[New Rule] Wiz Defend Promotion Alerts

rules/promotions/wiz_defend_alert_external_alerts.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2025/12/04"
+integration = ["wiz"]
+maturity = "production"
+promotion = true
+updated_date = "2025/12/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each Wiz Defend alert written to the configured indices. Enabling this rule allows you
+to immediately begin investigating Wiz Defend alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-wiz.defend-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Wiz Defend Alert External Alerts"
+note = """## Triage and analysis
+
+### Investigating Wiz Defend Alert External Alerts
+
+Wiz Defend is a cloud-native application protection platform (CNAPP) that provides real-time threat detection and response for cloud workloads, containers, and serverless applications. The rule identifies threats by monitoring specific alert events from Wiz Defend, enabling analysts to swiftly investigate and mitigate potential security incidents in cloud environments.
+
+### Possible investigation steps
+
+- Correlate the alert with recent activity on the affected cloud resource or workload to identify any unusual or suspicious behavior patterns.
+- Check for any additional alerts or logs related to the same resource, container, or cloud account to determine if this is part of a broader attack or isolated incident.
+- Investigate the source and destination IP addresses involved in the alert to assess if they are known to be malicious or associated with previous threats.
+- Analyze any processes, files, or network connections flagged in the alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary.
+- Review the Wiz Defend alert details including severity, affected resources, and recommended remediation actions.
+- Check the cloud resource configuration and security posture to identify any misconfigurations that may have contributed to the alert.
+
+### False positive analysis
+
+- Alerts triggered by routine cloud infrastructure changes or deployments can be false positives. Review the context of the alert to determine if it aligns with scheduled maintenance or deployment activities.
+- Legitimate administrative tools or automation scripts may trigger alerts. Identify and whitelist these tools if they are verified as non-threatening.
+- Development or testing environments may generate alerts for behaviors that are expected in non-production contexts. Consider creating exceptions for these environments if appropriate.
+- Security scanning or monitoring tools used by cloud operations teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations.
+- Cloud-native application behaviors that are consistent with their design but trigger alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific behaviors.
+
+### Response and remediation
+
+- Isolate the affected cloud resource or workload immediately to prevent lateral movement and further compromise within the cloud environment.
+- Analyze the specific alert details to identify the nature of the threat and any associated indicators of compromise (IOCs).
+- Remove or quarantine any malicious processes, files, or containers identified by the Wiz Defend alert to neutralize the threat.
+- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected resource.
+- Review and update cloud security group rules, network policies, and IAM permissions to prevent similar attacks.
+- Conduct a thorough scan of the cloud environment to identify any additional resources that may have been compromised or are exhibiting similar behavior.
+- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation.
+- Review and update cloud security policies and configurations to enhance detection and prevention capabilities against similar threats in the future.
+"""
+references = ["https://www.wiz.io/platform/wiz-defend", "https://www.elastic.co/docs/reference/integrations/wiz"]
+risk_score = 47
+rule_id = "f8c9e3a1-4b2d-4e5f-9a1c-6d8b0e3f4a8e"
+rule_name_override = "rule.name"
+setup = """## Setup
+
+### Wiz Defend Integration
+This rule is designed to capture alert events generated by the Wiz Defend integration and promote them as Elastic detection alerts.
+
+To capture Wiz Defend alerts, install and configure the Wiz integration to ingest alert events into the `logs-wiz.defend-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Wiz Defend events. Consider adding a rule exception for the External Alert rule to exclude event.dataset: wiz.defend to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: Wiz",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: event and event.dataset: wiz.defend
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"