# Wiz CSPM Integration (CSPM Ingestion)

The Wiz CSPM integration enables Sprinto to ingest cloud security posture data directly from Wiz using OAuth 2.0 client credentials.

Once connected, Sprinto can:

* Pull vulnerabilities and security findings from Wiz.
* Create and retrieve reports using the Wiz GraphQL API.
* Sync issues into Sprinto for compliance tracking.
* Trigger programmable monitors for high-severity findings.

This integration uses the Wiz GraphQL API and requires a service account with appropriate scopes.

***

### Available Automation Capabilities

After configuration, Sprinto can:

* Fetch security issues and findings.
* Retrieve vulnerability data.
* Create and access reports via Wiz GraphQL API.
* Continuously ingest CSPM data for monitoring.

***

### Before You Begin

Ensure the following prerequisites are met:

* You are logged in to the Sprinto Admin Portal.
* You have administrator access to your Wiz tenant.
* You can create Service Accounts in Wiz.
* You have access to Sprinto’s Integrations or Credentials Manager section.

***

### Step 1: Generate Wiz OAuth Client Credentials

To connect Wiz with Sprinto, you must first create a Service Account in Wiz.

#### Create a Service Account in Wiz

1. Log in to your Wiz portal.
2. Navigate to:
   * **Settings > Access Management > Service Accounts**\
     (Alternatively: **User Settings > Integrations**, depending on your Wiz setup.)
3. Click **Add Service Account**.
4. Provide a name (for example: *Sprinto CSPM Integration*).
5. Assign the required scopes.

#### Required Scopes

At a minimum, include:

* `read:issues`
* `read:vulnerabilities`
* `read:reports`
* `create:reports`

These permissions allow Sprinto to:

* Fetch issues and vulnerability data.
* Generate and retrieve reports via the GraphQL API.

6. Click **Add Service Account**.

Immediately copy and securely store:

* **Client ID**
* **Client Secret** (shown only once)

#### Note the Wiz API Endpoint

Also note your Wiz API endpoint URL.

For example:\
`https://api.us.app.wiz.io/graphql`

Your endpoint may differ based on region. You can confirm this under **Tenant Info** or **User Settings** in Wiz.

***

### Step 2: Add Credentials in Sprinto

After generating the credentials in Wiz:

1. Log in to Sprinto.
2. Navigate to the **Wiz CSPM integration** section (or Credentials Manager).
3. Select **OAuth2 Client Credentials** as the credential type.
4. Enter:
   * **Client ID**
   * **Client Secret**
5. If prompted, enter the **API Endpoint URL**\
   (This is often pre-filled with the default regional endpoint.)
6. Save the credential.

The credential status should display as **Active**.

***

### Step 3: Use the Wiz CSPM Ingestion Template

Once credentials are active:

1. Navigate to **Automation / Ingestion Plans / Templates** in Sprinto.
2. Select or create the **Wiz CSPM** ingestion plan.
3. Attach the OAuth credential created earlier.

The ingestion template will:

* Create reports via the Wiz GraphQL API.
* Pull security findings into Sprinto.
* Sync vulnerabilities and issues.

4. Run or test the ingestion plan to verify successful data ingestion.

***

### Post-Connection Flow

After data ingestion begins:

* Security findings from Wiz will start appearing in Sprinto.
* You can configure **Programmable Monitors** to:
  * Alert on high-severity issues.
  * Track compliance violations.
  * Monitor specific risk categories.

This enables continuous cloud security monitoring directly within Sprinto.

***

### Required Permissions

To successfully connect Wiz CSPM with Sprinto:

#### Minimum Role Requirement

* A user capable of creating Service Accounts in Wiz.

#### Required Scopes

* `read:issues`
* `read:vulnerabilities`
* `read:reports`
* `create:reports`

Ensure the Service Account is configured with these scopes before generating credentials.

***

### Troubleshooting

#### Credential shows as inactive in Sprinto

* Verify that the Client ID and Client Secret were copied correctly.
* Confirm that the secret was not regenerated after initial creation.
* Ensure the correct regional API endpoint is used.

#### No findings appear after ingestion

* Confirm the ingestion plan is attached to an active credential.
* Verify the Service Account has all required scopes.
* Run a manual test of the ingestion plan.

#### API authentication errors

* Confirm that the endpoint matches your Wiz region.
* Regenerate the Client Secret if needed and reattach it in Sprinto.
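
An offline pre-flight check covering the three troubleshooting cases above, as an added example (not Sprinto or Wiz code): it validates the endpoint shape, compares the Service Account's scopes with the four required ones, and catches copy/paste whitespace in the credentials. The host pattern generalizes this page's `api.us.app.wiz.io` example and is an assumption; the function names are hypothetical and `write:example` is a constructed placeholder scope.

```python
import re
from urllib.parse import urlsplit

# Scopes listed under "Required Scopes" on this page.
REQUIRED_SCOPES = {"read:issues", "read:vulnerabilities", "read:reports", "create:reports"}
# Assumption: regional hosts follow the shape of the page's example, api.<region>.app.wiz.io.
HOST_RE = re.compile(r"^api\.[a-z0-9-]+\.app\.wiz\.io$")

def check_endpoint(url):
    """Return problems with the API endpoint URL (an empty list means none found)."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("endpoint must use https")
    if parts.username or parts.password:
        problems.append("endpoint must not embed credentials")
    if not HOST_RE.match(parts.hostname or ""):
        problems.append("host is not api.<region>.app.wiz.io; confirm it under Tenant Info")
    if parts.path != "/graphql":
        problems.append("path should be /graphql")
    return problems

def check_scopes(granted):
    """Return (missing, extra): missing breaks ingestion, extra is excess privilege."""
    granted = {s.strip() for s in granted if s.strip()}
    return sorted(REQUIRED_SCOPES - granted), sorted(granted - REQUIRED_SCOPES)

def looks_damaged(value):
    """True if a pasted credential has surrounding or embedded whitespace."""
    return value != value.strip() or any(c in value for c in " \t\r\n")

def preflight(endpoint, granted_scopes, client_id, client_secret):
    """Collect every finding as a human-readable string; empty list means ready."""
    findings = [f"endpoint: {p}" for p in check_endpoint(endpoint)]
    missing, extra = check_scopes(granted_scopes)
    findings += [f"scope missing: {s}" for s in missing]
    findings += [f"scope not required (least privilege): {s}" for s in extra]
    for name, value in (("client id", client_id), ("client secret", client_secret)):
        if looks_damaged(value):
            findings.append(f"{name}: contains whitespace, copy it again")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = preflight("http://api.us.app.wiz.io/graphql",
                       ["read:issues", "read:reports", "write:example"],
                       "example-client-id", "example-secret\n")
    print("\n".join(sample))
```

Enter the scopes exactly as they appear on the Service Account in Wiz; the script makes no network calls and never needs the real secret to check the endpoint or scopes.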
