The Top 3 Wiz and Torq Automations
One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.
Integrating Torq and Wiz enables security teams to automate the remediation of cloud security issues, freeing up analysts’ time and giving them the ability to tend to the laundry list of low and medium issues that often go untouched. These low and medium issues still pose a threat, so creating an automation for them can help avoid a security incident. With Torq and Wiz, SecOps teams can create fully automated or human-in-the-loop remediation workflows for things like expired secrets or unused privileged access keys. These automations are more powerful options than those available with legacy SOAR platforms.
In this post, we’ll talk about how the enterprise-grade Torq Hyperautomation platform integrates with Wiz to level up your organization’s cloud security.
Here are the top three Torq and Wiz automations:
Handle Wiz Alerts For Public AWS S3 Bucket With Sensitive Data
Looking for a simpler way to deal with Wiz alerts for when public AWS S3 buckets contain sensitive data? You’re in luck.
This workflow receives an alert from Wiz when an AWS S3 bucket is found to be exposed to the public with sensitive personal data contained in it and it triggers on Wiz ID wc-id-1264.
When the trigger is received, the workflow pulls the bucket’s public access settings and tags and looks for an owner tag. If no owner tag is found, notifications are routed to a designated Slack channel instead.
From there, it checks the public settings on the S3 bucket to see if the issue was resolved before the alert from Wiz was triggered, and, if it is still publicly accessible, it will ask to limit access to the bucket.
Once the user agrees, the bucket settings are updated and the Wiz alert is moved to in progress. If the user does not agree, or the question times out, a Jira issue is opened to track the issue and the issue ID will be added to the Wiz alert.
It’s important to note that this workflow sets all of the bucket’s public access block settings to “true,” blocking all public access. Your application may instead need a more granular update to the bucket’s JSON policy to block only the existing public access; to support that, the existing policy is included in the Slack message.
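The decision logic of the workflow described above, written out as an added example (this is not Torq’s template code). It operates on dicts shaped like the responses of boto3’s get_bucket_tagging() and get_public_access_block() but uses constructed inline sample data so it runs offline; the function names, the fallback channel name and the Wiz status string are assumptions. It shows the owner-tag lookup, the “was it already fixed?” check on the four public access block settings, and the three outcomes (approved, declined, timed out), including the caveat that approval blocks all public access rather than editing the bucket policy.

```python
"""Decision logic for the 'public S3 bucket with sensitive data' workflow.

Added example, not Torq's own template. Mirrors the dict shapes boto3 returns
from get_bucket_tagging() and get_public_access_block(); sample data below is
constructed so the module runs without AWS credentials.
"""

# The four settings the workflow flips to True once the user approves.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def find_owner(tag_set, tag_key="owner"):
    """Return the owner tag's value (key matched case-insensitively) or None."""
    for tag in tag_set:
        if tag.get("Key", "").lower() == tag_key:
            return tag.get("Value") or None
    return None


def notification_target(owner, fallback_channel="#cloud-sec-alerts"):
    """Route to the owner's Slack user if an owner tag exists, else to the channel (assumed name)."""
    if owner:
        return {"type": "user", "target": owner}
    return {"type": "channel", "target": fallback_channel}


def is_still_public(pab_config):
    """True unless all four public access block settings are already enabled.

    boto3 raises NoSuchPublicAccessBlockConfiguration when a bucket has no
    configuration at all; the caller maps that case to an empty dict, which
    this function treats as fully public.
    """
    return not all(pab_config.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


def proposed_public_access_block():
    """The configuration applied on approval: every setting True, i.e. block all public access."""
    return {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}


def plan_remediation(tag_set, pab_config, bucket_policy=None, approved=None):
    """Decide who to notify and what to do; approved=None models a timed-out question."""
    owner = find_owner(tag_set)
    plan = {
        "notify": notification_target(owner),
        # The existing policy rides along in the Slack message so the owner can
        # craft a narrower fix if blanket blocking would break the application.
        "bucket_policy": bucket_policy,
    }
    if not is_still_public(pab_config):
        plan["action"] = "already_remediated"  # fixed between Wiz scan and trigger
        return plan
    if approved:
        plan["action"] = "apply_public_access_block"
        plan["new_config"] = proposed_public_access_block()
        plan["wiz_status"] = "IN_PROGRESS"  # assumed value for "moved to in progress"
    else:
        # Declined or timed out: track it instead of changing anything.
        plan["action"] = "open_jira_issue"
    return plan


# Constructed sample data (not from a real account).
SAMPLE_TAGS = [{"Key": "Owner", "Value": "jdoe"}, {"Key": "env", "Value": "prod"}]
SAMPLE_PAB_PUBLIC = {
    "BlockPublicAcls": False,
    "IgnorePublicAcls": False,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": False,
}
SAMPLE_POLICY = (
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",'
    '"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"}]}'
)

if __name__ == "__main__":
    print(plan_remediation(SAMPLE_TAGS, SAMPLE_PAB_PUBLIC, SAMPLE_POLICY, approved=True))
    print(plan_remediation([], SAMPLE_PAB_PUBLIC, SAMPLE_POLICY, approved=None))
```

In a live workflow the dict returned by plan_remediation would drive the Slack step, a put_public_access_block call with new_config, and the Wiz status update; keeping the decision separate from the API calls makes the branching easy to test against captured responses.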
Enable AWS S3 Bucket Encryption On Alert From Wiz
This workflow is a simple and effective way to ensure that encryption is turned on for an AWS S3 bucket.
First, the workflow receives an alert from Wiz and is triggered by an event with the control name “S3 bucket default encryption disabled.” If the owner tag is found, the owner will be contacted or notified in the Slack channel about the issue.
This workflow then checks the encryption status on the bucket to see if encryption is still disabled and suggests remediation by enabling default AES256 encryption on the bucket.
If the user or Slack channel rejects the suggested remediation, the workflow collects a reason, opens a follow-up ticket, and updates the notes on the Wiz issue.
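The encryption check and the two outcomes of this workflow, as an added example that is not Torq’s template. It works on dicts shaped like boto3’s get_bucket_encryption() response (an empty dict stands in for the ServerSideEncryptionConfigurationNotFoundError case) and builds the exact configuration that put_bucket_encryption() expects for default AES256; the function names and the sample data are assumptions.

```python
"""Decision logic for the 'S3 bucket default encryption disabled' workflow.

Added example, not Torq's own template. Operates on the dict shape boto3
returns from get_bucket_encryption(); sample data is constructed.
"""


def default_sse_algorithm(encryption_config):
    """Return the default SSE algorithm ('AES256' or 'aws:kms') or None if no default is set.

    A bucket with no configuration makes boto3 raise
    ServerSideEncryptionConfigurationNotFoundError; the caller passes {} for that.
    """
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm"):
            return default["SSEAlgorithm"]
    return None


def is_encryption_disabled(encryption_config):
    """True when the bucket has no default encryption rule at all."""
    return default_sse_algorithm(encryption_config) is None


def aes256_default_config():
    """The body handed to put_bucket_encryption() to enable default AES256 (SSE-S3)."""
    return {
        "Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
        ]
    }


def plan_encryption_remediation(encryption_config, owner=None, approved=None, reason=None):
    """Re-check the bucket, then branch on the owner's/channel's answer.

    approved=True  -> apply default AES256
    approved=False -> a rejection reason is required; open a follow-up ticket and
                      record the reason in the Wiz issue notes
    approved=None  -> no answer yet (or timed out); treat like a rejection without reason
    """
    plan = {"notify": owner or "#cloud-sec-alerts"}  # assumed fallback channel name
    current = default_sse_algorithm(encryption_config)
    if current is not None:
        plan["action"] = "already_encrypted"
        plan["algorithm"] = current
        return plan
    if approved:
        plan["action"] = "enable_default_encryption"
        plan["put_bucket_encryption"] = aes256_default_config()
        return plan
    plan["action"] = "open_followup_ticket"
    plan["wiz_note"] = f"Remediation declined: {reason or 'no reason given'}"
    return plan


# Constructed samples.
SAMPLE_KMS_ENCRYPTED = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "placeholder-kms-key-id",
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}
SAMPLE_UNENCRYPTED = {}

if __name__ == "__main__":
    print(plan_encryption_remediation(SAMPLE_UNENCRYPTED, owner="jdoe", approved=True))
    print(plan_encryption_remediation(SAMPLE_UNENCRYPTED, approved=False, reason="legacy client"))
```

Checking the current state before proposing a change matters here for the same reason as in the public-bucket workflow: the Wiz finding may be minutes old and someone may already have enabled encryption, in which case the workflow should close out without paging anyone.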
Remediate AWS EC2 Instance With Open SSH Access From Wiz Alert
This workflow receives an alert from Wiz and is triggered by an event with control name “Instances with open SSH to the world in AWS.”
If an owner tag is found, the user is looked up in Slack; otherwise the Slack channel is notified. The user or channel is then asked to remediate the instance, either by shutting it down or by removing the open SSH rule from the Security Group and adding a specific network rule that allows SSH only from a corporate-owned network.
The user or channel also has the option to open a Jira issue instead of performing the remediation. A Jira issue is likewise opened for any problem with the process, and it is referenced in the issue notes in Wiz.
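The Security Group part of this workflow, as an added example rather than Torq’s template: it finds the ingress rules that expose SSH to the world, builds the permission to revoke (only the world-open CIDRs, so other ranges on the same rule survive) and the replacement rule for a corporate range, and maps the three user choices to actions. It works on dicts shaped like the IpPermissions entries from boto3’s describe_security_groups(), handles the “all traffic” (-1) and port-range cases that a naive port == 22 check misses, and uses constructed sample rules. The corporate CIDR is a placeholder from the documentation range, not a real network.

```python
"""Decision logic for the 'instances with open SSH to the world' workflow.

Added example, not Torq's own template. Input dicts follow the shape of
'IpPermissions' in boto3 describe_security_groups() responses; sample rules
are constructed. CORPORATE_CIDR is a placeholder from the documentation range.
"""

SSH_PORT = 22
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
CORPORATE_CIDR = "203.0.113.0/24"  # placeholder; substitute the real corporate range


def covers_ssh(perm):
    """True if the rule's protocol and port range include TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: no FromPort/ToPort, covers SSH
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def find_open_ssh_rules(ip_permissions):
    """Return revoke-ready permissions for every world-open range that exposes SSH."""
    offenders = []
    for perm in ip_permissions:
        if not covers_ssh(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
        if not (v4 or v6):
            continue
        # Keep only the world-open ranges so revoke_security_group_ingress()
        # leaves any private CIDRs on the same rule in place.
        bad = {"IpProtocol": perm["IpProtocol"]}
        if "FromPort" in perm:
            bad["FromPort"] = perm["FromPort"]
            bad["ToPort"] = perm["ToPort"]
        if v4:
            bad["IpRanges"] = v4
        if v6:
            bad["Ipv6Ranges"] = v6
        offenders.append(bad)
    return offenders


def corporate_ssh_rule(cidr=CORPORATE_CIDR):
    """The replacement permission: SSH only from the corporate range."""
    return {
        "IpProtocol": "tcp",
        "FromPort": SSH_PORT,
        "ToPort": SSH_PORT,
        "IpRanges": [{"CidrIp": cidr, "Description": "SSH from corporate network"}],
    }


def plan_remediation(ip_permissions, choice):
    """Map the user's/channel's choice to concrete actions.

    choice: 'shutdown' | 'fix_rule' | 'jira' (the three options offered in Slack)
    """
    open_rules = find_open_ssh_rules(ip_permissions)
    if not open_rules:
        return {"action": "already_remediated"}
    if choice == "shutdown":
        return {"action": "stop_instance", "jira": False}
    if choice == "fix_rule":
        return {
            "action": "update_security_group",
            "revoke": open_rules,
            "authorize": [corporate_ssh_rule()],
            "jira": False,
        }
    # 'jira' or anything unexpected: track it rather than change anything.
    return {"action": "open_jira_issue", "jira": True}


# Constructed sample: one SSH rule mixing world and private ranges, one HTTPS
# rule that is world-open but irrelevant, and one IPv6 "all traffic" rule.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    for rule in find_open_ssh_rules(SAMPLE_PERMISSIONS):
        print("open SSH:", rule)
    print(plan_remediation(SAMPLE_PERMISSIONS, "fix_rule"))
```

Two details are worth keeping when wiring this to real API calls: revoke before authorize, so a failure between the two never leaves the instance with both rules, and re-run find_open_ssh_rules after the change to confirm the group is clean before moving the Wiz issue along.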
Those are just three of the myriad templates Torq offers with Wiz to improve cloud security. Stay tuned for more installments of our Hyperautomation Cheat Codes series where we’ll examine more integrations and automations with other key partners to help you level up your cybersecurity.