elastic · muskan-agarwal26 · Apr 25, 2025 · Apr 25, 2025 · Apr 28, 2025 · Apr 29, 2025
@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: "git@v8.11.0"
+    reference: "git@v8.17.0"
@@ -1,10 +1,22 @@
 # Wiz
 
-Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) and [vulnerabilities](https://ela.st/cnvm), providing you with visibility and context for your cloud environments within Elastic Security.
+[Wiz](https://www.wiz.io/) continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud.
+
+This Wiz integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) [vulnerabilities](https://ela.st/cnvm) and defend which provides real-time threat detection based on runtime signals and cloud activity—giving you visibility and context for your cloud environments within Elastic Security.
 
 ## Data streams
 
-The Wiz integration collects four types of data: Audit, Cloud Configuration Finding, Issue and Vulnerability.
+The Wiz integration collects five types of data:
+
+- **Audit** - The Audit log records key events within the Wiz platform, including logins and any mutation API calls executed in the Wiz portal (such as write, edit, delete, and save actions).
+
+- **Cloud Configuration Finding** - A Cloud Configuration Finding is a result generated when a cloud resource does not pass a specific Cloud Configuration Rule.
+
+- **Defend** - Detects and alerts on real-time cloud threats using runtime signals, logs, and Wiz’s security graph via webhook integrations.
+
+- **Issue** - Issues represent active risks or threats identified in your cloud environment.
+
+- **Vulnerability** - Vulnerabilities are weaknesses in computer systems that can be exploited by malicious attackers.
 
 ## Requirements
 
@@ -43,26 +55,14 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
 
 ## Setup
 
-### To collect data from Wiz, the following parameters from your Wiz instance are required:
+### To collect logs (Audit, Issue, Vulnerability, Cloud Configuration Findings) via GraphQL API:
 
-1. Client ID
-2. Client Secret
-3. Token url
-4. API Endpoint url
-5. Required scopes for each data stream :
+### Get the Wiz API URL:
 
-    | Data Stream   | Scope         |
-    | ------------- | ------------- |
-    | Audit         | admin:audit   |
-    | Issue         | read:issues   |
-    | Vulnerability | read:vulnerabilities |
-    | Cloud Configuration Finding | read:cloud_configuration |
-    | Cloud Configuration Finding Full Posture | read:cloud_configuration |
-
-### To obtain the Wiz URL
-1. Navigate to your user profile and copy the API Endpoint URL.
+1. Go to your user profile.
+2. Copy the **API Endpoint URL**.
 
-### Steps to obtain Client ID and Client Secret:
+### Steps to get the Client ID and Client Secret:
 
 1. In the Wiz dashboard Navigate to Settings > Service Accounts.
 2. Click Add Service Account.
@@ -72,17 +72,51 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
 6. Copy the Client Secret. Note that you won't be able to copy it after this stage.
 7. Copy the Client ID, which is displayed under the Service Accounts page.
 
+### Required scopes:
+
+    | Data Stream   | Scope         |
+    | ------------- | ------------- |
+    | Audit         | admin:audit   |
+    | Issue         | read:issues   |
+    | Vulnerability | read:vulnerabilities |
+    | Cloud Configuration Finding | read:cloud_configuration |
+    | Cloud Configuration Finding Full Posture | read:cloud_configuration |
+
+### To collect logs (Defend) via HTTP Endpoint:
+
+1. Obtain the webhook URL
+- Generate a webhook URL for the third-party product.
+- (Recommended) Obtain or generate authentication info for the third-party product, either a username/password or an authentication token.
+
+2. Add a webhook Integration in Wiz
+- In Wiz, go to the Settings > Integrations page, then click Add Integration.
+- Under SIEM & Automation Tools, click Webhook.
+- On the New Integration page:
+  - Enter a meaningful Name.
+  - Set the Project Scope.
+  - Paste the URL you generated earlier.
+  - (Optional) Click Add Header, then enter the name and value of a custom header to add to every webhook.
+  - Choose the type of Authentication to use:
+    - None—Not recommended at all, but hey, it's your data.
+    - Basic—Provide the Username and Password associated with your HTTP endpoint.
+    - Token—Enter an authentication token generated by the application that will be called from the webhook.
+  - For a more secure connection, enter a Client Certificate Authority and/or a Client Certificate to use in addition to whatever Authentication method was selected in the previous step.
+- Click Add Integration.
+- For more details, go to this [link](https://docs.wiz.io/docs/webhook-integration).
+
 ### Enabling the integration in Elastic:
 
