regscale-cli 6.23.0.1__py3-none-any.whl → 6.24.0.1__py3-none-any.whl

regscale/integrations/commercial/wizv2/scanner.py

@@ -6,6 +6,7 @@ import logging
 import os
 import re
 from collections.abc import Iterator
+from functools import lru_cache
 from typing import Any, Dict, List, Optional, Tuple, Union
 
 from regscale.core.app.utils.app_utils import check_file_path, error_and_exit, get_current_datetime
@@ -42,15 +43,16 @@ from regscale.integrations.commercial.wizv2.utils import (
     map_category,
 )
 from regscale.integrations.commercial.wizv2.variables import WizVariables
+from regscale.integrations.variables import ScannerVariables
 from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
 from regscale.integrations.scanner_integration import (
     IntegrationAsset,
     IntegrationFinding,
     ScannerIntegration,
 )
-from regscale.integrations.variables import ScannerVariables
 from regscale.models import IssueStatus, regscale_models
 from regscale.models.regscale_models.compliance_settings import ComplianceSettings
+from regscale.models.regscale_models.regscale_model import RegScaleModel
 
 logger = logging.getLogger("regscale")
 
@@ -66,11 +68,19 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         "High": regscale_models.IssueSeverity.High,
         "Medium": regscale_models.IssueSeverity.Moderate,
         "Low": regscale_models.IssueSeverity.Low,
+        "INFORMATIONAL": regscale_models.IssueSeverity.NotAssigned,
     }
     asset_lookup = "vulnerableAsset"
     wiz_token = None
     _compliance_settings = None
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        # Suppress generic asset not found errors but use enhanced diagnostics instead
+        self.suppress_asset_not_found_errors = True
+        # Track unique missing asset types for summary reporting
+        self._missing_asset_types = set()
+
     @staticmethod
     def get_variables() -> Dict[str, Any]:
         """
@@ -84,6 +94,31 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             "filterBy": {},
         }
 
+    def get_finding_identifier(self, finding) -> str:
+        """
+        Gets the finding identifier for Wiz findings.
+        For Wiz integrations, prioritize external_id since plugin_id can be non-unique.
+
+        :param finding: The finding
+        :return: The finding identifier
+        :rtype: str
+        """
+        # We could have a string truncation error platform side on IntegrationFindingId nvarchar(450)
+        prefix = f"{self.plan_id}:"
+
+        # For Wiz, prioritize external_id since plugin_id can be non-unique
+        if finding.external_id:
+            prefix += self.hash_string(finding.external_id).__str__()
+        else:
+            prefix += (
+                finding.cve or finding.plugin_id or finding.rule_id or self.hash_string(finding.external_id).__str__()
+            )
+
+        if ScannerVariables.issueCreation.lower() == "perasset":
+            res = f"{prefix}:{finding.asset_identifier}"
+            return res[:450]
+        return prefix[:450]
+
     def authenticate(self, client_id: Optional[str] = None, client_secret: Optional[str] = None) -> None:
         """
         Authenticates to Wiz using the client ID and client secret
@@ -97,14 +132,16 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         logger.info("Authenticating to Wiz...")
         self.wiz_token = wiz_authenticate(client_id, client_secret)
 
-    def get_query_types(self, project_id: str) -> List[Dict[str, Any]]:
+    def get_query_types(self, project_id: str, filter_by: Optional[Dict[str, Any]] = None) -> List[Dict[str, Any]]:
         """Get the query types for vulnerability scanning.
 
         :param str project_id: The project ID to get queries for
+        :param Optional[Dict[str, Any]] filter_by: Optional filter criteria (used by subclasses)
         :return: List of query types
         :rtype: List[Dict[str, Any]]
         """
-        return get_wiz_vulnerability_queries(project_id=project_id)
+        # Base class ignores filter_by, subclasses can override to use it
+        return get_wiz_vulnerability_queries(project_id=project_id, filter_by=filter_by)
 
     def fetch_findings(self, *args, **kwargs) -> Iterator[IntegrationFinding]:
         """
@@ -313,7 +350,9 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             # Step 2: Initialize progress tracking
             logger.info("Fetching Wiz findings using async concurrent queries...")
             self.num_findings_to_process = 0
-            query_configs = self.get_query_types(project_id=project_id)
+            # Pass filter_by_override if provided
+            filter_by = kwargs.get("filter_by_override")
+            query_configs = self.get_query_types(project_id=project_id, filter_by=filter_by)
 
             main_task = self.finding_progress.add_task(
                 "[cyan]Running concurrent GraphQL queries...", total=len(query_configs)
@@ -337,8 +376,13 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             # Step 6: Process results
             yield from self._process_query_results(results, query_configs, project_id, should_fetch_fresh)
 
-            # Step 7: Complete main task
-            self.finding_progress.advance(main_task, len(query_configs))
+            # Step 7: Complete main task - ensure it's marked as 100% complete
+            self.finding_progress.update(
+                main_task,
+                description="[green]✓ Completed processing all Wiz findings",
+                completed=len(query_configs),
+                total=len(query_configs),
+            )
 
         except Exception as e:
             logger.error(f"Error in async findings fetch: {e!s}", exc_info=True)
@@ -350,6 +394,14 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             logger.info("Falling back to synchronous query method...")
             yield from self.fetch_findings_sync(**kwargs)
 
+        # Log summary of missing asset types if any were found
+        if hasattr(self, "_missing_asset_types") and self._missing_asset_types:
+            logger.warning(
+                "Summary: Found references to missing asset types: %s. "
+                "Consider adding these to RECOMMENDED_WIZ_INVENTORY_TYPES in constants.py",
+                ", ".join(sorted(self._missing_asset_types)),
+            )
+
         logger.info(
             "Finished async fetching Wiz findings. Total findings to process: %d", self.num_findings_to_process or 0
         )
@@ -459,7 +511,9 @@ class WizVulnerabilityIntegration(ScannerIntegration):
 
         logger.info("Fetching Wiz findings using synchronous queries...")
         self.num_findings_to_process = 0
-        query_types = self.get_query_types(project_id=project_id)
+        # Pass filter_by_override if provided
+        filter_by = kwargs.get("filter_by_override")
+        query_types = self.get_query_types(project_id=project_id, filter_by=filter_by)
 
         # Create detailed progress tracking for each query type
         main_task = self.finding_progress.add_task(
@@ -530,6 +584,14 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             description=f"[green]✓ Completed fetching all Wiz findings ({self.num_findings_to_process or 0} total)",
         )
 
+        # Log summary of missing asset types if any were found
+        if hasattr(self, "_missing_asset_types") and self._missing_asset_types:
+            logger.warning(
+                "Summary: Found references to missing asset types: %s. "
+                "Consider adding these to RECOMMENDED_WIZ_INVENTORY_TYPES in constants.py",
+                ", ".join(sorted(self._missing_asset_types)),
+            )
+
         logger.info(
             "Finished synchronous fetching Wiz findings. Total findings to process: %d",
             self.num_findings_to_process or 0,
@@ -664,16 +726,218 @@ class WizVulnerabilityIntegration(ScannerIntegration):
     ) -> Iterator[IntegrationFinding]:
         """
         Parses a list of Wiz finding nodes into IntegrationFinding objects.
-
-        This is a compatibility wrapper that calls the progress-aware version.
+        Groups findings by rule and scope for consolidation when appropriate.
 
