Query Details

Parsing Wiz Detections

Query

WizDetectionsV3_CL
| project
    TimeGenerated,
    CreatedAt = createdAt,
    StartedAt = todatetime(timeFrame["startedAt"]),
    EndedAt = todatetime(timeFrame["endedAt"]),
    TimeFrame = timeFrame,
    Severity = severity,
    RuleSourceType = tdrSource,
    RuleId = tdrId,
    ThreatId = threatId,
    DetectionId = detectionId,
    DetectionTitle = tostring(detectionTitle),
    Description = tostring(description),
    IssueUrl = strcat(@"https://app.wiz.io/issues#~(issue~'", threatId, ")"),
    ThreatUrl = strcat(@"https://app.wiz.io/threats#~(issue~'", threatId, ")"),
    DetectionUrl = strcat(@"https://app.wiz.io/findings/detections#~(detectionId~'", detectionId, ")"),
    MitreTactics = mitreTactics,
    MitreTechniques = mitreTechniques,
    PrimaryActor = primaryActor,
    Actors = actors,
    TriggeringEventsCount = triggeringEventsCount,
    TriggeringEvents = triggeringEvents,
    ResourceType = tostring(primaryResource["type"]),
    ResourceRegion = tostring(primaryResource["region"]),
    ResourceNativeType = tostring(primaryResource["nativeType"]),
    ResourceName = tostring(primaryResource["name"]),
    ResourceStatus = tostring(primaryResource["status"]),
    ResourceCloudProviderUrl = tostring(primaryResource["cloudProviderURL"]),
    ResourceExternalId = tostring(primaryResource["externalId"]),
    ResourceProviderId = tostring(primaryResource["providerUniqueId"]),
    ResourceId = tostring(primaryResource["id"]),
    ResourceCloudAccount = primaryResource["cloudAccount"],
    ResourceCloudOrganization = primaryResource["cloudOrganization"],
    ResourceKubernetesNamespace = primaryResource["kubernetesNamespace"],
    ResourceKubernetesCluster = primaryResource["kubernetesCluster"],
    ResourceVCSRepository = primaryResource["VCSRepository"],
    PrimaryResource = primaryResource,
    Resources = resources,
    CloudAccounts = cloudAccounts,
    CloudOrganizations = cloudOrganizations

Explanation

This query extracts and organizes specific fields from the WizDetectionsV3_CL table. Here is a breakdown of what it does:

  1. Selects Columns: It selects various columns from the table, renaming some of them for clarity or convenience. For example, createdAt is renamed to CreatedAt.

  2. Converts Data Types: It converts certain fields into specific data types, such as converting startedAt and endedAt into datetime format.

  3. Constructs URLs: It creates URLs for issues, threats, and detections by concatenating strings with specific IDs from the data.

  4. Maps Data: It maps data from nested structures within the primaryResource field to more accessible columns, such as ResourceType, ResourceRegion, and ResourceName.

  5. Organizes Data: It organizes the data into a structured format, making it easier to analyze or visualize. This includes details about threats, resources, actors, and cloud accounts.

Overall, the query is designed to extract detailed detection and resource information, format it appropriately, and make it accessible for further analysis or reporting.
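As an added example that is not part of the original query page, the projection above can be reused as the first stage of a triage view: keep only recent high-severity detections, expand the MITRE tactic array so each tactic becomes its own row, and roll the result up per primary resource. The column names follow the query above; the Severity values "CRITICAL" and "HIGH" are an assumption about how Wiz labels severities and should be checked against the actual data in your workspace.

```kql
// Added example, not the original query: build a per-resource triage view
// on top of the parsed Wiz detections. Severity strings are an assumption.
let WizDetectionsParsed = WizDetectionsV3_CL
    | project
        TimeGenerated,
        Severity = severity,
        DetectionId = detectionId,
        DetectionTitle = tostring(detectionTitle),
        MitreTactics = mitreTactics,
        MitreTechniques = mitreTechniques,
        ResourceName = tostring(primaryResource["name"]),
        ResourceType = tostring(primaryResource["type"]),
        ResourceCloudAccount = primaryResource["cloudAccount"],
        DetectionUrl = strcat(@"https://app.wiz.io/findings/detections#~(detectionId~'", detectionId, ")");
WizDetectionsParsed
| where TimeGenerated > ago(24h)
| where Severity in ("CRITICAL", "HIGH")   // assumed Wiz severity labels
// mitreTactics is a dynamic array; expand it so each tactic becomes a row
| mv-expand Tactic = MitreTactics to typeof(string)
| summarize
    Detections = dcount(DetectionId),
    Tactics = make_set(Tactic),
    Titles = make_set(DetectionTitle, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleUrl = take_any(DetectionUrl)
    by ResourceName, ResourceType
| order by Detections desc
```

Note that mv-expand removes rows whose tactic array is empty, so detections Wiz did not map to a MITRE tactic disappear from this view; if those matter for your triage, summarize before expanding or filter on isnotempty(MitreTactics) in a separate query to count what was dropped.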

Details

Jose Sebastián Canós

Released: May 6, 2025

Tables

WizDetectionsV3_CL

Keywords

Wiz, Detections, Time, Threat, Detection, Mitre, Resource, Cloud, Kubernetes, VCSRepository

Operators

project, todatetime, tostring, strcat