Ingest data from Wiz Audit Logs
This feature is in Beta. Workspace admins can control access to this feature from the Previews page. See Manage Databricks previews.
This page shows how to create a managed Wiz Audit Logs ingestion pipeline using Lakeflow Connect.
Requirements
- To create an ingestion pipeline, you must first meet the following requirements:
  - Your workspace must be enabled for Unity Catalog.
  - Serverless compute must be enabled for your workspace. See Serverless compute requirements.
  - If you plan to create a new connection: You must have CREATE CONNECTION privileges on the metastore. See Manage privileges in Unity Catalog.
    If the connector supports UI-based pipeline authoring, an admin can create the connection and the pipeline at the same time by completing the steps on this page. However, if the users who create pipelines use API-based pipeline authoring or are non-admin users, an admin must first create the connection in Catalog Explorer. See Connect to managed ingestion sources.
  - If you plan to use an existing connection: You must have USE CONNECTION privileges or ALL PRIVILEGES on the connection object.
  - You must have USE CATALOG privileges on the target catalog.
  - You must have USE SCHEMA and CREATE TABLE privileges on an existing schema or CREATE SCHEMA privileges on the target catalog.
- To ingest from Wiz, you must first configure authentication from Databricks and create a connection. See Configure authentication to Wiz and Create a Wiz Audit Logs connection.
Create an ingestion pipeline
For the list of supported source tables, see Supported source tables.
- Databricks UI
- Declarative Automation Bundles
- Databricks notebook
Databricks UI
- In the sidebar of the Databricks workspace, click Data Ingestion.
- On the Add data page, under Databricks connectors, click Wiz Audit Logs.
- On the Connection page of the ingestion wizard, select the connection that stores your Wiz credentials. If you have the CREATE CONNECTION privilege on the metastore, you can click Create connection to create a connection with the credentials from Configure authentication to Wiz.
- Click Next.
- On the Ingestion setup page, enter a name for the pipeline.
- Select a catalog and a schema to write data to. If you have USE CATALOG and CREATE SCHEMA privileges on the catalog, you can click Create schema in the drop-down menu to create a schema.
- Click Create pipeline and continue.
- On the Source page, select the tables to ingest.
- Click Save and continue.
- On the Destination page, select a catalog and a schema to load data into. If you have USE CATALOG and CREATE SCHEMA privileges on the catalog, you can click Create schema in the drop-down menu to create a schema.
- Click Save and continue.
- (Optional) On the Schedules and notifications page, click Create schedule. Set the frequency to refresh the destination tables.
- (Optional) Click Add notification to set email notifications for pipeline operation success or failure.
- Click Save and run pipeline.
Declarative Automation Bundles
Use Declarative Automation Bundles to manage Wiz Audit Logs pipelines as code. Bundles can contain YAML definitions of jobs and tasks, are managed using the Databricks CLI, and can be shared and run in different target workspaces (such as development, staging, and production). For more information, see What are Declarative Automation Bundles?.
- Create a bundle using the Databricks CLI:
  ```bash
  databricks bundle init
  ```
- Add two new resource files to the bundle:
  - A pipeline definition file (for example, resources/wiz_audit_logs_pipeline.yml). See pipeline.ingestion_definition and Examples.
  - A job definition file that controls the frequency of data ingestion (for example, resources/wiz_audit_logs_job.yml).
- Deploy the pipeline using the Databricks CLI:
  ```bash
  databricks bundle deploy
  ```
Databricks notebook
- Import the following notebook into your Databricks workspace:
- Leave cells one and two as they are. Do not modify.
- Modify cell three with your pipeline configuration details. See pipeline.ingestion_definition and Examples.
- Optionally configure advanced pipeline settings. See Common patterns for managed ingestion pipelines.
- Click Run all.
Examples
The Wiz Audit Logs connector makes available audit log, issue, and vulnerability finding tables in the default source schema. For the full list, see Supported source tables. Ingest individual tables or the entire schema.
Ingest specific tables
Use this option to ingest a specific subset of tables, or to customize destination naming per table.
```yaml
resources:
  pipelines:
    wiz_audit_logs_pipeline:
      name: wiz_audit_logs_pipeline
      catalog: 'main'
      target: 'wiz_audit_logs_data'
      ingestion_definition:
        connection_name: wiz_audit_logs_connection
        objects:
          - table:
              source_schema: 'default'
              source_table: 'audit_log_entries'
              destination_catalog: 'main'
              destination_schema: 'wiz_audit_logs_data'
              destination_table: 'audit_log_entries'
          - table:
              source_schema: 'default'
              source_table: 'vulnerability_findings'
              destination_catalog: 'main'
              destination_schema: 'wiz_audit_logs_data'
              destination_table: 'vulnerability_findings'
```
Ingest the entire schema
Use this option to ingest all Wiz Audit Logs source tables into a single destination schema with one declaration.
```yaml
resources:
  pipelines:
    wiz_audit_logs_pipeline:
      name: wiz_audit_logs_pipeline
      catalog: 'main'
      target: 'wiz_audit_logs_data'
      ingestion_definition:
        connection_name: wiz_audit_logs_connection
        objects:
          - schema:
              source_schema: 'default'
              destination_catalog: 'main'
              destination_schema: 'wiz_audit_logs_data'
```
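When pipeline definitions are managed as code, a pre-deploy check can confirm that audit data only lands in an approved catalog and schema. The following is an added example, not Databricks code: it lints the `table` and `schema` object shapes shown above, with the YAML represented as a parsed Python dict. The `APPROVED` allow-list, the helper names, the sample data, and the `destination_table` fallback are assumptions.

```python
# Added example: pre-deploy lint for a Wiz Audit Logs pipeline definition.
APPROVED = {("main", "wiz_audit_logs_data")}  # assumed (catalog, schema) allow-list

def lint_pipelines(parsed, approved=APPROVED):
    """Return findings for every pipeline in a parsed bundle resource file."""
    findings = []
    for key, pipeline in parsed.get("resources", {}).get("pipelines", {}).items():
        ingestion = pipeline.get("ingestion_definition") or {}
        if not ingestion.get("connection_name"):
            findings.append(f"{key}: missing connection_name")
        seen = set()
        for i, obj in enumerate(ingestion.get("objects") or []):
            kind = next((k for k in ("table", "schema") if k in obj), None)
            if kind is None:
                findings.append(f"{key}: objects[{i}] is neither table nor schema")
                continue
            spec = obj[kind]
            dest = (spec.get("destination_catalog"), spec.get("destination_schema"))
            if dest not in approved:
                findings.append(f"{key}: objects[{i}] writes to unapproved {dest[0]}.{dest[1]}")
            if kind == "table":
                # Assumption: destination_table falls back to source_table if omitted.
                name = spec.get("destination_table") or spec.get("source_table")
                if dest + (name,) in seen:
                    findings.append(f"{key}: objects[{i}] reuses destination table {name}")
                seen.add(dest + (name,))
    return findings

def table(source, catalog, schema, dest):
    """Build one table object shaped like the page's YAML (constructed sample)."""
    return {"table": {"source_schema": "default", "source_table": source,
                      "destination_catalog": catalog, "destination_schema": schema,
                      "destination_table": dest}}

def make_bundle(connection, objects):
    """Wrap objects in the resources/pipelines structure (constructed sample)."""
    return {"resources": {"pipelines": {"wiz_audit_logs_pipeline": {
        "ingestion_definition": {"connection_name": connection, "objects": objects}}}}}

GOOD = make_bundle("wiz_audit_logs_connection", [
    table("audit_log_entries", "main", "wiz_audit_logs_data", "audit_log_entries"),
    table("vulnerability_findings", "main", "wiz_audit_logs_data", "vulnerability_findings")])
BAD = make_bundle("", [  # constructed: no connection, wrong target, table collision
    table("audit_log_entries", "sandbox", "scratch", "audit_log_entries"),
    table("vulnerability_findings", "main", "wiz_audit_logs_data", "findings"),
    table("audit_log_entries", "main", "wiz_audit_logs_data", "findings")])

if __name__ == "__main__":
    for finding in lint_pipelines(GOOD) + lint_pipelines(BAD):
        print(finding)
```

In a CI job, load the bundle resource file with a YAML parser and fail the build when the returned list is not empty.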
Declarative Automation Bundles job definition file
The following is an example job definition file for use with Declarative Automation Bundles. The job runs daily.
```yaml
resources:
  jobs:
    wiz_audit_logs_job:
      name: wiz_audit_logs_job
      schedule:
        quartz_cron_expression: '0 0 0 * * ?'
        timezone_id: 'UTC'
      tasks:
        - task_key: wiz_audit_logs_ingestion
          pipeline_task:
            pipeline_id: ${resources.pipelines.wiz_audit_logs_pipeline.id}
```
Common patterns
For advanced pipeline configurations, see Common patterns for managed ingestion pipelines.
Next steps
Start, schedule, and set alerts on your pipeline. See Common pipeline maintenance tasks.