         :param List[Dict[str, Any]] nodes: List of Wiz finding nodes
         :param WizVulnerabilityType vulnerability_type: The type of vulnerability
         :yield: IntegrationFinding objects
         :rtype: Iterator[IntegrationFinding]
         """
-        # Delegate to the progress-aware version without progress tracking
-        yield from self.parse_findings_with_progress(nodes, vulnerability_type, task_id=None)
+        logger.info(
+            f"🔍 VULNERABILITY PROCESSING ANALYSIS: Received {len(nodes)} raw Wiz vulnerabilities for processing"
+        )
+
+        # Count issues by severity for analysis
+        severity_counts = {}
+        status_counts = {}
+        for node in nodes:
+            severity = node.get("severity", "Low")
+            status = node.get("status", "OPEN")
+            severity_counts[severity] = severity_counts.get(severity, 0) + 1
+            status_counts[status] = status_counts.get(status, 0) + 1
+
+        logger.debug(f"Raw vulnerability breakdown by severity: {severity_counts}")
+        logger.debug(f"Raw vulnerability breakdown by status: {status_counts}")
+
+        # Filter nodes by minimum severity configuration
+        filtered_nodes = []
+        filtered_out_count = 0
+        for node in nodes:
+            wiz_severity = node.get("severity", "Low")
+            wiz_id = node.get("id", "unknown")
+            if self.should_process_finding_by_severity(wiz_severity):
+                filtered_nodes.append(node)
+            else:
+                filtered_out_count += 1
+                logger.info(
+                    f"🚫 FILTERED BY SEVERITY: Vulnerability {wiz_id} with severity '{wiz_severity}' filtered due to minimumSeverity configuration"
+                )
+
+        logger.info(
+            f"✅ After severity filtering: {len(filtered_nodes)} vulnerabilities kept, {filtered_out_count} filtered out"
+        )
+
+        if not filtered_nodes:
+            logger.warning(
+                "⚠️  All vulnerabilities filtered out by severity configuration - check your minimumSeverity setting"
+            )
+            return
+
+        # Apply consolidation logic for findings that support it
+        if self._should_apply_consolidation(vulnerability_type):
+            yield from self._parse_findings_with_consolidation(filtered_nodes, vulnerability_type)
+        else:
+            # Use original parsing for vulnerability types that shouldn't be consolidated
+            yield from self.parse_findings_with_progress(filtered_nodes, vulnerability_type, task_id=None)
+
+    def _should_apply_consolidation(self, vulnerability_type: WizVulnerabilityType) -> bool:
+        """
+        Determine if consolidation should be applied for this vulnerability type.
+
+        :param WizVulnerabilityType vulnerability_type: The vulnerability type
+        :return: True if consolidation should be applied
+        :rtype: bool
+        """
+        # Apply consolidation to finding types that commonly affect multiple assets
+        consolidation_types = {
+            WizVulnerabilityType.HOST_FINDING,
+            WizVulnerabilityType.DATA_FINDING,
+            WizVulnerabilityType.VULNERABILITY,
+        }
+        return vulnerability_type in consolidation_types
+
+    def _parse_findings_with_consolidation(
+        self, nodes: List[Dict[str, Any]], vulnerability_type: WizVulnerabilityType
+    ) -> Iterator[IntegrationFinding]:
+        """
+        Parse findings with consolidation logic applied.
+
+        :param List[Dict[str, Any]] nodes: List of Wiz finding nodes
+        :param WizVulnerabilityType vulnerability_type: The vulnerability type
+        :yield: Consolidated IntegrationFinding objects
+        :rtype: Iterator[IntegrationFinding]
+        """
+        # Group nodes for potential consolidation
+        grouped_nodes = self._group_findings_for_consolidation(nodes)
+
+        # Process each group
+        for group_key, group_nodes in grouped_nodes.items():
+            if len(group_nodes) > 1:
+                # Multiple nodes with same rule - attempt consolidation
+                if consolidated_finding := self._create_consolidated_scanner_finding(group_nodes, vulnerability_type):
+                    yield consolidated_finding
+            else:
+                # Single node - process normally
+                if finding := self.parse_finding(group_nodes[0], vulnerability_type):
+                    yield finding
+
+    def _group_findings_for_consolidation(self, nodes: List[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
+        """
+        Group findings by rule and appropriate scope for consolidation.
+        - Database findings: group by server
+        - App Configuration findings: group by resource group
+        - Other findings: group by full resource path
+
+        :param List[Dict[str, Any]] nodes: List of Wiz finding nodes
+        :return: Dictionary mapping group keys to lists of nodes
+        :rtype: Dict[str, List[Dict[str, Any]]]
+        """
+        groups = {}
+
+        for node in nodes:
+            # Create a grouping key based on rule and appropriate scope
+            rule_name = self._get_rule_name_from_node(node)
+            provider_id = self._get_provider_id_from_node(node)
+
+            # Determine the appropriate grouping scope based on resource type
+            grouping_scope = self._determine_grouping_scope(provider_id, rule_name)
+
+            # Group key combines rule name and scope
+            group_key = f"{rule_name}|{grouping_scope}"
+
+            if group_key not in groups:
+                groups[group_key] = []
+            groups[group_key].append(node)
+
+        return groups
+
+    def _get_rule_name_from_node(self, node: Dict[str, Any]) -> str:
+        """Get rule name from various node structures."""
+        # Try different ways to get rule name
+        if source_rule := node.get("sourceRule"):
+            return source_rule.get("name", "")
+        return node.get("name", node.get("title", ""))
+
+    def _get_provider_id_from_node(self, node: Dict[str, Any]) -> str:
+        """Get provider ID from various node structures."""
+        # Try different ways to get provider ID
+        if entity_snapshot := node.get("entitySnapshot"):
+            return entity_snapshot.get("providerId", "")
+
+        # Try other asset lookup patterns
+        asset_fields = ["vulnerableAsset", "entity", "resource", "relatedEntity", "sourceEntity", "target"]
+        for field in asset_fields:
+            if asset_obj := node.get(field):
+                if provider_id := asset_obj.get("providerId"):
+                    return provider_id
+
+        return ""
+
+    def _determine_grouping_scope(self, provider_id: str, rule_name: str) -> str:
+        """
+        Determine the appropriate grouping scope for consolidation.
+
+        :param str provider_id: The provider ID
+        :param str rule_name: The rule name
+        :return: The grouping scope (server, resource group, or full path)
+        :rtype: str
+        """
+        # For database issues, group by server
+        if "/databases/" in provider_id:
+            return provider_id.split("/databases/")[0]
+
+        # For App Configuration issues, group by resource group to consolidate multiple stores
+        if (
+            "app configuration" in rule_name.lower()
+            and "/microsoft.appconfiguration/configurationstores/" in provider_id
+        ):
+            # Extract resource group path: /subscriptions/.../resourcegroups/rg_name
+            parts = provider_id.split("/resourcegroups/")
+            if len(parts) >= 2:
+                rg_part = parts[1].split("/")[0]  # Get just the resource group name
+                return f"{parts[0]}/resourcegroups/{rg_part}"
+
+        # For other resources, use the full provider path (no consolidation)
+        return provider_id
+
+    def _create_consolidated_scanner_finding(
+        self, nodes: List[Dict[str, Any]], vulnerability_type: WizVulnerabilityType
+    ) -> Optional[IntegrationFinding]:
+        """
+        Create a consolidated finding from multiple nodes with the same rule.
+
+        :param List[Dict[str, Any]] nodes: List of nodes to consolidate
+        :param WizVulnerabilityType vulnerability_type: The vulnerability type
+        :return: Consolidated IntegrationFinding or None
+        :rtype: Optional[IntegrationFinding]
+        """
+        # Use the first node as the base
+        base_node = nodes[0]
+
+        # Collect all asset identifiers and provider IDs
+        asset_ids = []
+        provider_ids = []
+
+        for node in nodes:
+            if asset_id := self.get_asset_id_from_node(node, vulnerability_type):
+                asset_ids.append(asset_id)
+            if provider_id := self.get_provider_unique_id_from_node(node, vulnerability_type):
+                provider_ids.append(provider_id)
+
+        # If we couldn't extract asset info, fall back to normal parsing
+        if not asset_ids:
+            return self.parse_finding(base_node, vulnerability_type)
+
+        # Create the finding using normal parsing, then override asset identifiers
+        base_finding = self.parse_finding(base_node, vulnerability_type)
+        if not base_finding:
+            return None
+
+        # Override with consolidated asset information
+        base_finding.asset_identifier = asset_ids[0]  # Use first asset as primary
+        base_finding.issue_asset_identifier_value = "\n".join(provider_ids) if provider_ids else None
+
+        return base_finding
 
