This workflow template orchestrates remediation for alerts triggered by Azure VMs exposed to the internet with open access on SSH port 22. The process retrieves the VM's details and tags, locates the instance owner via Slack (or falls back to a Slack channel), and then asks the owner to modify the Network Security Group (NSG). If the owner consents, a rule is added to the NSG to block the access. If the owner declines or does not respond, a Jira issue is created and the Wiz issue is updated with the relevant notes. Automate the closure of potential security vulnerabilities with this robust workflow.
Trigger
Wiz
Optional Triggers
Webhook
Use Cases
CSPM
Workflow Breakdown
Retrieve VM details including tags
Try to find the instance owner via Slack; if no owner is found, fall back to a Slack channel
Reach out to the channel or owner and ask to modify the Network Security Group
If the user agrees, add a rule to the NSG to block the access
If the user does not agree, open a Jira issue and update the Wiz issue with a note
If any other failure occurs, open a Jira issue and update the Wiz issue with a note
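An added, offline model of the decision points in the steps above (example code, not the template's own logic): which NSG rules expose port 22 to the internet, what a blocking rule that outranks them looks like, how the owner lookup falls back to a channel, and how the owner's reply selects a branch. The tag keys, channel name and reply keywords are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # sources that mean "anyone"

@dataclass
class NsgRule:
    name: str
    priority: int      # Azure NSG: 100..4096, lower number takes precedence
    direction: str     # "Inbound" / "Outbound"
    access: str        # "Allow" / "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # address prefix or service tag
    dest_port: str     # "22", "*" or a range such as "20-30"

def port_matches(spec: str, port: int) -> bool:
    """True if an NSG port spec ("*", "22", "20-30") covers `port`."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposing_rules(rules: List[NsgRule], port: int = 22) -> List[NsgRule]:
    """Inbound Allow rules that open `port` over TCP to the internet."""
    return [r for r in rules
            if r.direction == "Inbound" and r.access == "Allow"
            and r.protocol in ("Tcp", "*") and r.source in INTERNET_SOURCES
            and port_matches(r.dest_port, port)]

def deny_rule(rules: List[NsgRule], port: int = 22) -> Optional[NsgRule]:
    """Deny rule placed just above the highest exposing rule; None if not exposed."""
    exposed = exposing_rules(rules, port)
    if not exposed:
        return None
    prio = min(r.priority for r in exposed) - 1
    if prio < 100:
        raise ValueError("no free priority slot above the exposing rule")
    return NsgRule(f"Deny-Internet-TCP-{port}", prio, "Inbound", "Deny",
                   "Tcp", "Internet", str(port))

def find_owner(tags: dict, fallback: str = "#cloud-security") -> str:
    """Owner from VM tags (assumed tag keys), else the shared Slack channel."""
    for key in ("owner", "Owner", "owner_email"):
        if tags.get(key):
            return tags[key]
    return fallback

def next_action(reply: Optional[str]) -> str:
    """Map the Slack reply to a branch; decline and no reply go to Jira + Wiz note."""
    if reply is not None and reply.strip().lower() in ("yes", "approve", "approved"):
        return "add_nsg_deny_rule"
    return "open_jira_and_note_wiz"
```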
Vendors
Slack, Microsoft Azure, Utils, Wiz, Jira Cloud
Workflow Output
Slack updates, Jira ticket and Wiz notes on remediation or other outcomes.
Tips
Set up a trigger filter for the specific Wiz policy that generates the alert