 1. In Kibana go to Management > Integrations
 2. In "Search for integrations" search bar, type Wiz
 3. Click on the "Wiz" integration from the search results.
 4. Click on the "Add Wiz" button to add the integration.
-5. Add all the required integration configuration parameters, such as Client ID, Client Secret, URL, and Token URL. For all data streams, these parameters must be provided in order to retrieve logs.
-6. Save the integration.
+5. Enable the input type corresponding to the log source you wish to collect from.
+6. Configure all the required integration parameters, including the listen address, listen port, and authentication method along with its corresponding required fields for the HTTP Endpoint input type. For the CEL input type, ensure you provide the Client ID, Client Secret, URL, and Token URL to successfully retrieve logs.
+7. Save the integration.
 
 **Note:**
-  - Vulnerability data_stream pulls vulnerabilities from the previous day.
+  - Vulnerability data is fetched for the previous day.
+  - Custom headers are not supported in this integration. Only the standard Authorization header (e.g., Bearer token) is used for API requests.
 
 ## Logs Reference
 
@@ -116,6 +150,16 @@ This is the `Cloud Configuration Finding Full Posture` dataset.
 
 {{fields "cloud_configuration_finding_full_posture"}}
 
+### Defend
+
+This is the `Defend` dataset.
+
+#### Example
+
+{{event "defend"}}
+
+{{fields "defend"}}
+
 ### Issue
 
 This is the `Issue` dataset.

@@ -65,3 +65,30 @@ services:
       - http-server
       - --addr=:8090
       - --config=/files/config-vulnerability.yml
+  wiz-defend-no-auth:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    environment:
+      - STREAM_PROTOCOL=webhook
+      - STREAM_ADDR=http://elastic-agent:9588/
+    command: log --start-signal=SIGHUP --delay=5s /sample_logs/defend.log
+  wiz-defend-basic:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    environment:
+      - STREAM_PROTOCOL=webhook
+      - STREAM_ADDR=http://elastic-agent:9589/
+      - STREAM_USERNAME=testuser
+      - STREAM_PASSWORD=xxxx
+    command: log --start-signal=SIGHUP  --webhook-username=testuser --webhook-password=xxxx --delay=5s /sample_logs/defend.log
+  wiz-defend-token:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    environment:
+      - STREAM_PROTOCOL=webhook
+      - STREAM_ADDR=http://elastic-agent:9590/
+      - STREAM_WEBHOOK_HEADER=testheader=abc123
+    command: log --start-signal=SIGHUP --delay=5s /sample_logs/defend.log
@@ -0,0 +1 @@
+{"trigger":{"source":"DETECTIONS","type":"Created","ruleId":"a08fe977-3f54-48bf-adcf-f76994739c1f","ruleName":"Detections Webhook Test Rule"},"id":"6a440e9b-c8d8-5482-a0e9-da714359aecf","threatId":"733edfe5-db25-5b14-ac58-dc69d6005c81","threatURL":"https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)","title":"Timestomping technique was detected","description":"Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.","severity":"MEDIUM","createdAt":"2025-01-21T18:52:16.819883668Z","tdrId":"46fd0cdc-252e-5e69-be6e-66e4851d7ae4","tdrSource":"WIZ_SENSOR","mitreTactics":["TA0005"],"mitreTechniques":["T1070.006"],"cloudAccounts":[{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"}],"cloudOrganizations":[],"timeframe":{"start":"2025-01-21T18:52:15.838Z","end":"2025-01-21T18:52:15.838Z"},"actors":[{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service Principal","type":"SERVICE_ACCOUNT"},{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service Principal","type":"SERVICE_ACCOUNT"}],"resources":[{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"primaryResource":{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"},"triggeringEventsCount":2,"triggeringEvents":[{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program /usr/bin/bash executed the program /usr/bin/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"/usr/bin/touch","size":109616,"userId":"0","username":"root"},{"command":"/bin/bash -x -c touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"/usr/bin/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"},{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program /usr/bin/bash executed the program /usr/bin/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"/usr/bin/touch","size":109616,"userId":"0","username":"root"},{"command":"/bin/bash -x -c touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"/usr/bin/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"}]}
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.2.0"
+  changes:
+    - description: Add support for Wiz Defend datastream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13688
 - version: "3.1.0"
   changes:
     - description: Add support of Event URL to investigate the wiz events.

