Add a Wiz Webhook Source for Cribl Search
Collect security events and alerts sent by Wiz via webhook so you can search them fast with Cribl Search.
What’s a Wiz Webhook Source in Cribl Search?
A Cribl Search data source that receives Wiz Defend security events and alerts via webhook over HTTP or HTTPS and stores them in a lakehouse engine for fast access.
Looking for the Wiz Webhook Source in Cribl Stream? See Wiz Webhook in Cribl Stream.
What You Need First
To set up this Source, you need:
- Cribl.Cloud Enterprise. For details, see Pricing.
- A lakehouse engine. Get one at lakehouse engines.
- Search Admin Permission, or higher. Learn who can do what at Cribl Search Permissions.
You don’t need Cribl Stream, Edge, or Lake.
Add a Wiz Webhook Source for Cribl Search
On the Cribl.Cloud top bar, select Products > Search > Data > Add Source > Wiz Webhook.
1. Describe Your Source
Under General, give your Source an ID and Description, so you and other Search Admins know what the Source is for and if it’s safe to modify.
The ID must be unique across your Workspace and can contain letters, numbers, underscores, and hyphens. Cribl Search prefixes it with in_ on save (for example, wiz_webhook becomes in_wiz_webhook).
2. Note the Source Endpoint
Under General, note down the Address and Port. You’ll need them when configuring the webhook in Wiz.
Keep the default port unless it conflicts with another service.
3. Set Up Encryption
TLS encryption protects your data in transit between Wiz and this Source.
Under Encrypt, select Enabled, and set the Minimum TLS version you want to accept.
| TLS version | When to use |
|---|---|
| 1.3 | Recommended. Provides the best security. |
| 1.2 | Use only when connecting to older systems that don’t support TLS 1.3. |
| Older than 1.2 | Avoid if possible. These versions are no longer considered secure. |
4. Set Up Authentication
Authentication ensures only authorized senders can push data to your Source.
Under Authentication, select Add Token, and configure:
- Token secret (text secret): Select a stored text secret that holds the token, or choose Create to add a new one (see Create and Manage Secrets).
- Enable token: Turn on to require this token for incoming requests to your Source. Disable only when testing without authentication.
Next Steps
Confirm with Save. Now, you’re ready to:
- Set Datatype rules for parsing your data. See Shape Your Data.
- Set Dataset rules for organizing your data. See Organize Your Data.
- Configure the webhook in Wiz to point to the Source endpoint URL.
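To check the Minimum TLS version from step 3 once the Source is saved, you can probe the endpoint with a client pinned to one TLS version at a time. This is an added example, not Cribl or Wiz code: it uses only Python's standard library, takes the Address and Port from step 2 as arguments, assumes a minimum of 1.3, and falls back to constructed sample results when no arguments are given.

```python
import socket
import ssl
import sys

# Only 1.2 and 1.3 are probed: many OpenSSL builds cannot offer older versions.
PROBE_VERSIONS = {"1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}

def pinned_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = PROBE_VERSIONS[version]
    ctx.maximum_version = PROBE_VERSIONS[version]
    return ctx

def probe(host, port, version, timeout=5.0):
    """True if the endpoint completes a handshake at exactly `version`."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == "TLSv" + version
        except ssl.SSLCertVerificationError:
            raise  # a certificate problem is not a version refusal
        except (ssl.SSLError, ConnectionResetError):
            return False  # handshake refused at this version

def evaluate(minimum, accepted):
    """Compare probe results (version -> bool) with the configured minimum.

    Returns a list of findings; an empty list means the endpoint behaves
    as configured.
    """
    findings = []
    for version, ok in sorted(accepted.items()):
        below = float(version) < float(minimum)
        if below and ok:
            findings.append(f"TLS {version} accepted but minimum is {minimum}")
        if not below and not ok:
            findings.append(f"TLS {version} refused although minimum is {minimum}")
    return findings

if __name__ == "__main__":
    minimum = "1.3"  # assumption: the value selected under Encrypt
    if len(sys.argv) == 3:  # usage: script.py ADDRESS PORT
        results = {v: probe(sys.argv[1], int(sys.argv[2]), v) for v in PROBE_VERSIONS}
    else:  # constructed sample: an endpoint that still accepts TLS 1.2
        results = {"1.2": True, "1.3": True}
    print("\n".join(evaluate(minimum, results)) or "endpoint matches the configured minimum")
```

Connection failures and certificate errors raise instead of counting as a refusal, so a wrong Address or Port is not mistaken for a correctly enforced minimum.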