     @classmethod
     def get_issue_severity(cls, severity: str) -> regscale_models.IssueSeverity:
@@ -686,6 +950,37 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         """
         return cls.finding_severity_map.get(severity.capitalize(), regscale_models.IssueSeverity.Low)
 
+    def should_process_finding_by_severity(self, wiz_severity: str) -> bool:
+        """
+        Check if finding should be processed based on minimum severity configuration.
+
+        :param str wiz_severity: The Wiz severity level (e.g., "INFORMATIONAL", "Low", "Medium", etc.)
+        :return: True if finding should be processed, False if it should be filtered out
+        :rtype: bool
+        """
+        # Get minimum severity from configuration, default to "low"
+        min_severity = self.app.config.get("scanners", {}).get("wiz", {}).get("minimumSeverity", "low").lower()
+
+        # Log the configuration being used (only once to avoid spam)
+        if not hasattr(self, "_severity_config_logged"):
+            logger.debug(f"SEVERITY FILTER CONFIG: minimumSeverity = '{min_severity}'")
+            self._severity_config_logged = True
+
+        # Define severity hierarchy (lower index = higher severity)
+        severity_hierarchy = ["critical", "high", "medium", "low", "informational"]
+
+        try:
+            wiz_severity_lower = wiz_severity.lower()
+            min_severity_index = severity_hierarchy.index(min_severity)
+            finding_severity_index = severity_hierarchy.index(wiz_severity_lower)
+
+            # Process if finding severity is equal or higher (lower index) than minimum
+            return finding_severity_index <= min_severity_index
+        except ValueError:
+            # If severity not found in hierarchy, default to processing it
+            logger.warning(f"Unknown severity level: {wiz_severity}, processing anyway")
+            return True
+
     def process_comments(self, comments_dict: Dict) -> Optional[str]:
         """
         Processes comments from Wiz findings to match RegScale's comment format.
@@ -716,10 +1011,10 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         """
         # Define asset lookup patterns for different vulnerability types
         asset_lookup_patterns = {
-            # WizVulnerabilityType.VULNERABILITY: "vulnerableAsset",
-            # WizVulnerabilityType.CONFIGURATION: "resource",
-            # WizVulnerabilityType.HOST_FINDING: "resource",
-            # WizVulnerabilityType.DATA_FINDING: "resource",
+            WizVulnerabilityType.VULNERABILITY: "vulnerableAsset",
+            WizVulnerabilityType.CONFIGURATION: "resource",
+            WizVulnerabilityType.HOST_FINDING: "resource",
+            WizVulnerabilityType.DATA_FINDING: "resource",
             WizVulnerabilityType.SECRET_FINDING: "resource",
             WizVulnerabilityType.NETWORK_EXPOSURE_FINDING: "exposedEntity",
             WizVulnerabilityType.END_OF_LIFE_FINDING: "vulnerableAsset",
@@ -738,7 +1033,76 @@ class WizVulnerabilityIntegration(ScannerIntegration):
 