@@ -3,6 +3,7 @@ type: logs
 streams:
   - input: cel
     title: Audit logs
+    enabled: false
     description: Collect Audit logs from Wiz.
     template_path: cel.yml.hbs
     vars:

@@ -1,24 +1,24 @@
 {
     "@timestamp": "2023-07-21T07:07:21.105Z",
     "agent": {
-        "ephemeral_id": "5c3096ee-b490-4b19-a848-bfed150c1bca",
-        "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "ea58853f-b6e9-4a45-86ba-9551c6aec28f",
+        "id": "83d115a5-188d-46b5-95ce-7c8e49e04018",
+        "name": "elastic-agent-37311",
         "type": "filebeat",
-        "version": "8.10.1"
+        "version": "8.18.0"
     },
     "data_stream": {
         "dataset": "wiz.audit",
-        "namespace": "ep",
+        "namespace": "68164",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf",
-        "snapshot": false,
-        "version": "8.10.1"
+        "id": "83d115a5-188d-46b5-95ce-7c8e49e04018",
+        "snapshot": true,
+        "version": "8.18.0"
     },
     "event": {
         "action": "login",
@@ -28,7 +28,7 @@
         ],
         "dataset": "wiz.audit",
         "id": "hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4",
-        "ingested": "2023-10-03T10:35:48Z",
+        "ingested": "2025-04-22T09:53:49Z",
         "kind": "event",
         "original": "{\"action\":\"Login\",\"actionParameters\":{\"clientID\":\"afsdafasmdgj5c\",\"groups\":null,\"name\":\"example\",\"products\":[\"*\"],\"role\":\"\",\"scopes\":[\"read:issues\",\"read:reports\",\"read:vulnerabilities\",\"update:reports\",\"create:reports\",\"admin:audit\"],\"userEmail\":\"\",\"userID\":\"afsafasdghbhdfg5t35fdgs\",\"userpoolID\":\"us-east-2_GQ3gwvxsQ\"},\"id\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"requestId\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"serviceAccount\":{\"id\":\"mlipebtwsndhxdmnzdwrxzmiolvzt6topjvv4nugzctcsyarazrhg\",\"name\":\"elastic\"},\"sourceIP\":null,\"status\":\"SUCCESS\",\"timestamp\":\"2023-07-21T07:07:21.105685Z\",\"user\":null,\"userAgent\":null}",
         "outcome": "success",
@@ -88,4 +88,4 @@
             "timestamp": "2023-07-21T07:07:21.105Z"
         }
     }
-}
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"trigger":{"source":"DETECTIONS","type":"Created","ruleId":"a08fe977-3f54-48bf-adcf-f76994739c1f","ruleName":"Detections Webhook Test Rule"},"id":"6a440e9b-c8d8-5482-a0e9-da714359aecf","threatId":"733edfe5-db25-5b14-ac58-dc69d6005c81","threatURL":"https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)","title":"Timestomping technique was detected","description":"Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.","severity":"MEDIUM","createdAt":"2025-01-21T18:52:16.819883668Z","tdrId":"46fd0cdc-252e-5e69-be6e-66e4851d7ae4","tdrSource":"WIZ_SENSOR","mitreTactics":["TA0005"],"mitreTechniques":["T1070.006"],"cloudAccounts":[{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"}],"cloudOrganizations":[],"timeframe":{"start":"2025-01-21T18:52:15.838Z","end":"2025-01-21T18:52:15.838Z"},"actors":[{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service Principal","type":"SERVICE_ACCOUNT"},{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service Principal","type":"SERVICE_ACCOUNT"}],"resources":[{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"primaryResource":{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"},"triggeringEventsCount":2,"triggeringEvents":[{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program /usr/bin/bash executed the program /usr/bin/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"/usr/bin/touch","size":109616,"userId":"0","username":"root"},{"command":"/bin/bash -x -c touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"/usr/bin/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"},{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program /usr/bin/bash executed the program /usr/bin/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"/usr/bin/touch","size":109616,"userId":"0","username":"root"},{"command":"/bin/bash -x -c touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"/usr/bin/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"}]}