# Wiz

SureCloud connects to Wiz to retrieve cloud security issues, misconfiguration findings, and vulnerability data identified by Wiz's graph-based risk assessment engine. This allows SureCloud to surface prioritised cloud risks and compliance gaps — providing evidence that cloud configuration monitoring and continuous risk assessment controls are active across your AWS, Azure, and GCP environments.

## Authentication and setup

Wiz uses OAuth 2.0 client credentials for API access. SureCloud authenticates using a Wiz service account with a dedicated Client ID and Client Secret.

{% stepper %}
{% step %}
**Create a service account in Wiz**

Log in to the Wiz portal. Navigate to **Settings → Service Accounts** and click **Create Service Account**. Name it `SureCloud CCM` and assign the **Reader** role. Click **Create** and copy the **Client ID** and **Client Secret** — the secret is only shown once.
{% endstep %}

{% step %}
**Note your Wiz API endpoint**

Your Wiz tenant has a dedicated API endpoint. It can be found in **Settings → General** under **API Endpoint URL**, or in the Wiz documentation for your tenant region (e.g. `https://api.us1.app.wiz.io/graphql`).
{% endstep %}

{% step %}
**Enter the credentials in SureCloud**

Navigate to **SureCloud → Integrations → Wiz → Connect**. Enter your Wiz API endpoint URL, the Client ID, and the Client Secret. Click **Save**.
{% endstep %}

{% step %}
**Test the connection**

Click **Test Connection**. SureCloud will authenticate against the Wiz token endpoint and execute a test GraphQL query to confirm access. A green status confirms the connection is live.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the Client Secret securely after copying it. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate it every 90 days in **Wiz → Settings → Service Accounts** and update it in **SureCloud → Integrations → Wiz → Edit Connection**.
{% endhint %}

## Endpoints

Wiz exposes its data via a single GraphQL endpoint. SureCloud uses the following GraphQL queries:

| API Call                                             | Use Case                                                                              |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------- |
| `POST /graphql` — `issues` query                     | Retrieve open cloud security issues including severity, status, and affected resource |
| `POST /graphql` — `cloudConfigurationFindings` query | Retrieve misconfiguration findings across cloud accounts                              |
| `POST /graphql` — `vulnerabilityFindings` query      | Retrieve vulnerability findings on cloud workloads                                    |
| `POST /graphql` — `connectedClouds` query            | List connected cloud accounts to confirm coverage scope                               |
| `POST /graphql` — `securityFrameworks` query         | Retrieve compliance benchmark results (e.g. CIS, NIST)                                |
| `POST /graphql` — `users` query                      | Enumerate Wiz users and their roles for access control evidence                       |

## Pagination

Wiz GraphQL queries use cursor-based pagination. SureCloud includes `first` (page size) and `after` (cursor) arguments and uses the `pageInfo.endCursor` value from each response to retrieve subsequent pages, continuing until `pageInfo.hasNextPage` is `false`.

```http
POST /graphql

{
  "query": "query issues($after: String) { issues(first: 500, after: $after) { nodes { id } pageInfo { hasNextPage endCursor } } }",
  "variables": { "after": "<value_from_previous_response>" }
}
```
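An added Python sketch (not SureCloud's or Wiz's own code) of what the Test Connection step and the pagination section above describe: the client-credentials form body, then a cursor walk over `issues` that stops when `hasNextPage` is false and refuses to spin on a repeated or empty cursor. The token URL and the `wiz-api` audience are assumptions, and the two response pages are constructed so the loop runs offline.

```python
from typing import Callable, Dict, List

# Assumed Wiz token endpoint and audience (not stated on this page); confirm for your tenant.
WIZ_TOKEN_URL = "https://auth.app.wiz.io/oauth/token"
WIZ_AUDIENCE = "wiz-api"

# The issues query from the pagination section above.
ISSUES_QUERY = ("query issues($after: String) { issues(first: 500, after: $after) "
                "{ nodes { id } pageInfo { hasNextPage endCursor } } }")

def token_request(client_id: str, client_secret: str) -> Dict[str, str]:
    """Form fields for the client-credentials grant; POST them form-encoded to
    WIZ_TOKEN_URL and read access_token from the JSON reply."""
    return {"grant_type": "client_credentials", "audience": WIZ_AUDIENCE,
            "client_id": client_id, "client_secret": client_secret}

def paginate_issues(post: Callable[[dict], dict], max_pages: int = 1000) -> List[str]:
    """Collect every issue id by following pageInfo.endCursor until hasNextPage is false.
    `post` sends one GraphQL body with the bearer token and returns the parsed JSON."""
    ids: List[str] = []
    after = None                     # the first page is requested with no cursor
    seen = set()
    for _ in range(max_pages):
        resp = post({"query": ISSUES_QUERY, "variables": {"after": after}})
        if resp.get("errors"):       # GraphQL errors arrive with HTTP 200; surface them
            raise RuntimeError(resp["errors"])
        conn = resp["data"]["issues"]
        ids.extend(node["id"] for node in conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return ids
        after = conn["pageInfo"]["endCursor"]
        if not after or after in seen:   # a repeated or empty cursor would loop forever
            raise RuntimeError(f"pagination stalled at cursor {after!r}")
        seen.add(after)
    raise RuntimeError(f"gave up after {max_pages} pages")

# Constructed two-page response set standing in for a Wiz tenant, so the loop runs offline.
FAKE_PAGES = {
    None: {"data": {"issues": {"nodes": [{"id": "i-1"}, {"id": "i-2"}],
                               "pageInfo": {"hasNextPage": True, "endCursor": "c1"}}}},
    "c1": {"data": {"issues": {"nodes": [{"id": "i-3"}],
                               "pageInfo": {"hasNextPage": False, "endCursor": None}}}},
}

def fake_post(body: dict) -> dict:
    return FAKE_PAGES[body["variables"]["after"]]
```

Against a live tenant, `post` wraps an HTTP POST to the endpoint URL from step 2 with `Authorization: Bearer <access_token>` and `Content-Type: application/json`.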

## Required permissions

SureCloud requires a Wiz service account with the **Reader** role. This provides:

* Read access to all cloud security issues
* Read access to misconfiguration and vulnerability findings
* Read access to cloud account inventory
* Read access to compliance framework results
* Read access to Wiz users

No write, remediation, or administrative permissions are required.

## Polling frequency

| Data Type                                   | Interval       |
| ------------------------------------------- | -------------- |
| Cloud security issues and misconfigurations | Every 4 hours  |
| Vulnerability findings                      | Every 4 hours  |
| Cloud account coverage                      | Every 24 hours |
| Compliance benchmark results                | Every 24 hours |
| User and role inventory                     | Every 24 hours |

## Troubleshooting

<details>

<summary>Authentication fails with "invalid_client" or 401 error</summary>

The Client ID or Client Secret is incorrect, or the service account has been deactivated. Navigate to **Wiz → Settings → Service Accounts**, confirm the account is active, and regenerate the secret if necessary. Update the credentials in **SureCloud → Integrations → Wiz → Edit Connection**.

</details>

<details>

<summary>GraphQL queries return empty results for issues or findings</summary>

This can occur if the Wiz service account's Reader role is scoped to a specific project or cloud account subset rather than the full tenant. In **Wiz → Settings → Service Accounts**, confirm the SureCloud service account has tenant-wide Reader access, not project-scoped access.

</details>

<details>

<summary>API endpoint URL is incorrect or returns a 404</summary>

Wiz API endpoints are tenant- and region-specific. Using the wrong endpoint URL will result in connection failures. Retrieve the correct endpoint from **Wiz → Settings → General → API Endpoint URL** or contact your Wiz account team. Update it in **SureCloud → Integrations → Wiz → Edit Connection**.

</details>

<details>

<summary>Large issue volumes cause collection to time out</summary>

For tenants with very large issue inventories, SureCloud may take longer than usual to paginate through all findings. SureCloud applies severity and status filters to prioritise active, high-severity findings. If collection consistently times out, contact SureCloud Support to apply tighter filters or split collection across multiple polling cycles.

</details>