         # Standard case - direct id access
         asset_container = node.get(asset_lookup_key, {})
-        return asset_container.get("id")
+        asset_id = asset_container.get("id")
+
+        # Add debug logging to help diagnose missing assets
+        if not asset_id:
+            logger.debug(
+                f"No asset ID found for {vulnerability_type.value} using key '{asset_lookup_key}'. "
+                f"Available keys in node: {list(node.keys())}"
+            )
+            # Try alternative lookup patterns as fallback
+            fallback_keys = ["vulnerableAsset", "resource", "exposedEntity", "entitySnapshot"]
+            for fallback_key in fallback_keys:
+                if fallback_key != asset_lookup_key and fallback_key in node:
+                    fallback_asset = node.get(fallback_key, {})
+                    if fallback_id := fallback_asset.get("id"):
+                        logger.debug(
+                            f"Found asset ID using fallback key '{fallback_key}' for {vulnerability_type.value}"
+                        )
+                        return fallback_id
+
+        return asset_id
+
+    def get_provider_unique_id_from_node(
+        self, node: Dict[str, Any], vulnerability_type: WizVulnerabilityType
+    ) -> Optional[str]:
+        """
+        Get the providerUniqueId from a node based on the vulnerability type.
+        This provides more meaningful asset identification for eMASS exports.
+
+        :param Dict[str, Any] node: The Wiz finding node
+        :param WizVulnerabilityType vulnerability_type: The type of vulnerability
+        :return: The providerUniqueId or fallback to asset name/ID
+        :rtype: Optional[str]
+        """
+        # Define asset lookup patterns for different vulnerability types - aligned with get_asset_id_from_node
+        asset_lookup_patterns = {
+            WizVulnerabilityType.VULNERABILITY: "vulnerableAsset",
+            WizVulnerabilityType.CONFIGURATION: "resource",
+            WizVulnerabilityType.HOST_FINDING: "resource",
+            WizVulnerabilityType.DATA_FINDING: "resource",
+            WizVulnerabilityType.SECRET_FINDING: "resource",
+            WizVulnerabilityType.NETWORK_EXPOSURE_FINDING: "exposedEntity",
+            WizVulnerabilityType.END_OF_LIFE_FINDING: "vulnerableAsset",
+            WizVulnerabilityType.EXTERNAL_ATTACH_SURFACE: "exposedEntity",
+            WizVulnerabilityType.EXCESSIVE_ACCESS_FINDING: "scope",
+            WizVulnerabilityType.ISSUE: "entitySnapshot",
+        }
+
+        asset_lookup_key = asset_lookup_patterns.get(vulnerability_type, "entitySnapshot")
+
+        if asset_lookup_key == "scope":
+            # Handle special case for excessive access findings where ID is nested
+            scope = node.get("scope", {})
+            graph_entity = scope.get("graphEntity", {})
+            # Try providerUniqueId first, fallback to name, then id
+            return graph_entity.get("providerUniqueId") or graph_entity.get("name") or graph_entity.get("id")
+
+        # Standard case - get asset container and extract provider identifier
+        asset_container = node.get(asset_lookup_key, {})
+
+        # For Issue queries, the field is called 'providerId' instead of 'providerUniqueId'
+        if vulnerability_type == WizVulnerabilityType.ISSUE:
+            return (
+                asset_container.get("providerId")
+                or asset_container.get("providerUniqueId")
+                or asset_container.get("name")
+                or asset_container.get("id")
+            )
+
+        # For other queries, try providerUniqueId first
+        return asset_container.get("providerUniqueId") or asset_container.get("name") or asset_container.get("id")
 
     def parse_finding(
         self, node: Dict[str, Any], vulnerability_type: WizVulnerabilityType
@@ -769,28 +1133,16 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             logger.error("Error parsing Wiz finding: %s", str(e), exc_info=True)
             return None
 
-    def _parse_secret_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
+    def _get_secret_finding_data(self, node: Dict[str, Any]) -> Dict[str, Any]:
         """
-        Parse secret finding from Wiz.
+        Extract data specific to secret findings.
 
         :param Dict[str, Any] node: The Wiz finding node to parse
-        :return: The parsed IntegrationFinding or None if parsing fails
-        :rtype: Optional[IntegrationFinding]
+        :return: Dictionary containing secret-specific data
+        :rtype: Dict[str, Any]
         """
-        asset_id = node.get("resource", {}).get("id")
-        if not asset_id:
-            return None
-
-        first_seen = node.get("firstSeenAt") or get_current_datetime()
-        first_seen = format_to_regscale_iso(first_seen)
-        severity = self.get_issue_severity(node.get("severity", "Low"))
-        due_date = regscale_models.Issue.get_due_date(severity, self.app.config, "wiz", first_seen)
-
-        # Create meaningful title for secret findings
         secret_type = node.get("type", "Unknown Secret")
         resource_name = node.get("resource", {}).get("name", "Unknown Resource")
-        title = f"Secret Detected: {secret_type} in {resource_name}"
-
         # Build description with secret details
         description_parts = [
             f"Secret type: {secret_type}",
@@ -802,52 +1154,152 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         if rule := node.get("rule", {}):
             description_parts.append(f"Detection rule: {rule.get('name', 'Unknown')}")
 
-        description = "\n".join(description_parts)
-
-        return IntegrationFinding(
-            control_labels=[],
-            category="Wiz Secret Detection",
-            title=title,
-            description=description,
-            severity=severity,
-            status=self.map_status_to_issue_status(node.get("status", "Open")),
-            asset_identifier=asset_id,
-            external_id=node.get("id"),
-            first_seen=first_seen,
-            date_created=first_seen,
-            last_seen=format_to_regscale_iso(node.get("lastSeenAt") or get_current_datetime()),
-            remediation=f"Remove or properly secure the {secret_type} secret found in {resource_name}",
-            plugin_name=f"Wiz Secret Detection - {secret_type}",
-            vulnerability_type=WizVulnerabilityType.SECRET_FINDING.value,
-            due_date=due_date,
-            date_last_updated=format_to_regscale_iso(get_current_datetime()),
-            identification="Secret Scanning",
-        )
+        return {
+            "category": "Wiz Secret Detection",
+            "title": f"Secret Detected: {secret_type} in {resource_name}",
+            "description": "\n".join(description_parts),
+            "remediation": f"Remove or properly secure the {secret_type} secret found in {resource_name}",
+            "plugin_name": f"Wiz Secret Detection - {secret_type}",
+            "identification": "Secret Scanning",
+        }
 
-    def _parse_network_exposure_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
-        """Parse network exposure finding from Wiz.
+    def _parse_secret_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
+        """
+        Parse secret finding from Wiz.
 
