Secret are only shown once. Do not close the dialog without copying them to a local file or secret manager.**
@@ -59,3 +60,4 @@ Parameter Values).
 5. auth_type : The Authentication type used to fetch JWT Token from Wiz.
 6. gql_query : The GraphQL query to be used while fetching the Issues from Wiz (default GraphQL query already present).
 7. audit_logs_gql_query : The GraphQL query to be used while fetching the Audit Logs from Wiz (default GraphQL query already present).
+8. detections_gql_query : The GraphQL query to be used while fetching the Detections from Wiz (default GraphQL query already present).
diff --git a/Community Developed/Wiz/Wiz-AuditLogs-Workflow.xml b/Community Developed/Wiz/Wiz-AuditLogs-Workflow.xml
@@ -9,12 +9,13 @@
         <Parameter name="auth_type" label="Authentication Type" required="true" />
         <Parameter name="audit_logs_gql_query" label="GraphQL Query" required="true" />
         <Parameter name="gql_query" label="GraphQL Query" required="false" />
+        <Parameter name="detections_gql_query" label="GraphQL Query" required="false" />
     </Parameters>
 
 
     <Actions>
         <Log type="INFO" message="WIZ: Workflow Actions started for Audit Logs..." />
-        <Initialize path="/user_agent_header" value="127fb887-6a5e-99be-c1ef-5c62031e9614/qradar/2.0.3-v2" />
+        <Initialize path="/user_agent_header" value="127fb887-6a5e-99be-c1ef-5c62031e9614/qradar/2.0.4" />
         <If condition="/audit_bookmark != null">
             <!-- Format Date to be passed in fetching events -->
             <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/audit_bookmark}" savePath="/audit_timestamp" />

diff --git a/Community Developed/Wiz/Wiz-Detections-Workflow.xml b/Community Developed/Wiz/Wiz-Detections-Workflow.xml
@@ -0,0 +1,188 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Workflow name="Wiz" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">
+
+    <Parameters>
+        <Parameter name="client_id" label="Client ID" required="true" />
+        <Parameter name="client_secret" label="Client Secret" required="true" secret="true" />
+        <Parameter name="token_url_domain" label="JWT Auth Endpoint" required="true" />
+        <Parameter name="host" label="API Endpoint" required="true" />
+        <Parameter name="auth_type" label="Authentication Type" required="true" />
+        <Parameter name="detections_gql_query" label="Detections GraphQL Query" required="true" />
+        <Parameter name="audit_logs_gql_query" label="GraphQL Query" required="false" />
+        <Parameter name="gql_query" label="GraphQL Query" required="false" />
+    </Parameters>
+
+
+    <Actions>
+        <Log type="INFO" message="WIZ: Workflow Actions started for Detections..." />
+        <Initialize path="/user_agent_header" value="127fb887-6a5e-99be-c1ef-5c62031e9614/qradar/2.0.4" />
+        <If condition="/detection_bookmark != null">
+            <!-- Format Date to be passed in fetching events -->
+            <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/detection_bookmark}" savePath="/detection_timestamp" />
+        </If>
+
+
+        <If condition="/detection_timestamp != null">
+            <Log type="INFO" message="WIZ: Incremental Polling started for Detections. Pulling Detections from: ${/detection_timestamp}" />
+        </If>
+        <Else>
+            <!-- Set the date for 14 days before Historical Polling -->
+            <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${time() - 14 * 86400000}" savePath="/detection_timestamp" />
+            <Log type="INFO" message="WIZ: Historical Polling started. Pulling all Detections from: ${/detection_timestamp}" />
+        </Else>
+        <Set path="/detection_bookmark" value="${time()}"/>
+        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/detection_bookmark}" savePath="/before_time" />
+        <!-- Updating the GraphQL query variable for Incremental/Historical Polling  -->
+        <Set
+            path="/detection_gql_query_variables"
+            value='{
+                "first":500,
+                "filterBy": {
+                    "createdAt":{
+                        "after": "${/detection_timestamp}"
+                    }
+                },
+                "orderBy": {
+                    "field": "CREATED_AT",
+                    "direction": "DESC"
+                }
+            }' 
+        />
+
+
+        <!-- Initialize the Audience Parameter -->
+        <Initialize path="/audience_parameter" value="wiz-api" />
+
+        <If condition="'${/auth_type}' = 'auth0'">
+            <Set path="/audience_parameter" value="beyond-api" />
+        </If>
+
+        <!-- Fetch API Token -->
+        <CallEndpoint url="https://${/token_url_domain}/oauth/token" method="POST" savePath="/get_access_token">
+            <RequestHeader name="content-type" value="application/x-www-form-urlencoded" />
+            <RequestHeader name="User-Agent" value="${/user_agent_header}" />
+            <UrlEncodedFormRequestBody>
+                <Parameter name="grant_type" value="client_credentials" />
+                <Parameter name="client_id" value="${/client_id}" />
+                <Parameter name="client_secret" value="${/client_secret}" />
+                <Parameter name="audience" value="${/audience_parameter}" />
+            </UrlEncodedFormRequestBody>
+        </CallEndpoint>
+
+        <Log type="INFO" message="WIZ: Auth Token API call status code:: ${/get_access_token/status_code}" />
+
+        <!-- Handle Errors -->
+        <If condition="/get_access_token/status_code != 200">
