Panther + Wiz: Empowering SecOps Teams with Unified Context

Feb 11, 2025

Today we're excited to announce Panther's Wiz Integration. Our strategic integration addresses a critical challenge in modern cloud security operations where context about assets, configurations, and security findings often lives in silos separate from detection and response workflows.

By integrating Wiz's comprehensive cloud security context into Panther's real-time detection and analytics capabilities, security teams can streamline their investigation and response processes without switching between multiple tools.

The integration enables Panther to receive and analyze rich cloud security context from Wiz, enhancing security teams' ability to detect and respond at enterprise scale.

Panther's Wiz Integration has transformed how we operate, providing a unified source of truth with extreme scalability—invaluable for centralizing our visibility for total cloud threat coverage.

Ryan K., Monte Carlo's Head of Security and Compliance

Understanding The Integration

Security teams using Panther as their SIEM can now leverage Wiz's deep visibility into cloud assets and security posture directly within their correlation and alerting workflows. The integration automatically pulls, normalizes, and analyzes critical context from Wiz, including cloud asset security findings, compliance status, risk exposure data, and admin logs.

For example, when investigating a potential identity-based attack, security analysts can immediately see if the targeted cloud resources have any critical misconfigurations or excessive permissions identified by Wiz by writing a search in Panther. This context helps teams make faster, more informed decisions about incident severity and required response actions.

Unified Detection Across Your Security Stack

Panther now ingests policy violation alerts from Wiz alongside data from EDR solutions, network sensors, and cloud infrastructure logs. This enables security teams to write Python-based detection rules that correlate security signals across their entire stack. By adding cloud security posture context from Wiz, teams gain another critical layer of security visibility and enrichment data.

Real-World Example #1: Detecting Access to Exposed Resources

Consider this scenario: A developer accidentally modifies a security group rule, exposing an EC2 instance to the internet. Within minutes, attackers begin SSH brute force attempts against the newly exposed host. Here's how Panther's detection-as-code approach combines Wiz asset exposure findings with VPC Flow Logs to detect potential compromises:

```yaml
Detection:
  - Sequence:
      # Sequence IDs must match the From/To names used in Transitions below
      - ID: WizAlert
        RuleID: Wiz.Alert.Passthrough
      - ID: VPCFlow
        RuleID: AWS.VPCFlow.AcceptedSSH
    Transitions:
      - ID: WizAlert followed by VPC Flow
        From: WizAlert
        To: VPCFlow
        WithinTimeFrameMinutes: 60
        # Join the Wiz finding to flow records for the same EC2 instance
        Match:
          - From: entitySnapshot.externalId
            To: instanceId
    Schedule:
      RateMinutes: 60
      TimeoutMinutes: 5
```

This identifies when a Wiz finding about a newly internet-exposed EC2 instance is followed by successful SSH connections to that same instance. The correlation rule leverages Wiz's continuous asset monitoring to detect security group changes and combines it with real-time VPC Flow Log analysis.

The power of this approach comes from:

  • Immediate detection of security posture changes through Wiz

  • Real-time visibility into network activity through production VPC Flow Logs

  • Precise correlation based on instance identifiers

  • Customizable time windows to catch opportunistic attacks

  • Ability to distinguish between expected and suspicious SSH access
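To make the correlation above concrete, here is a stand-alone Python sketch of the same logic, added as an illustration and not Panther's correlation engine or any code from the Panther + Wiz ruleset. It assumes a Wiz issue carries the instance ID at entitySnapshot.externalId and that flow records carry instanceId, dstport, action and srcaddr; the event samples are constructed.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=60)  # mirrors WithinTimeFrameMinutes: 60

# Constructed Wiz issue events; entitySnapshot.externalId is the Match key
# from the YAML rule, the remaining fields are assumed for illustration.
WIZ_ISSUES = [
    {"time": "2025-02-11T10:00:00Z", "severity": "CRITICAL",
     "entitySnapshot": {"externalId": "i-0abc1234"}},
]

# Constructed VPC Flow-style records keyed by instanceId as in the YAML Match.
VPC_FLOWS = [
    {"time": "2025-02-11T10:25:00Z", "instanceId": "i-0abc1234",
     "dstport": 22, "action": "ACCEPT", "srcaddr": "203.0.113.7"},
    {"time": "2025-02-11T10:30:00Z", "instanceId": "i-0abc1234",
     "dstport": 22, "action": "REJECT", "srcaddr": "203.0.113.8"},   # blocked
    {"time": "2025-02-11T12:00:00Z", "instanceId": "i-0abc1234",
     "dstport": 22, "action": "ACCEPT", "srcaddr": "203.0.113.9"},   # too late
    {"time": "2025-02-11T10:40:00Z", "instanceId": "i-0ffff999",
     "dstport": 22, "action": "ACCEPT", "srcaddr": "203.0.113.10"},  # other host
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accepted_ssh(flow):
    # Stand-in for the AWS.VPCFlow.AcceptedSSH rule: accepted traffic to port 22.
    return flow.get("action") == "ACCEPT" and flow.get("dstport") == 22

def correlate(issues, flows, window=WINDOW):
    """Return (instance_id, source_ip, flow_time) for each accepted SSH flow
    that reaches an exposed instance within `window` after the Wiz finding."""
    hits = []
    for issue in issues:
        instance = issue["entitySnapshot"]["externalId"]
        found_at = parse_time(issue["time"])
        for flow in flows:
            if flow.get("instanceId") != instance or not accepted_ssh(flow):
                continue
            seen_at = parse_time(flow["time"])
            if found_at <= seen_at <= found_at + window:
                hits.append((instance, flow["srcaddr"], seen_at))
    return hits

if __name__ == "__main__":
    for instance, src, when in correlate(WIZ_ISSUES, VPC_FLOWS):
        print(f"exposed {instance} reached over SSH from {src} at {when.isoformat()}")
```

Only the 10:25 ACCEPT to i-0abc1234 is reported; the rejected attempt, the flow outside the 60-minute window and the flow to a different instance are all ignored.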

Real-World Example #2: Detecting Defense Evasion

Another critical use case is detecting when attackers attempt to disable or evade security controls. Consider an attacker who has compromised administrative credentials for Wiz and attempts to disable rules or add exclusions to hide activities. Here's how Panther can detect this using Python:

```python
SENSITIVE_RULE_CHANGES = [
    "CreateIgnoreRule",
    "CreateMalwareExclusion",
    "DeleteAutomationRule",
    "DeleteCloudConfigurationRule",
    "DeleteCloudEventRule",
    "DeleteHostConfigurationRule",
    "DeleteIgnoreRule",
    ...
]


def rule(event):
    # Only analyze successful events
    if event.get("status") != "SUCCESS":
        return False
    # Alert if any sensitive action is executed (the Wiz audit log "action" field)
    return event.get("action") in SENSITIVE_RULE_CHANGES
```

This detection showcases the power of Python-based rules in Panther:

  • Custom logic using familiar Python syntax and data structures

  • Easy maintenance and version control of detection code

  • Unit testing support for validation

  • Ability to import external libraries for complex analysis

  • Simple extension to correlation rules like Example #1

Security teams can build on this atomic detection by creating correlation rules that look for patterns of evasive behavior across multiple security tools, or by adding context from change management systems to reduce false positives.
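As an added example of that extension, not code from the Panther + Wiz ruleset, the block below reuses the atomic check, suppresses actions that a hypothetical change-management allowlist covers, and flags an actor who performs several unapproved sensitive changes in a short window. The Wiz audit field names (action, status, timestamp, user.id) and the sample events are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SENSITIVE_RULE_CHANGES = {
    "CreateIgnoreRule", "CreateMalwareExclusion", "DeleteAutomationRule",
    "DeleteCloudConfigurationRule", "DeleteCloudEventRule",
    "DeleteHostConfigurationRule", "DeleteIgnoreRule",
}

# Hypothetical change-management lookup: actor -> actions covered by an
# approved ticket. A real deployment would query the ticketing system.
APPROVED_CHANGES = {"ci-bot@example.com": {"DeleteIgnoreRule"}}

# Constructed Wiz audit-log events (field names assumed, see lead-in).
EVENTS = [
    {"timestamp": "2025-02-11T09:00:00Z", "status": "SUCCESS",
     "action": "CreateIgnoreRule", "user": {"id": "user-a@example.com"}},
    {"timestamp": "2025-02-11T09:02:00Z", "status": "SUCCESS",
     "action": "DeleteAutomationRule", "user": {"id": "user-a@example.com"}},
    {"timestamp": "2025-02-11T09:03:00Z", "status": "FAILED",
     "action": "DeleteCloudEventRule", "user": {"id": "user-a@example.com"}},
    {"timestamp": "2025-02-11T09:05:00Z", "status": "SUCCESS",
     "action": "DeleteIgnoreRule", "user": {"id": "ci-bot@example.com"}},
    {"timestamp": "2025-02-11T09:06:00Z", "status": "SUCCESS",
     "action": "Login", "user": {"id": "user-b@example.com"}},
]

def is_sensitive_change(event):
    # Same atomic check as the page's rule: a successful sensitive action.
    return event.get("status") == "SUCCESS" and event.get("action") in SENSITIVE_RULE_CHANGES

def is_approved(event):
    actor = event.get("user", {}).get("id")
    return event.get("action") in APPROVED_CHANGES.get(actor, set())

def evasive_actors(events, window=timedelta(minutes=10), threshold=2):
    """Actor -> actions, for actors with >= threshold unapproved sensitive
    changes inside any window-long span (a burst of evasive behaviour)."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_sensitive_change(ev) and not is_approved(ev):
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            by_actor[ev["user"]["id"]].append((ts.replace(tzinfo=timezone.utc), ev["action"]))
    flagged = {}
    for actor, changes in by_actor.items():
        changes.sort()
        for start, _ in changes:
            burst = [act for ts, act in changes if start <= ts <= start + window]
            if len(burst) >= threshold:
                flagged[actor] = burst
                break
    return flagged
```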

Empowering AI-Driven Analysis

This integration also enhances AI-powered response capabilities. When investigating alerts, Panther's AI now has access to comprehensive asset context from Wiz, enabling more informed and efficient triage paths that drive down response times. This context helps Panther's AI better understand:

  • Attack Surface Context: Current security posture, misconfigurations, and vulnerabilities

  • Asset Criticality: Business impact and sensitivity of affected resources

  • Historical Patterns: Previous security findings and compliance status

  • Exposure Risk: Network accessibility and potential blast radius

Getting Started

The Panther + Wiz integration is available now for all customers. Our technical documentation provides detailed implementation steps. You can also access the Panther + Wiz ruleset on GitHub. Get a demo of Panther today to see how the Wiz integration can transform your security operations.

Join the Webinar on March 6th

Register for our upcoming webinar to get insights from security teams using the integration to centralize visibility and safeguard their cloud environments. Wiz Senior Security Engineer James Cleverley-Prance and other leading security practitioners will discuss how the integration provides a critical layer of cloud visibility for their security monitoring workflows.