         :param Dict[str, Any] node: The Wiz finding node to parse
         :return: The parsed IntegrationFinding or None if parsing fails
         :rtype: Optional[IntegrationFinding]
         """
-        asset_id = node.get("exposedEntity", {}).get("id")
+        finding_data = self._get_secret_finding_data(node)
+        return self._create_integration_finding(node, WizVulnerabilityType.SECRET_FINDING, finding_data)
+
+    def _create_integration_finding(
+        self, node: Dict[str, Any], vulnerability_type: WizVulnerabilityType, finding_data: Dict[str, Any]
+    ) -> Optional[IntegrationFinding]:
+        """
+        Unified method to create IntegrationFinding objects from Wiz data.
+
+        :param Dict[str, Any] node: The Wiz finding node to parse
+        :param WizVulnerabilityType vulnerability_type: The type of vulnerability
+        :param Dict[str, Any] finding_data: Finding-specific data (title, description, etc.)
+        :return: The parsed IntegrationFinding or None if parsing fails
+        :rtype: Optional[IntegrationFinding]
+        """
+        # Get asset identifier
+        asset_id = self.get_asset_id_from_node(node, vulnerability_type)
         if not asset_id:
+            logger.warning(
+                f"Skipping {vulnerability_type.value} finding '{node.get('name', 'Unknown')}' "
+                f"(ID: {node.get('id', 'Unknown')}) - no asset identifier found"
+            )
             return None
 
-        first_seen = node.get("firstSeenAt") or get_current_datetime()
-        first_seen = format_to_regscale_iso(first_seen)
+        # Get meaningful asset identifier for eMASS exports
+        provider_unique_id = self.get_provider_unique_id_from_node(node, vulnerability_type)
 
-        # Network exposures typically don't have explicit severity, assume Medium
-        severity = regscale_models.IssueSeverity.Moderate
+        # Parse dates
+        first_seen = self._get_first_seen_date(node)
+        last_seen = self._get_last_seen_date(node, first_seen)
+        # Get severity and calculate due date
+        severity = self.get_issue_severity(finding_data.get("severity") or node.get("severity", "Low"))
         due_date = regscale_models.Issue.get_due_date(severity, self.app.config, "wiz", first_seen)
 
-        # Create meaningful title for network exposure
+        # Get status with diagnostic logging
+        wiz_status = node.get("status", "Open")
+        logger.debug(f"Processing Wiz finding {node.get('id', 'Unknown')}: raw status from node = '{wiz_status}'")
+        status = self.map_status_to_issue_status(wiz_status)
+
+        # Add diagnostic logging for unexpected issue closure
+        if status == regscale_models.IssueStatus.Closed and wiz_status.upper() not in ["RESOLVED", "REJECTED"]:
+            logger.warning(
+                f"Unexpected issue closure: Wiz status '{wiz_status}' mapped to Closed status "
+                f"for finding {node.get('id', 'Unknown')} - '{finding_data.get('title', 'Unknown')}'. "
+                f"This may indicate a mapping configuration issue."
+            )
+
+        # Process comments if available
+        comments_dict = node.get("commentThread", {})
+        formatted_comments = self.process_comments(comments_dict) if comments_dict else None
+
+        # Build IntegrationFinding with unified data structure
+        integration_finding_data = {
+            "control_labels": [],
+            "category": finding_data.get("category", "Wiz Vulnerability"),
+            "title": finding_data.get("title", node.get("name", "Unknown vulnerability")),
+            "description": finding_data.get("description", node.get("description", "")),
+            "severity": severity,
+            "status": status,
+            "asset_identifier": asset_id,
+            "issue_asset_identifier_value": provider_unique_id,
+            "external_id": finding_data.get("external_id", node.get("id")),
+            "first_seen": first_seen,
+            "date_created": first_seen,
+            "last_seen": last_seen,
+            "remediation": finding_data.get("remediation", node.get("description", "")),
+            "plugin_name": finding_data.get("plugin_name", node.get("name", "Unknown")),
+            "vulnerability_type": vulnerability_type.value,
+            "due_date": due_date,
+            "date_last_updated": format_to_regscale_iso(get_current_datetime()),
+            "identification": finding_data.get("identification", "Vulnerability Assessment"),
+        }
+
+        # Add optional fields if present
+        if formatted_comments:
+            integration_finding_data["comments"] = formatted_comments
+            integration_finding_data["poam_comments"] = formatted_comments
+
+        # Add CVE-specific fields for generic findings
+        if finding_data.get("cve"):
+            integration_finding_data["cve"] = finding_data["cve"]
+        if finding_data.get("cvss_score"):
+            integration_finding_data["cvss_score"] = finding_data["cvss_score"]
+            integration_finding_data["cvss_v3_base_score"] = finding_data["cvss_score"]
+        if finding_data.get("source_rule_id"):
+            integration_finding_data["source_rule_id"] = finding_data["source_rule_id"]
+
+        return IntegrationFinding(**integration_finding_data)
+
+    def _get_first_seen_date(self, node: Dict[str, Any]) -> str:
+        """
+        Get the first seen date from a Wiz node, with fallbacks.
+
+        :param Dict[str, Any] node: The Wiz finding node
+        :return: ISO formatted first seen date
+        :rtype: str
+        """
+        first_seen = node.get("firstSeenAt") or node.get("firstDetectedAt") or get_current_datetime()
+        return format_to_regscale_iso(first_seen)
+
+    def _get_last_seen_date(self, node: Dict[str, Any], first_seen_fallback: str) -> str:
+        """
+        Get the last seen date from a Wiz node, with fallbacks.
+
+        :param Dict[str, Any] node: The Wiz finding node
+        :param str first_seen_fallback: Fallback date if no last seen available
+        :return: ISO formatted last seen date
+        :rtype: str
+        """
+        last_seen = (
+            node.get("lastSeenAt")
+            or node.get("lastDetectedAt")
+            or node.get("analyzedAt")
+            or first_seen_fallback
+            or get_current_datetime()
+        )
+        return format_to_regscale_iso(last_seen)
+
+    def _get_network_exposure_finding_data(self, node: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Extract data specific to network exposure findings.
+
+        :param Dict[str, Any] node: The Wiz finding node to parse
+        :return: Dictionary containing network exposure-specific data
+        :rtype: Dict[str, Any]
+        """
         exposed_entity = node.get("exposedEntity", {})
         entity_name = exposed_entity.get("name", "Unknown Entity")
         port_range = node.get("portRange", "Unknown Port")
-        title = f"Network Exposure: {entity_name} on {port_range}"
-
         # Build description with network details
         description_parts = [
             f"Exposed entity: {entity_name} ({exposed_entity.get('type', 'Unknown Type')})",
@@ -861,52 +1313,37 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         if net_protocols := node.get("networkProtocols"):
             description_parts.append(f"Network protocols: {', '.join(net_protocols)}")
 
