# Set up a Wiz Insights connector

> C1 provides identity governance and security posture visibility for Wiz. Integrate your Wiz instance with C1 to sync security insights related to user and service accounts, enabling identity-aware cloud security posture visibility.

<Tip>
  **There are TWO Wiz connectors.** The instructions below set up the Wiz Insights connector that syncs security issues from Wiz as [external insights](https://www.conductorone.com/docs/product/admin/external-insights), surfacing identity risk scores alongside access decisions in C1.

  There is also a [Wiz IAM connector](/baton/wiz), which syncs users, roles, and projects from Wiz so that you can review and manage access.
</Tip>

## Capabilities

| Resource          | Sync                                                          | Provision |
| :---------------- | :------------------------------------------------------------ | :-------- |
| Security Insights | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

**Notes:**

* The Wiz Insights connector syncs security issues from Wiz that are related to `USER_ACCOUNT` and `SERVICE_ACCOUNT` entity types.
* This connector does not support provisioning. It is a read-only connector that syncs security insights.
* The connector supports incremental sync via an event feed that polls for issues with updated statuses.

## Gather Wiz credentials

<Warning>
  To configure the Wiz Insights connector, you need API access in Wiz with permission to read issues. You also need to know the GraphQL API URL and OAuth2 token endpoint for your Wiz region.
</Warning>

<Steps>
  <Step>
    Log in to Wiz and navigate to **Settings** > **Service Accounts**.
  </Step>

  <Step>
    Create a new service account with OAuth2 credentials:

    1. Click **Add Service Account**

    2. Enter a name: `C1`

    3. Select the following scope:
       * `read:issues` - Allows syncing security issues as insights

    4. Click **Create**

    5. Copy and save the **Client ID** and **Client Secret** securely
  </Step>

  <Step>
    Determine your Wiz API endpoints:

    * **GraphQL API URL**: The regional API endpoint for your Wiz tenant (e.g., `https://api.us17.app.wiz.io/graphql`)
    * **Auth Endpoint**: The OAuth2 token endpoint (e.g., `https://auth.app.wiz.io/oauth/token`)

    You can find these in the Wiz documentation or your Wiz tenant settings.
  </Step>
</Steps>

For more information, see [Wiz API documentation](https://docs.wiz.io/).

## Configure the Wiz Insights connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Wiz Insights** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Wiz Insights connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that are not yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the required configuration:

        * **Wiz API URL** (required): The Wiz GraphQL API endpoint for your region
        * **Client ID** (required): OAuth2 client ID from your Wiz service account
        * **Client Secret** (required): OAuth2 client secret from your Wiz service account
        * **Auth Endpoint** (required): OAuth2 token endpoint for authentication
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Wiz Insights connector is now pulling security insights into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to use the [Wiz Insights](https://github.com/conductorone/baton-wiz-insights) connector, hosted and run in your own environment.

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Step 1: Set up a new Wiz Insights connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Wiz Insights connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that are not yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. They are used in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Wiz Insights connector deployment:

    #### Secrets configuration

    ```yaml expandable
    # baton-wiz-insights-secrets.yaml
    # This file holds live credentials in plaintext: keep it out of version control.
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-wiz-insights-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Wiz credentials
      BATON_WIZ_API_URL: <Your Wiz GraphQL API endpoint>
      BATON_WIZ_CLIENT_ID: <Your Wiz OAuth2 client ID>
      BATON_WIZ_CLIENT_SECRET: <Your Wiz OAuth2 client secret>
      BATON_WIZ_AUTH_ENDPOINT: <Your Wiz OAuth2 token endpoint>
    ```

    See the connector's README, or run the connector with `--help`, for all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-wiz-insights.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-wiz-insights
      labels:
        app: baton-wiz-insights
    spec:
      selector:
        matchLabels:
          app: baton-wiz-insights
      template:
        metadata:
          labels:
            app: baton-wiz-insights
            # Label values must be strings; an unquoted true is parsed as a boolean and rejected.
            baton: "true"
            baton-app: wiz-insights
        spec:
          containers:
          - name: baton-wiz-insights
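            # For production, pin a release tag or image digest instead of :latest;
            # with IfNotPresent, a node that has cached :latest never pulls a newer image.
            image: ghcr.io/conductorone/baton-wiz-insights:latest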
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-wiz-insights
            envFrom:
            - secretRef:
                name: baton-wiz-insights-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Wiz Insights connector to. Wiz security insights should appear on the application page.
      </Step>
    </Steps>

    **Done.** Your Wiz Insights connector is now pulling security insights into C1.
  </Tab>
</Tabs>
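
For the self-hosted setup, an offline check of the Step 2 secret manifest before it is applied catches unreplaced `<...>` placeholders and Wiz endpoints that are not HTTPS. This is an added example, not part of the connector or the original page; the function names and sample values are constructed, and it assumes the flat `KEY: value` layout shown in the manifest above.

```shell
#!/bin/sh
# Added example: offline pre-apply check for baton-wiz-insights-secrets.yaml.
# Key names come from the manifest on this page; function names and sample
# values are constructed for illustration.
REQUIRED_KEYS="BATON_CLIENT_ID BATON_CLIENT_SECRET BATON_WIZ_API_URL
BATON_WIZ_CLIENT_ID BATON_WIZ_CLIENT_SECRET BATON_WIZ_AUTH_ENDPOINT"

# Print the value of key $2 in file $1 (flat "KEY: value" lines; empty if absent).
secret_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | head -n 1
}

# Print one line per problem; return 0 only when the manifest is clean.
check_secret_manifest() {
  file=$1
  problems=0
  for key in $REQUIRED_KEYS; do
    val=$(secret_value "$file" "$key")
    case "$val" in
      "")   echo "$key: missing or empty"; problems=$((problems + 1)) ;;
      "<"*) echo "$key: placeholder not replaced"; problems=$((problems + 1)) ;;
    esac
  done
  # The OAuth2 client secret and access token are sent to these URLs, so require TLS.
  for key in BATON_WIZ_API_URL BATON_WIZ_AUTH_ENDPOINT; do
    val=$(secret_value "$file" "$key")
    case "$val" in
      "" | "<"* | https://*) ;;  # already reported above, or acceptable
      *) echo "$key: must be an https:// URL"; problems=$((problems + 1)) ;;
    esac
  done
  [ "$problems" -eq 0 ]
}

# Constructed sample: one placeholder left in place, one endpoint on http://.
sample=$(mktemp)
printf '%s\n' 'stringData:' \
  '  BATON_CLIENT_ID: example-c1-id' \
  '  BATON_CLIENT_SECRET: <C1 client secret>' \
  '  BATON_WIZ_API_URL: https://api.us17.app.wiz.io/graphql' \
  '  BATON_WIZ_CLIENT_ID: example-wiz-id' \
  '  BATON_WIZ_CLIENT_SECRET: example-wiz-secret' \
  '  BATON_WIZ_AUTH_ENDPOINT: http://auth.app.wiz.io/oauth/token' > "$sample"
check_secret_manifest "$sample" || echo "fix the problems above before applying"
rm -f "$sample"
```
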
