What Changed

The Wiz solution transitions from a legacy Azure Function (REST API pull) connector to a push-based DCR integration. The Wiz service principal authenticates directly to a Data Collection Endpoint and pushes data; customers no longer host a Function App or manage workspace shared keys.

New connector: WizSentinel.json (title: “Wiz for Microsoft Sentinel”)
New ARM template: azuredeploy_WizSentinelIntegration.json – provisions a custom role and RBAC assignment for the Wiz service principal

Data streams now available:

Table               | Content
WizIssuesV3_CL      | Wiz Issues (was available previously)
WizDetectionsV3_CL  | Wiz Detections – net new stream
WizAuditLogsV3_CL   | Wiz Audit Logs (was available previously)

Note: WizVulnerabilitiesV3_CL mentioned in the PR description was dropped during CI fixes and is not included in v3.0.1.

Workbook: WizFindings.json rewritten to query V3 tables and updated column references.

Security Impact (Visibility & Fidelity)

New detection surface: WizDetectionsV3_CL is a net-new data type – customers running the prior connector had no Wiz Detections visibility in Microsoft Sentinel. Fields include detectionId, severity, and tdrSource.

Architecture change: The legacy Function App connector required a customer-hosted Azure Function with workspace shared keys. Any deployment with misconfigured or expired Function App credentials would have experienced silent ingestion failures. The new push model eliminates that dependency.

ARM Template Notes

azuredeploy_WizSentinelIntegration.json creates a custom role (WizSentinelIntegrationCustomRole) with the following permissions assigned to the Wiz service principal at resource group scope:

  • Control plane: Microsoft.Insights/DataCollectionRules/, Microsoft.OperationalInsights/workspaces/tables/, Microsoft.OperationalInsights/workspaces/sharedKeys/action, Microsoft.Insights/DataCollectionEndpoints/*
  • Data plane: Microsoft.Insights/Telemetry/Write

The ARM template sets principalType: ServicePrincipal on both role assignments – required for correct managed identity RBAC resolution. Note that Microsoft.OperationalInsights/workspaces/sharedKeys/action is included in the custom role even though the connector description states that no shared keys are required; review whether this permission is actually needed for your deployment before granting it.

Deployment requires Owner or User Access Administrator at the subscription level to create the custom role definition (Microsoft.Authorization/roleDefinitions/write).
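As an added review check (not part of the PR or of the Wiz solution), the following Python scans an ARM template for the concerns raised in this section: sensitive actions such as sharedKeys/action, wildcard actions, and role assignments that lack principalType: ServicePrincipal. The sample template, its resource names, and the sensitive actions listed beyond sharedKeys/action are assumptions constructed for the demonstration; point audit_template at json.load() of the real azuredeploy_WizSentinelIntegration.json to run it for real.

```python
from typing import Dict, List

# Rights a push-only DCE/DCR ingestion identity should not need. sharedKeys/action
# is the one questioned in the notes above; the rest are my own additions (assumption).
SENSITIVE_ACTIONS = {
    "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    "Microsoft.OperationalInsights/workspaces/listKeys/action",
    "Microsoft.Authorization/roleAssignments/write",
    "*",
}

def audit_template(template: dict) -> Dict[str, List[str]]:
    """Flag sensitive or wildcard actions in roleDefinitions resources and
    roleAssignments resources that do not set principalType: ServicePrincipal."""
    out: Dict[str, List[str]] = {"sensitive": [], "wildcards": [], "missing_principal_type": []}
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == "Microsoft.Authorization/roleDefinitions":
            for perm in props.get("permissions", []):
                # Control-plane and data-plane actions are checked the same way.
                for action in perm.get("actions", []) + perm.get("dataActions", []):
                    if action in SENSITIVE_ACTIONS:
                        out["sensitive"].append(action)
                    elif action.endswith("/*"):
                        out["wildcards"].append(action)
        elif res.get("type") == "Microsoft.Authorization/roleAssignments":
            if props.get("principalType") != "ServicePrincipal":
                out["missing_principal_type"].append(res.get("name", "<unnamed>"))
    return out

# Constructed sample mirroring the custom role described above; the assignment names
# and the deliberately incomplete second assignment are made up for the demonstration.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Authorization/roleDefinitions", "name": "WizSentinelIntegrationCustomRole",
         "properties": {"permissions": [{
             "actions": ["Microsoft.Insights/DataCollectionRules/*",
                         "Microsoft.OperationalInsights/workspaces/tables/*",
                         "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
                         "Microsoft.Insights/DataCollectionEndpoints/*"],
             "dataActions": ["Microsoft.Insights/Telemetry/Write"]}]}},
        {"type": "Microsoft.Authorization/roleAssignments", "name": "dce-assignment",
         "properties": {"principalType": "ServicePrincipal"}},
        {"type": "Microsoft.Authorization/roleAssignments", "name": "dcr-assignment",
         "properties": {}},
    ]
}

if __name__ == "__main__":
    for key, items in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{key}: {items}")
```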

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/WizAuditLogsV3_CL.json
.script/tests/KqlvalidationsTests/CustomTables/WizDetectionsV3_CL.json
.script/tests/KqlvalidationsTests/CustomTables/WizIssuesV3_CL.json
Solutions/Wiz/Data Connectors/WizSentinel.json
Solutions/Wiz/Data Connectors/azuredeploy_WizSentinelIntegration.json
Solutions/Wiz/Workbooks/WizFindings.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_Wiz.json, createUiDefinition.json, mainTemplate.json)