Merged
21 commits
8bcf3b7
Fix logo file.
chrisberkhout May 22, 2026
33acc29
Set the right User-Agent header.
chrisberkhout May 22, 2026
df492e1
Don't use the demo env URL as a default value.
chrisberkhout May 22, 2026
621ef53
Make cloud_configuration_finding_full_posture's 24h interval configur…
chrisberkhout May 22, 2026
7bfabfe
Use updatedAt rather than analyzedAt in queries for cloud configurati…
chrisberkhout May 22, 2026
14f0d2e
Tolerate URLs with a `/graphql` path (or `/graphql/`).
chrisberkhout May 25, 2026
a67020c
Set a static request rate of 0.5 rps per data stream, increase retries.
chrisberkhout May 25, 2026
8a90238
Make Token URL a non-advanced setting.
chrisberkhout May 25, 2026
d91824f
Tell the user the interval setting 'must be 5m or longer'.
chrisberkhout May 25, 2026
78e0820
Add a screenshot of the 'config UI' (policy editor UI).
chrisberkhout May 25, 2026
45e619e
README: Clearer information about transforms and using their outputs.
chrisberkhout May 25, 2026
5f879f8
Add a labels.is_transform_source field for source and destination for…
chrisberkhout May 26, 2026
960a680
Revert "Add a labels.is_transform_source field for source and destina…
chrisberkhout May 26, 2026
fc8189b
Dashboards: no-op export.
chrisberkhout May 26, 2026
75246f0
Dashboards: use panel-level filters.
chrisberkhout May 26, 2026
62374d2
Dashboards: Remove duplicated search reference.
chrisberkhout May 26, 2026
7d72a4d
Dashboards: Remove redundant tag references.
chrisberkhout May 26, 2026
3eac3da
Dashboards: Remove Defend dashboard description for consistency, etc.
chrisberkhout May 26, 2026
fcc5d43
Dashboards: Fix nav/overview panel formatting.
chrisberkhout May 26, 2026
f4ab859
Version bump, changelog entry.
chrisberkhout May 26, 2026
13fa74f
Fix typo in manifest title.
chrisberkhout May 27, 2026
14 changes: 8 additions & 6 deletions packages/wiz/_dev/build/docs/README.md
@@ -98,16 +98,18 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
- Vulnerability data is fetched for the previous day.
- Custom headers are not supported in this integration. Only the standard Authorization header (for example, Bearer token) is used for API requests.

### Troubleshooting
### Transforms

The transforms used in the Wiz integration depend on the presence of the `event.ingested` field to function correctly.
The Wiz integration creates transforms to support [CDR](https://www.elastic.co/what-is/cloud-detection-response), for the following data streams:

When using Fleet-managed Elastic Agents, the `.fleet_final_pipeline-1` is automatically executed and ensures that the `event.ingested` field is added to all events.
| Data stream name | Transform destination alias |
|-------------------------------------------------------|-------------------------------------------------|
| `logs-wiz.vulnerability-*` | `security_solution-wiz.vulnerability_latest` |
| `logs-wiz.cloud_configuration_finding_full_posture-*` | `security_solution-wiz.misconfiguration_latest` |

However, when using standalone Elastic Agents, this pipeline is not applied, and the `event.ingested` field is not automatically added.
The source data streams contain historical events and are suitable for most uses, while the aliased transform destination indexes provide a view of the current state of Wiz findings to support Elastic Security CDR workflows. The dashboards included in the Wiz integration use the source data streams.

📌 Action Required (for standalone agents):
You must manually add the `event.ingested` field, preferably via a custom ingest pipeline (e.g., using the @custom pipeline).
The transforms use `event.ingested` as their sync field. Fleet-managed Elastic Agents add this field automatically but for other setups this field might need to be added separately.

## Logs reference

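Review bot: the replacement for the "Action Required" paragraph loses the concrete instruction. The removed text told standalone-agent users to add `event.ingested` via a custom ingest pipeline (the `@custom` pipeline), while the new closing sentence only says the field "might need to be added separately". Suggest keeping a short pointer, e.g. "for standalone agents, add `event.ingested` in a custom ingest pipeline such as the `@custom` pipeline", and adding a comma before "but" in "automatically but for other setups".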
Expand Up @@ -20,7 +20,7 @@ rules:
Content-Type:
- application/json
body: |
{"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). 
\n```\naws iam delete-access-key /\n --access-key-id <value>\n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}}
{"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-07T12:55:52.012378Z","updatedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). 
\n```\naws iam delete-access-key /\n --access-key-id <value>\n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}}
- path: /graphql
methods: ['POST']
request_headers:
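Review bot: in the added fixture line `updatedAt` is set to exactly the same value as `analyzedAt` (`2024-08-07T12:55:52.012378Z`), so the mock server cannot reveal whether the program queries and orders by `updatedAt` or still by `analyzedAt`. Give `updatedAt` a distinct, later timestamp so a regression back to `analyzedAt` would show up in the system test.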
@@ -33,4 +33,4 @@ rules:
Content-Type:
- application/json
body: |-
{"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}}],"pageInfo": {"hasNextPage": false,"endCursor": "eMJmaWVsZIkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}}
{"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}}],"pageInfo": {"hasNextPage": false,"endCursor": "eMJmaWVsZIkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}}
Expand Up @@ -27,6 +27,7 @@ rules:
"nodes": [
{
"analyzedAt": "2024-08-07T12:55:52.012378Z",
"updatedAt": "2024-08-07T12:55:52.012378Z",
"id": "1243196d-a365-589a-a8aa-13817c9877b2",
"remediation": null,
"resource": {
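Review bot: `analyzedAt` is retained alongside the new `updatedAt` in this pipeline fixture. Since this PR switches the cloud configuration finding queries to `updatedAt` (see the changelog entry), confirm the query still selects `analyzedAt`; if it does not, drop it from the fixture so the pipeline test input matches what real responses will contain.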
@@ -83,6 +84,7 @@ rules:
"nodes": [
{
"analyzedAt": "2024-08-15T11:41:17.517926Z",
"updatedAt": "2024-08-15T11:41:17.517926Z",
"id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae",
"remediation": null,
"resource": {
26 changes: 26 additions & 0 deletions packages/wiz/changelog.yml
@@ -1,4 +1,30 @@
# newer versions go on top
- version: "4.3.0"
changes:
- description: |
Server interaction fix: Set the right User-Agent header value.
type: bugfix
link: https://github.com/elastic/integrations/pull/19203
- description: |
Server interaction fix: use `updatedAt` rather than `analyzedAt` in queries for cloud configuration finding data.
type: bugfix
link: https://github.com/elastic/integrations/pull/19203
- description: |
Server interaction improvements: Set a static request rate of 0.5 rps per data stream, increase retries.
type: enhancement
link: https://github.com/elastic/integrations/pull/19203
- description: |
Settings improvements: Clear the URL default value, tolerate URLs with a `/graphql` path, make `cloud_configuration_finding_full_posture`'s 24h interval an advanced option for potential use in debugging or workarounds, make Token URL a non-advanced settings since it can vary, inform the user the interval settings must be 5m or longer.
type: enhancement
link: https://github.com/elastic/integrations/pull/19203
- description: |
Dashboard improvements: Use panel-level filters, fix the navigation/overview panel formatting.
type: enhancement
link: https://github.com/elastic/integrations/pull/19203
- description: |
Documentation improvements: Explain transforms better in the README, chang to a vector logo file, add a screenshot of the config UI.
type: enhancement
link: https://github.com/elastic/integrations/pull/19203
- version: "4.2.0"
changes:
- description: Add timestamp range filter and storage tier exclusion to latest transform source queries to reduce scan scope and improve performance.
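Review bot: typos in the added entries: "chang to a vector logo file" should read "change to a vector logo file", and "make Token URL a non-advanced settings" should be "a non-advanced setting". Capitalisation after the "Server interaction fix:" prefix is also inconsistent between the first entry ("Set") and the second ("use").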
15 changes: 11 additions & 4 deletions packages/wiz/data_stream/audit/agent/stream/cel.yml.hbs
Expand Up @@ -13,6 +13,8 @@ resource.ssl: {{ssl}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.rate_limit.limit: {{resource_rate_limit_limit}}
resource.retry.max_attempts: {{resource_retry_max_attempts}}
resource.url: {{url}}
auth.oauth2:
client.id: {{client_id}}
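Review bot: `resource.rate_limit.limit` and `resource.retry.max_attempts` are rendered unconditionally, but the manifest change in this PR declares both variables `required: false`; if a user clears the value, the template emits an empty setting and the input configuration fails to parse. Either guard them with `{{#if resource_rate_limit_limit}}` / `{{#if resource_retry_max_attempts}}` like `http_client_timeout` just above, or mark them `required: true` in the manifest.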
@@ -59,9 +61,9 @@ max_executions: {{max_executions}}
{{/if}}
program: |
state.with(
post_request(
state.url.trim_right("/") + "/graphql",
"application/json",
request(
"POST",
state.url.trim_right("/").trim_suffix("/graphql") + "/graphql",
{
"query": state.query,
"variables": {
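Review bot: the chain `trim_right("/").trim_suffix("/graphql") + "/graphql"` depends on the order of the two trims (trailing slashes first, then the path) to accept `https://host`, `https://host/graphql` and `https://host/graphql/` alike; that intent lives only in the commit message, so a one-line comment above the `request(` call would save the next reader from re-deriving it.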
@@ -77,7 +79,12 @@ program: |
}
}
}.encode_json()
).do_request().as(resp, resp.StatusCode == 200 ?
).with({
"Header": {
"Content-Type": ["application/json"],
"User-Agent": [useragent],
},
}).do_request().as(resp, resp.StatusCode == 200 ?
bytes(resp.Body).decode_json().as(body, body.?data.auditLogEntries.nodes.orValue(null) != null ?
{
"events": body.data.auditLogEntries.nodes.map(e, {
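Review bot: `useragent` is referenced in the new `User-Agent` header but is not defined anywhere in this hunk; confirm it is bound elsewhere (by the CEL input environment or earlier in the program), because an unbound identifier makes the whole program fail to compile and breaks the audit input rather than just the header.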
18 changes: 17 additions & 1 deletion packages/wiz/data_stream/audit/manifest.yml
@@ -18,7 +18,7 @@ streams:
- name: interval
type: text
title: Interval
description: Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.
description: Duration between requests to the Wiz API. Must be 5m or longer. Supported units for this parameter are h/m/s.
default: 5m
multi: false
required: true
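Review bot: "Must be 5m or longer" is advisory only; nothing in this manifest field validates the value, so a user entering `1m` is still accepted. If the package spec offers no minimum for text variables, consider stating the reason in the description (the 0.5 rps rate limit added in this PR) so the consequence of a shorter interval is clear.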
@@ -39,6 +39,22 @@ streams:
required: true
show_user: false
default: 30s
- name: resource_rate_limit_limit
type: text
title: Resource Rate Limit
description: The maximum request rate for the HTTP client, in requests per second.
multi: false
required: false
show_user: false
default: "0.5"
- name: resource_retry_max_attempts
type: text
title: Resource Retry Max Attempts
description: Maximum number of retries for the HTTP client.
multi: false
required: false
show_user: false
default: "10"
- name: max_executions
type: integer
title: Maximum Pages Per Interval
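Review bot: `resource_retry_max_attempts` is declared `type: text` with a quoted default `"10"`, whereas `max_executions` just below is `type: integer`; an integer type would reject non-numeric input in the policy editor. `resource_rate_limit_limit` does need `text` because `0.5` is not an integer, but the retry count does not.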