Skip to main content
POST
/
cases
Search and list cases
curl --request POST \
  --url https://api.wirespeed.co/cases \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "size": 123,
  "page": 123,
  "filter": "<string>",
  "search": "<string>",
  "orderBy": "<string>",
  "orderDir": "asc",
  "statuses": [
    "NEW"
  ],
  "verdict": "MALICIOUS",
  "assetId": "<string>",
  "severity": "INFORMATIONAL",
  "assetType": "USER",
  "exclusionId": "<string>",
  "onlyWasEscalated": true,
  "onlyWasContained": true,
  "onlyWasMobile": true,
  "onlyChatOps": true,
  "integrationPlatform": "microsoft-teams",
  "hideDemoClients": true,
  "categoryClass": "ENDPOINT",
  "category": "OTHER__DIAGNOSTIC",
  "createdAt": {
    "gt": "<string>",
    "gte": "<string>",
    "lt": "<string>",
    "lte": "<string>"
  }
}
'
{
  "data": [
    {
      "id": "<string>",
      "sid": "<string>",
      "teamId": "<string>",
      "lastNotifiedClientAt": {},
      "status": "NEW",
      "createdAt": "<string>",
      "detectionSids": [
        "<string>"
      ],
      "testMode": true,
      "firstDetectionSourceIngestedAt": "<string>",
      "firstDetectionSourceDetectedAt": "<string>",
      "logs": [
        {
          "log": "<string>",
          "timestamp": "<string>",
          "debug": true
        }
      ],
      "contained": true,
      "reingested": true,
      "verdict": "MALICIOUS",
      "title": "<string>",
      "categories": [
        "OTHER__DIAGNOSTIC"
      ],
      "excludeFromMeans": true,
      "firstRun": true,
      "containsVIP": true,
      "containsHVA": true,
      "containsMobile": true,
      "severity": "<string>",
      "severityOrdinal": 123,
      "name": "<string>",
      "updatedAt": "<string>",
      "closedAt": "<string>",
      "verdictedAt": "<string>",
      "detectionCount": 123,
      "mttr": 123,
      "teamName": "<string>",
      "externalTicketId": "<string>",
      "externalTicketIntegrationId": "<string>",
      "autoContained": true,
      "respondedAt": "<string>",
      "platforms": [
        "<string>"
      ],
      "notes": "<string>",
      "clientNotified": true,
      "summary": "<string>",
      "hasPassedAql": true
    }
  ],
  "totalCount": 123
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json
size
number
page
number
filter
string
search
string
orderBy
string
orderDir
enum<string>
Available options:
asc,
desc
statuses
enum<string>[]

Filter cases by status

Available options:
NEW,
PROCESSING,
ESCALATED,
HUNTING,
MONITORING,
CHATOPS,
CLOSED
verdict
enum<string>

Filter cases by verdict

Available options:
MALICIOUS,
SUSPICIOUS,
BENIGN
assetId
string

Filter cases involving a specific asset

severity
enum<string>

Filter cases by severity

Available options:
INFORMATIONAL,
LOW,
MEDIUM,
HIGH,
CRITICAL
assetType
enum<string>

Filter cases by asset type

Available options:
USER,
PROCESS,
USER_AGENT,
FILE,
ENDPOINT,
LOCATION,
IP,
DOMAIN
exclusionId
string

Filter cases by exclusion rule

onlyWasEscalated
boolean

Only include cases that were escalated

onlyWasContained
boolean

Only include cases that were contained

onlyWasMobile
boolean

Only include cases that involve mobile devices

onlyChatOps
boolean

Only include cases that involved chat ops

integrationPlatform
enum<string>

Filter cases by integration platform

Available options:
microsoft-teams,
google-alert-center,
reversing-labs,
jamf-protect,
jamf-pro,
thinkst-canary,
generic-json,
box,
hyas-protect,
checkpoint-harmony,
sms,
safebreach,
wirespeed,
vectra,
wiz,
microsoft,
ipinfo,
cisco-umbrella,
jira-data-center,
windows-event-logs,
crowdstrike-falcon,
cisco-duo,
cisco-meraki,
fortianalyzer,
jira-cloud,
microsoft-entra,
have-i-been-pwned,
manage-engine-ad-audit-plus,
google-directory,
mimecast,
okta,
sentinel-one,
slack,
aws,
kandji,
wordfence,
generic-syslog,
cisco-catalyst,
connectwise-psa,
email,
fortinet
hideDemoClients
boolean
categoryClass
enum<string>
Available options:
ENDPOINT,
IDENTITY,
CLOUD,
EMAIL,
NETWORK,
DATA,
POSTURE,
OTHER
category
enum<string>
Available options:
OTHER__DIAGNOSTIC,
OTHER__INFORMATIONAL_EVENT,
OTHER__WARNING,
OTHER__UNKNOWN,
OTHER__DECEPTION,
OTHER__CUSTOM_DETECTION,
CLOUD__INVOCATION,
CLOUD__DISCOVERY,
CLOUD__DATA_TRANSFER,
CLOUD__PERSISTENCE,
ENDPOINT__DISCOVERY,
ENDPOINT__EXECUTION,
ENDPOINT__LIVE_OFF_THE_LAND,
ENDPOINT__NUISANCE,
ENDPOINT__MALWARE_DISCOVERY,
ENDPOINT__MALWARE_EXECUTION,
ENDPOINT__LATE_STAGE,
ENDPOINT__PERSISTENCE,
ENDPOINT__REMOTE_MANAGEMENT,
ENDPOINT__LATERAL_MOVEMENT,
ENDPOINT__IMPACT,
ENDPOINT__EVASION,
ENDPOINT__EXPLOITATION,
ENDPOINT__SIMULATION,
IDENTITY__LOGIN,
IDENTITY__REJECTED_MFA,
IDENTITY__DISCOVERY,
IDENTITY__BRUTE_FORCE,
IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE,
IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE,
IDENTITY__PERSISTENCE,
IDENTITY__ACCOUNT_COMPROMISE,
NETWORK__INBOUND_CONNECTION,
NETWORK__OUTBOUND_CONNECTION,
NETWORK__PHISHING,
NETWORK__NOISY,
EMAIL__PHISHING,
EMAIL__PHISHING_REPORTED,
EMAIL__EVASION,
EMAIL__MALWARE,
EMAIL__MALICIOUS_LINK,
EMAIL__GRAYMAIL,
EMAIL__SPAM,
EMAIL__BUSINESS_EMAIL_COMPROMISE,
DATA__DATA_TRANSFER,
DATA__DATA_SHARE,
POSTURE__POSTURE
createdAt
object

Filter by creation date

Response

200 - application/json
data
object[]
required
totalCount
number
required