-        description = "\n".join(description_parts)
-
-        return IntegrationFinding(
-            control_labels=[],
-            category="Wiz Network Exposure",
-            title=title,
-            description=description,
-            severity=severity,
-            status=IssueStatus.Open,
-            asset_identifier=asset_id,
-            external_id=node.get("id"),
-            first_seen=first_seen,
-            date_created=first_seen,
-            last_seen=first_seen,  # Network exposures may not have lastSeen
-            remediation=f"Review and restrict network access to {entity_name} on {port_range}",
-            plugin_name=f"Wiz Network Exposure - {port_range}",
-            vulnerability_type=WizVulnerabilityType.NETWORK_EXPOSURE_FINDING.value,
-            due_date=due_date,
-            date_last_updated=format_to_regscale_iso(get_current_datetime()),
-            identification="Network Security Assessment",
-        )
+        return {
+            "category": "Wiz Network Exposure",
+            "title": f"Network Exposure: {entity_name} on {port_range}",
+            "description": "\n".join(description_parts),
+            "severity": "Medium",  # Network exposures typically don't have explicit severity
+            "remediation": f"Review and restrict network access to {entity_name} on {port_range}",
+            "plugin_name": f"Wiz Network Exposure - {port_range}",
+            "identification": "Network Security Assessment",
+        }
 
-    def _parse_external_attack_surface_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
-        """Parse external attack surface finding from Wiz.
+    def _parse_network_exposure_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
+        """Parse network exposure finding from Wiz.
 
         :param Dict[str, Any] node: The Wiz finding node to parse
         :return: The parsed IntegrationFinding or None if parsing fails
         :rtype: Optional[IntegrationFinding]
         """
-        asset_id = node.get("exposedEntity", {}).get("id")
-        if not asset_id:
-            return None
+        finding_data = self._get_network_exposure_finding_data(node)
+        return self._create_integration_finding(node, WizVulnerabilityType.NETWORK_EXPOSURE_FINDING, finding_data)
 
-        first_seen = node.get("firstSeenAt") or get_current_datetime()
-        first_seen = format_to_regscale_iso(first_seen)
-
-        # External attack surface findings are typically high severity
-        severity = regscale_models.IssueSeverity.High
-        due_date = regscale_models.Issue.get_due_date(severity, self.app.config, "wiz", first_seen)
+    def _get_external_attack_surface_finding_data(self, node: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Extract data specific to external attack surface findings.
 
-        # Create meaningful title for external attack surface
+        :param Dict[str, Any] node: The Wiz finding node to parse
+        :return: Dictionary containing external attack surface-specific data
+        :rtype: Dict[str, Any]
+        """
         exposed_entity = node.get("exposedEntity", {})
         entity_name = exposed_entity.get("name", "Unknown Entity")
         port_range = node.get("portRange", "Unknown Port")
-        title = f"External Attack Surface: {entity_name} exposed on {port_range}"
-
         # Build description with attack surface details
         description_parts = [
             f"Externally exposed entity: {entity_name} ({exposed_entity.get('type', 'Unknown Type')})",
@@ -920,49 +1357,34 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             endpoint_names = [ep.get("name", "Unknown") for ep in endpoints[:3]]  # Limit to first 3
             description_parts.append(f"Application endpoints: {', '.join(endpoint_names)}")
 
-        description = "\n".join(description_parts)
-
-        return IntegrationFinding(
-            control_labels=[],
-            category="Wiz External Attack Surface",
-            title=title,
-            description=description,
-            severity=severity,
-            status=IssueStatus.Open,
-            asset_identifier=asset_id,
-            external_id=node.get("id"),
-            first_seen=first_seen,
-            date_created=first_seen,
-            last_seen=first_seen,
-            remediation=f"Review external exposure of {entity_name} and implement proper access controls",
-            plugin_name=f"Wiz External Attack Surface - {port_range}",
-            vulnerability_type=WizVulnerabilityType.EXTERNAL_ATTACH_SURFACE.value,
-            due_date=due_date,
-            date_last_updated=format_to_regscale_iso(get_current_datetime()),
-            identification="External Attack Surface Assessment",
-        )
+        return {
+            "category": "Wiz External Attack Surface",
+            "title": f"External Attack Surface: {entity_name} exposed on {port_range}",
+            "description": "\n".join(description_parts),
+            "severity": "High",  # External attack surface findings are typically high severity
+            "remediation": f"Review external exposure of {entity_name} and implement proper access controls",
+            "plugin_name": f"Wiz External Attack Surface - {port_range}",
+            "identification": "External Attack Surface Assessment",
+        }
 
-    def _parse_excessive_access_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
-        """Parse excessive access finding from Wiz.
+    def _parse_external_attack_surface_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
+        """Parse external attack surface finding from Wiz.
 
         :param Dict[str, Any] node: The Wiz finding node to parse
         :return: The parsed IntegrationFinding or None if parsing fails
         :rtype: Optional[IntegrationFinding]
         """
-        scope = node.get("scope", {})
-        asset_id = scope.get("graphEntity", {}).get("id")
-        if not asset_id:
-            return None
+        finding_data = self._get_external_attack_surface_finding_data(node)
+        return self._create_integration_finding(node, WizVulnerabilityType.EXTERNAL_ATTACH_SURFACE, finding_data)
 
-        first_seen = get_current_datetime()  # Excessive access findings may not have firstSeen
-        first_seen = format_to_regscale_iso(first_seen)
-        severity = self.get_issue_severity(node.get("severity", "Medium"))
-        due_date = regscale_models.Issue.get_due_date(severity, self.app.config, "wiz", first_seen)
-
-        # Use the finding name directly as it's descriptive
-        title = node.get("name", "Excessive Access Detected")
-        description = node.get("description", "")
+    def _get_excessive_access_finding_data(self, node: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Extract data specific to excessive access findings.
 