+            <Log type="ERROR" message="WIZ: Workflow Aborting.. API Token Failure. Error:: ${/get_access_token/body}" />
+            <Abort reason="Failed requesting API token. Error: ${/get_access_token/body}" />
+        </If>
+
+        <!-- Extract the Access Token -->
+        <Set path="/access_token" value="${/get_access_token/body/access_token}" />
+
+        <Log type="INFO" message="WIZ: First API call for Detections: Using this GraphQL variable ${/detection_gql_query_variables}" />
+
+        <!-- Fetch Events -->
+        <CallEndpoint url="https://${/host}/graphql" method="POST" savePath="/get_detections">
+            <RequestHeader name="Authorization" value="Bearer ${/access_token}" />
+            <RequestHeader name="content-type" value="application/json" />
+            <RequestHeader name="User-Agent" value="${/user_agent_header}" />
+            <RequestBody type="application/json" encoding="UTF-8">
+                {
+                    "query": "${/detections_gql_query}",
+                    "variables": ${/detection_gql_query_variables}
+                }
+            </RequestBody>
+        </CallEndpoint>
+
+        <Log type="INFO" message="WIZ: First API call for Detections status code:: ${/get_detections/status_code}" />
+
+        <!-- Handle Errors -->
+        <If condition="/get_detections/status_code != 200">
+            <Log type="ERROR" message="WIZ: Workflow Aborting.. Failure while fetching Detections. Error:: ${/get_detections/body}" />
+            <Abort reason="Failed while fetching Wiz Detections. Error:: ${/get_detections/body}" />
+        </If>
+
+        <Log type="INFO" message="WIZ: First API call fetched ${count(/get_detections/body/data/detections/nodes)}  Wiz Detections" />
+
+        <!-- Post Events, if any -->
+        <If condition="count(/get_detections/body/data/detections/nodes) > 0">            
+            <PostEvents path="/get_detections/body/data/detections/nodes" source="${/host}__Detection" />
+            <Log type="INFO" message="WIZ: First API call for Detections is done. Sent ${count(/get_detections/body/data/detections/nodes)} Wiz Detection Events to QRadar" />
+
+        </If>
+
+
+        <!-- Fetch remaining events -->
+        <While condition="/get_detections/body/data/detections/pageInfo/hasNextPage">
+
+            <Set
+                path="/detection_gql_query_variables"
+                value='{
+                    "first":500,
+                    "filterBy": {
+                        "createdAt":{
+                            "after": "${/detection_timestamp}"
+                        }   
+                    },
+                    "orderBy": {
+                        "field": "CREATED_AT",
+                        "direction": "DESC"
+                    },
+                    "after": "${/get_detections/body/data/detections/pageInfo/endCursor}"
+                }' 
+            />
+
+
+
+            <Log type="INFO" message="WIZ: Paginated API call for Detections: Using this GraphQL variable : ${/detection_gql_query_variables}" />
+
+            <!-- Fetch events -->
+            <CallEndpoint url="https://${/host}/graphql" method="POST" savePath="/get_detections">
+                <RequestHeader name="Authorization" value="Bearer ${/access_token}" />
+                <RequestHeader name="content-type" value="application/json" />
+                <RequestHeader name="User-Agent" value="${/user_agent_header}" />
+                <RequestBody type="application/json" encoding="UTF-8">
+                    {
+                        "query": "${/detections_gql_query}",
+                        "variables": ${/detection_gql_query_variables}
+                    }
+                </RequestBody>
+            </CallEndpoint>
+
+            <Log type="INFO" message="WIZ: Paginated API call for Detections status code: ${/get_detections/status_code}" />
+
+            <!-- Handle Errors -->
+            <If condition="/get_detections/status_code != 200">
+                <Log type="ERROR" message="WIZ: Workflow Aborting.. Failure while fetching Detections. Error:: ${/get_detections/body}" />
+                <Abort reason="Failed while fetching Wiz Detections. Error:: ${/get_detections/body}" />
+            </If>
+
+            <Log type="INFO" message="WIZ: Paginated API call for Detections. Fetched ${count(/get_detections/body/data/detections/nodes)} Wiz Detections" />
+
+            <!-- Post Events, if any -->
+            <If condition="count(/get_detections/body/data/detections/nodes) > 0">
+                <PostEvents path="/get_detections/body/data/detections/nodes" source="${/host}__Detection" />                
+                <Log type="INFO" message="WIZ: Paginated API call for Detections is done. Sent ${count(/get_detections/body/data/detections/nodes)} Wiz Detections to QRadar" />
+            </If>
+
+
+        </While>
+        <Set path="/detection_bookmark" value="${/detection_bookmark + 1000}"/>
+        <Log type="INFO" message="WIZ: Updated the bookmark for Detections ${/detection_bookmark}." />
+        <Log type="INFO" message="WIZ: All Actions for Detections are completed." />
+
+
+    </Actions>
+
+    <Tests>
+        <DNSResolutionTest host="${/host}" />
+        <TCPConnectionTest host="${/host}" />
+        <SSLHandshakeTest host="${/host}" />
+        <DNSResolutionTest host="${/token_url_domain}" />
+        <TCPConnectionTest host="${/token_url_domain}" />
+        <SSLHandshakeTest host="${/token_url_domain}" />
+    </Tests>
+
+
+</Workflow>