Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
asc, desc
Number of days for time-based filtering (1-365). Used by stats/widget endpoints to set the time window.
Start date (inclusive, ISO8601 string)
End date (inclusive, ISO8601 string)
Filter cases by status
NEW, PROCESSING, ESCALATED, HUNTING, MONITORING, CHATOPS, CLOSED
Filter cases by verdict
MALICIOUS, SUSPICIOUS, BENIGN
Filter cases involving a specific asset
Filter cases by severity
INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL
Filter cases by asset type
USER, PROCESS, USER_AGENT, FILE, ENDPOINT, LOCATION, IP, DOMAIN
Filter cases by exclusion rule
Only include cases that were escalated
Only include cases that were contained
Only include cases that involve mobile devices
Only include cases that had a monitor
Only include cases that involved chat ops
Filter cases by integration platform
aws, axonius, bitwarden, box, checkpoint-firewall, checkpoint-harmony, cisco-catalyst, cisco-duo, cisco-meraki, cisco-secure-access, cisco-umbrella, connectwise-psa, crowdstrike-falcon, darktrace, email, fortianalyzer, fortinet, generic-json, generic-syslog, google-alert-center, google-directory, google-security-center, halcyon, halo-itsm, have-i-been-pwned, horizon3, hyas-protect, ipinfo, jamf-pro, jamf-protect, jira-cloud, jira-data-center, jumpcloud, kandji, manage-engine-ad-audit-plus, microsoft, microsoft-entra, microsoft-teams, microsoft-teams-v2, mimecast, odoo-helpdesk, okta, one-password, orca-security, palo-alto-networks-cortex, picus, ping-one, reversing-labs, safebreach, sentinel-one, service-now, slack, sms, smtp, sonic-wall, stairwell, thinkst-canary, vectra, watchguard-firebox, windows-event-logs, wirespeed, wiz, wordfence, zscaler-zpa
ENDPOINT, IDENTITY, CLOUD, EMAIL, NETWORK, DATA, POSTURE, OTHER
OTHER__DIAGNOSTIC, OTHER__INFORMATIONAL_EVENT, OTHER__WARNING, OTHER__UNKNOWN, OTHER__DECEPTION, OTHER__CUSTOM_DETECTION, CLOUD__INVOCATION, CLOUD__DISCOVERY, CLOUD__DATA_TRANSFER, CLOUD__PERSISTENCE, ENDPOINT__DISCOVERY, ENDPOINT__EXECUTION, ENDPOINT__LIVE_OFF_THE_LAND, ENDPOINT__NUISANCE, ENDPOINT__MALWARE_DISCOVERY, ENDPOINT__MALWARE_EXECUTION, ENDPOINT__LATE_STAGE, ENDPOINT__PERSISTENCE, ENDPOINT__REMOTE_MANAGEMENT, ENDPOINT__LATERAL_MOVEMENT, ENDPOINT__IMPACT, ENDPOINT__EVASION, ENDPOINT__EXPLOITATION, ENDPOINT__SIMULATION, ENDPOINT__PLANNED_CHANGE, IDENTITY__LOGIN, IDENTITY__REJECTED_MFA, IDENTITY__DISCOVERY, IDENTITY__BRUTE_FORCE, IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE, IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE, IDENTITY__PERSISTENCE, IDENTITY__ACCOUNT_COMPROMISE, IDENTITY__SIMULATION, NETWORK__INBOUND_CONNECTION, NETWORK__OUTBOUND_CONNECTION, NETWORK__PHISHING, NETWORK__NOISY, NETWORK__DISCOVERY, EMAIL__PHISHING, EMAIL__PHISHING_REPORTED, EMAIL__EVASION, EMAIL__MALWARE, EMAIL__MALICIOUS_LINK, EMAIL__GRAYMAIL, EMAIL__SPAM, EMAIL__BUSINESS_EMAIL_COMPROMISE, DATA__DATA_TRANSFER, DATA__DATA_SHARE, POSTURE__POSTURE, POSTURE__HEALTH
Filter by creation date
Filter cases by group IDs (OR) — matches cases with detections whose users or endpoints belong to any of the specified groups