Wiz Integration – Clarification on last found not updating for active detections
11 hours ago
Hi everyone,
I’m currently facing an issue with the Wiz integration and would like to clarify how last found (mapped from lastDetectedAt) behaves, especially in relation to auto-closure rules.
We have an auto-close rule that closes Vulnerable Items if:
last_found is older than 14 days
Observed issue
- We are seeing multiple cases where:
  - The vulnerability is still ACTIVE in Wiz
- However, in ServiceNow:
  - The last found field is not being updated
- As a result:
  - The Vulnerable Item becomes stale
  - It gets auto-closed, even though the issue still exists in Wiz
Example scenario
- Vulnerability still active in Wiz as of: April 21
- In ServiceNow: Last Found = April 8.
- Because last_found was not updated: The detection was marked as stale. It was auto-closed on April 23
- After that: It was reopened on May 14, 2026
- Then again marked stale and closed on May 28, 2026
What I understand so far
From initial investigation:
- last found is mapped from Wiz:
  - lastDetectedAt → last_found
However, it seems like:
- Even if a detection remains active in Wiz, last found is not always refreshed in ServiceNow
Questions / Clarifications needed
I would like to confirm the following:
- Does Wiz only send detections to ServiceNow when there are changes (new, updated, or resolved)?
  If a detection is still active but unchanged, is it expected that it will not be re-sent?
- If no new payload is received, is it expected that last_found remains unchanged even if the detection is still active?
Any insights, confirmations, or best practices from others using Wiz integration would be greatly appreciated.
Thanks in advance! 🙏
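
The staleness condition described in the post can be audited offline before the rule acts on it. The following is an added example, not part of the original post and not Wiz or ServiceNow code: it classifies vulnerable items by what the 14-day rule would do on a given date and flags those the source still reports as active. The record layout, the item IDs and the `status` key are assumptions, and all sample data is constructed.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=14)  # auto-close threshold stated in the post

# Constructed sample data. The record layout, the IDs and the "status"
# key are assumptions for illustration, not a real export format.
VULNERABLE_ITEMS = [
    {"id": "VIT-A", "last_found": date(2026, 4, 8)},   # scenario from the post
    {"id": "VIT-B", "last_found": date(2026, 4, 20)},
    {"id": "VIT-C", "last_found": date(2026, 4, 1)},
    {"id": "VIT-D", "last_found": date(2026, 4, 2)},
]
# Status as reported by the source tool; VIT-D is deliberately missing.
SOURCE_STATUS = {"VIT-A": "ACTIVE", "VIT-B": "ACTIVE", "VIT-C": "RESOLVED"}


def audit_auto_close(items, source_status, as_of):
    """Return {item id: (verdict, age in days)} for the 14-day rule on `as_of`."""
    report = {}
    for item in items:
        age = as_of - item["last_found"]
        status = source_status.get(item["id"])
        if age <= STALE_AFTER:
            verdict = "keep_open"         # not older than 14 days yet
        elif status == "ACTIVE":
            verdict = "false_close"       # stale by date, still active at source
        elif status is None:
            verdict = "close_unverified"  # no source record to confirm against
        else:
            verdict = "close_ok"          # stale and not active at source
        report[item["id"]] = (verdict, age.days)
    return report


if __name__ == "__main__":
    for vid, (verdict, days) in audit_auto_close(
        VULNERABLE_ITEMS, SOURCE_STATUS, date(2026, 4, 23)
    ).items():
        print(f"{vid}: {verdict} (last_found {days} days ago)")
```

Items reported as `false_close` are the ones matching the scenario above: last_found has aged past the threshold while the source still lists the finding as active.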