+        :param Dict[str, Any] node: The Wiz finding node to parse
+        :return: Dictionary containing excessive access-specific data
+        :rtype: Dict[str, Any]
+        """
         # Add remediation details
         remediation_parts = [node.get("description", "")]
         if remediation_instructions := node.get("remediationInstructions"):
@@ -970,42 +1392,34 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         if policy_name := node.get("builtInPolicyRemediationName"):
             remediation_parts.append(f"Built-in policy: {policy_name}")
 
-        remediation = "\n".join(filter(None, remediation_parts))
-
-        return IntegrationFinding(
-            control_labels=[],
-            category="Wiz Excessive Access",
-            title=title,
-            description=description,
-            severity=severity,
-            status=self.map_status_to_issue_status(node.get("status", "Open")),
-            asset_identifier=asset_id,
-            external_id=node.get("id"),
-            first_seen=first_seen,
-            date_created=first_seen,
-            last_seen=first_seen,
-            remediation=remediation,
-            plugin_name=f"Wiz Excessive Access - {node.get('remediationType', 'Unknown')}",
-            vulnerability_type=WizVulnerabilityType.EXCESSIVE_ACCESS_FINDING.value,
-            due_date=due_date,
-            date_last_updated=format_to_regscale_iso(get_current_datetime()),
-            identification="Access Control Assessment",
-        )
+        return {
+            "category": "Wiz Excessive Access",
+            "title": node.get("name", "Excessive Access Detected"),
+            "description": node.get("description", ""),
+            "remediation": "\n".join(filter(None, remediation_parts)),
+            "plugin_name": f"Wiz Excessive Access - {node.get('remediationType', 'Unknown')}",
+            "identification": "Access Control Assessment",
+        }
 
-    def _parse_end_of_life_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
-        """Parse end of life finding from Wiz."""
-        asset_id = node.get("vulnerableAsset", {}).get("id")
-        if not asset_id:
-            return None
+    def _parse_excessive_access_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
+        """Parse excessive access finding from Wiz.
 
-        first_seen = node.get("firstDetectedAt") or get_current_datetime()
-        first_seen = format_to_regscale_iso(first_seen)
-        severity = self.get_issue_severity(node.get("severity", "High"))
-        due_date = regscale_models.Issue.get_due_date(severity, self.app.config, "wiz", first_seen)
+        :param Dict[str, Any] node: The Wiz finding node to parse
+        :return: The parsed IntegrationFinding or None if parsing fails
+        :rtype: Optional[IntegrationFinding]
+        """
+        finding_data = self._get_excessive_access_finding_data(node)
+        return self._create_integration_finding(node, WizVulnerabilityType.EXCESSIVE_ACCESS_FINDING, finding_data)
+
+    def _get_end_of_life_finding_data(self, node: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Extract data specific to end of life findings.
 
-        # Create meaningful title for end-of-life findings
+        :param Dict[str, Any] node: The Wiz finding node to parse
+        :return: Dictionary containing end of life-specific data
+        :rtype: Dict[str, Any]
+        """
         name = node.get("name", "Unknown Technology")
-        title = f"End of Life: {name}"
 
         # Build description with EOL details
         description_parts = [node.get("description", "")]
@@ -1014,42 +1428,30 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         if recommended_version := node.get("recommendedVersion"):
             description_parts.append(f"Recommended version: {recommended_version}")
 
-        description = "\n".join(filter(None, description_parts))
-
-        return IntegrationFinding(
-            control_labels=[],
-            category="Wiz End of Life",
-            title=title,
-            description=description,
-            severity=severity,
-            status=self.map_status_to_issue_status(node.get("status", "Open")),
-            asset_identifier=asset_id,
-            external_id=node.get("id"),
-            first_seen=first_seen,
-            date_created=first_seen,
-            last_seen=format_to_regscale_iso(node.get("lastDetectedAt") or get_current_datetime()),
-            remediation=f"Upgrade {name} to a supported version",
-            plugin_name=f"Wiz End of Life - {name}",
-            vulnerability_type=WizVulnerabilityType.END_OF_LIFE_FINDING.value,
-            due_date=due_date,
-            date_last_updated=format_to_regscale_iso(get_current_datetime()),
-            identification="Technology Lifecycle Assessment",
-        )
+        return {
+            "category": "Wiz End of Life",
+            "title": f"End of Life: {name}",
+            "description": "\n".join(filter(None, description_parts)),
+            "severity": "High",  # End of life findings are typically high severity
+            "remediation": f"Upgrade {name} to a supported version",
+            "plugin_name": f"Wiz End of Life - {name}",
+            "identification": "Technology Lifecycle Assessment",
+        }
 
-    def _parse_generic_finding(
-        self, node: Dict[str, Any], vulnerability_type: WizVulnerabilityType
-    ) -> Optional[IntegrationFinding]:
-        """Generic parsing method for fallback cases."""
-        asset_id = self.get_asset_id_from_node(node, vulnerability_type)
-        if not asset_id:
-            return None
+    def _parse_end_of_life_finding(self, node: Dict[str, Any]) -> Optional[IntegrationFinding]:
+        """Parse end of life finding from Wiz."""
+        finding_data = self._get_end_of_life_finding_data(node)
+        return self._create_integration_finding(node, WizVulnerabilityType.END_OF_LIFE_FINDING, finding_data)
 
-        first_seen = node.get("firstDetectedAt") or node.get("firstSeenAt") or get_current_datetime()
-        first_seen = format_to_regscale_iso(first_seen)
-        severity = self.get_issue_severity(node.get("severity", "Low"))
-        due_date = regscale_models.Issue.get_due_date(severity, self.app.config, "wiz", first_seen)
+    def _get_generic_finding_data(self, node: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Extract data specific to generic findings.
 
-        status = self.map_status_to_issue_status(node.get("status", "Open"))
+        :param Dict[str, Any] node: The Wiz finding node to parse
+        :param WizVulnerabilityType vulnerability_type: The type of vulnerability
+        :return: Dictionary containing generic finding-specific data
+        :rtype: Dict[str, Any]
+        """
         name: str = node.get("name", "")
         cve = (
             name
@@ -1057,36 +1459,25 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             else node.get("cve", name)
         )
 
