Skip to main content
GET
/
detection
/
{id}
/
aql-questions
Get AQL questions for detection
curl --request GET \
  --url https://api.wirespeed.co/detection/{id}/aql-questions \
  --header 'Authorization: Bearer <token>'
[
  {
    "id": "<string>",
    "aqlSampleId": "<string>",
    "question": "ESCALATED_CORRECTLY",
    "aqlBatchId": "<string>",
    "detectionId": "<string>",
    "defect": true,
    "defectReason": "SHOULD_HAVE_BEEN_ESCALATED",
    "reviewedBy": "<string>",
    "defectLevel": "NONE",
    "comment": "<string>",
    "internalComment": "<string>",
    "userEmail": "<string>",
    "overrideCategory": "OTHER__DIAGNOSTIC"
  }
]

Documentation Index

Fetch the complete documentation index at: https://docs.wirespeed.co/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

id
string
required

Detection identifier

Response

id
string
required

Unique identifier for the AQL question

aqlSampleId
string
required

ID of the AQL sample this question belongs to

question
enum<string>
required

The specific AQL question being asked

Available options:
ESCALATED_CORRECTLY,
CATEGORIZED_CORRECTLY,
DESCRIPTION_CORRECT,
NEXT_STEPS_CORRECT,
TIMELINE_CORRECT,
ASSETS_EXTRACTED_CORRECTLY,
OTHER_DEFECTS
aqlBatchId
string
required

ID of the AQL batch this question belongs to

detectionId
string
required

ID of the detection being reviewed

defect
boolean
required

Whether this sample has a defect

defectReason
enum<string>

Reason for the defect if one exists

Available options:
SHOULD_HAVE_BEEN_ESCALATED,
SHOULD_NOT_HAVE_BEEN_ESCALATED,
INCORRECT_CATEGORY,
INCORRECT_DESCRIPTION,
INCORRECT_TIMELINE,
INCORRECT_NEXT_STEPS,
INCORRECT_EXTRACTIONS,
OTHER
reviewedBy
string

User ID who reviewed this question

defectLevel
enum<string>

Severity level of the defect

Available options:
NONE,
CRITICAL,
MAJOR,
MINOR
comment
string

Additional comments about the inspection

internalComment
string

Internal notes visible only to reviewers in the AQL modal (not sent to customer)

userEmail
string

Email of the user who reviewed this question

overrideCategory
enum<string>

Correct category suggested when marking categorization as incorrect

Available options:
OTHER__DIAGNOSTIC,
OTHER__INFORMATIONAL_EVENT,
OTHER__WARNING,
OTHER__UNKNOWN,
OTHER__DECEPTION,
OTHER__CUSTOM_DETECTION,
CLOUD__INVOCATION,
CLOUD__DISCOVERY,
CLOUD__DATA_TRANSFER,
CLOUD__PERSISTENCE,
ENDPOINT__DISCOVERY,
ENDPOINT__EXECUTION,
ENDPOINT__LIVE_OFF_THE_LAND,
ENDPOINT__NUISANCE,
ENDPOINT__MALWARE_DISCOVERY,
ENDPOINT__MALWARE_EXECUTION,
ENDPOINT__LATE_STAGE,
ENDPOINT__PERSISTENCE,
ENDPOINT__REMOTE_MANAGEMENT,
ENDPOINT__LATERAL_MOVEMENT,
ENDPOINT__IMPACT,
ENDPOINT__EVASION,
ENDPOINT__EXPLOITATION,
ENDPOINT__SIMULATION,
ENDPOINT__PLANNED_CHANGE,
IDENTITY__LOGIN,
IDENTITY__REJECTED_MFA,
IDENTITY__DISCOVERY,
IDENTITY__BRUTE_FORCE,
IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE,
IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE,
IDENTITY__PERSISTENCE,
IDENTITY__ACCOUNT_COMPROMISE,
IDENTITY__SIMULATION,
NETWORK__INBOUND_CONNECTION,
NETWORK__OUTBOUND_CONNECTION,
NETWORK__PHISHING,
NETWORK__NOISY,
NETWORK__DISCOVERY,
EMAIL__PHISHING,
EMAIL__PHISHING_REPORTED,
EMAIL__EVASION,
EMAIL__MALWARE,
EMAIL__MALICIOUS_LINK,
EMAIL__GRAYMAIL,
EMAIL__SPAM,
EMAIL__BUSINESS_EMAIL_COMPROMISE,
DATA__DATA_TRANSFER,
DATA__DATA_SHARE,
POSTURE__POSTURE,
POSTURE__HEALTH