-        comments_dict = node.get("commentThread", {})
-        formatted_comments = self.process_comments(comments_dict)
-
-        return IntegrationFinding(
-            control_labels=[],
-            category="Wiz Vulnerability",
-            title=node.get("name", "Unknown vulnerability"),
-            description=node.get("description", ""),
-            severity=severity,
-            status=status,
-            asset_identifier=asset_id,
-            external_id=f"{node.get('sourceRule', {'id': cve}).get('id')}",
-            first_seen=first_seen,
-            date_created=first_seen,
-            last_seen=format_to_regscale_iso(
-                node.get("lastDetectedAt") or node.get("analyzedAt") or get_current_datetime()
-            ),
-            remediation=node.get("description", ""),
-            cvss_score=node.get("score"),
-            cve=cve,
-            plugin_name=cve,
-            cvss_v3_base_score=node.get("score"),
-            source_rule_id=node.get("sourceRule", {}).get("id"),
-            vulnerability_type=vulnerability_type.value,
-            due_date=due_date,
-            date_last_updated=format_to_regscale_iso(get_current_datetime()),
-            identification="Vulnerability Assessment",
-            comments=formatted_comments,
-            poam_comments=formatted_comments,
-        )
+        return {
+            "category": "Wiz Vulnerability",
+            "title": node.get("name", "Unknown vulnerability"),
+            "description": node.get("description", ""),
+            "external_id": f"{node.get('sourceRule', {'id': cve}).get('id')}",
+            "remediation": node.get("description", ""),
+            "plugin_name": cve,
+            "identification": "Vulnerability Assessment",
+            "cve": cve,
+            "cvss_score": node.get("score"),
+            "source_rule_id": node.get("sourceRule", {}).get("id"),
+        }
+
+    def _parse_generic_finding(
+        self, node: Dict[str, Any], vulnerability_type: WizVulnerabilityType
+    ) -> Optional[IntegrationFinding]:
+        """Generic parsing method for fallback cases."""
+        finding_data = self._get_generic_finding_data(node)
+        return self._create_integration_finding(node, vulnerability_type, finding_data)
 
     def get_compliance_settings(self):
         """
@@ -1164,12 +1555,22 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         """
         label_lower = label.lower()
 
-        # Check for open status mappings
-        if status_lower == "open" and label_lower in ["open", "active", "new"]:
+        logger.debug(f"Checking compliance label matching: status='{status_lower}', label='{label_lower}'")
+
+        # Check for open status mappings (including IN_PROGRESS)
+        if status_lower in ["open", "in_progress"] and label_lower in [
+            "open",
+            "active",
+            "new",
+            "in progress",
+            "in_progress",
+        ]:
+            logger.debug(f"Matched status '{status_lower}' with label '{label_lower}' -> IssueStatus.Open")
             return IssueStatus.Open
 
         # Check for closed status mappings
         if status_lower in ["resolved", "rejected"] and label_lower in ["closed", "resolved", "rejected", "completed"]:
+            logger.debug(f"Matched status '{status_lower}' with label '{label_lower}' -> IssueStatus.Closed")
             return IssueStatus.Closed
 
         return None
@@ -1184,10 +1585,19 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         """
         status_lower = status.lower()
 
-        if status_lower == "open":
+        # Add debug logging to trace status mapping
+        logger.debug(f"Mapping Wiz status: original='{status}', lowercase='{status_lower}'")
+
+        # Map open and in-progress statuses to Open
+        if status_lower in ["open", "in_progress"]:
+            logger.debug(f"Wiz status '{status}' mapped to IssueStatus.Open")
             return IssueStatus.Open
+        # Map resolved and rejected statuses to Closed
         if status_lower in ["resolved", "rejected"]:
+            logger.debug(f"Wiz status '{status}' mapped to IssueStatus.Closed")
             return IssueStatus.Closed
+        # Default to Open for any unknown status
+        logger.debug(f"Unknown Wiz status '{status}' encountered, defaulting to Open")
         return IssueStatus.Open
 
     def fetch_assets(self, *args, **kwargs) -> Iterator[IntegrationAsset]:
@@ -1298,6 +1708,13 @@ class WizVulnerabilityIntegration(ScannerIntegration):
 
         return software_version, software_vendor, software_name
 
+    @lru_cache()
+    def get_user_id(self) -> str:
+        """Function to return the default user ID
+        :return: The default user ID as a string
+        """
+        return RegScaleModel.get_user_id()
+
     def parse_asset(self, node: Dict[str, Any]) -> Optional[IntegrationAsset]:
         """
         Parses Wiz assets
@@ -1306,8 +1723,9 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :return: The parsed IntegrationAsset
         :rtype: Optional[IntegrationAsset]
         """
-        name = node.get("name", "")
+
         wiz_entity = node.get("graphEntity", {})
+        name = wiz_entity.get("providerUniqueId") or node.get("name", "")
         if not wiz_entity:
             logger.warning("No graph entity found for asset %s", name)
             return None
@@ -1336,7 +1754,7 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             other_tracking_number=node.get("id", ""),
             identifier=node.get("id", ""),
             asset_type=create_asset_type(node.get("type", "")),
-            asset_owner_id=ScannerVariables.userId,
+            asset_owner_id=self.get_user_id(),
             parent_id=self.plan_id,
             parent_module=regscale_models.SecurityPlan.get_module_slug(),
             asset_category=map_category(node),
@@ -1572,7 +1990,11 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :param str identifier: The missing asset identifier
         :rtype: None
         """
-        logger.info("🔍 Analyzing missing asset: %s", identifier)
+        # Only log detailed diagnostics for the first occurrence of each asset
+        if identifier in self.alerted_assets:
+            return
+
+        logger.debug("Analyzing missing asset: %s", identifier)
 
         # Define inventory files to search (constant moved up for clarity)
         inventory_files = (
@@ -1647,10 +2069,13 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         asset_type = self._extract_asset_type_from_node(asset_info)
         asset_name = self._extract_asset_name_from_node(asset_info)
 
-        logger.warning(
-            "🚨 MISSING ASSET FOUND: ID=%s, Type=%s, Name='%s', Source=%s\n"
-            "   💡 SOLUTION: Add '%s' to RECOMMENDED_WIZ_INVENTORY_TYPES in constants.py\n"
-            "   📍 Then re-run: regscale wiz inventory -id <plan_id> -p <project_id>",
+        # Track missing asset types for summary reporting
+        self._missing_asset_types.add(asset_type)
+
+        logger.info(
+            "Missing asset found in cached data - ID: %s, Type: %s, Name: '%s', Source: %s\n"
+            "   Action: Consider adding '%s' to RECOMMENDED_WIZ_INVENTORY_TYPES in constants.py\n"
+            "   Then re-run: regscale wiz inventory --wiz_project_id <project_id> -id <plan_id>",
             identifier,
             asset_type,
             asset_name,
@@ -1665,13 +2090,11 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :param str identifier: Asset identifier
         :rtype: None
         """
-        logger.warning(
-            "❓ MISSING ASSET ANALYSIS: ID=%s\n"
-            "   Asset not found in any cached data files.\n"
-            "   This may indicate:\n"
-            "   - Asset from different Wiz project\n"
-            "   - Asset type not included in current queries\n"
-            "   - Asset deleted from Wiz but finding still exists",
+        logger.debug(
+            "Asset not found in cached data - ID: %s. Possible reasons: "
+            "(1) Asset from different Wiz project, "
+            "(2) Asset type not included in queries, "
+            "(3) Asset deleted from Wiz",
             identifier,
         )