GET
/
detection
/
{idOrSid}
Get detection by ID or SID
# Fetch one detection; the path segment accepts either the detection's id or its sid.
# The Authorization value is a credential: keep it out of shell history and logs
# (e.g. read it from an environment variable or a secrets manager) and only send
# it to the HTTPS endpoint shown here.
curl --request GET \
  --url https://api.wirespeed.co/detection/{idOrSid} \
  --header 'Authorization: Bearer <token>'
{
  "id": "<string>",
  "teamId": "<string>",
  "teamName": "<string>",
  "sourceDescription": "<string>",
  "notes": "<string>",
  "sourceName": "<string>",
  "description": "<string>",
  "status": "NEW",
  "createdAt": "<string>",
  "containments": [
    "USER"
  ],
  "testMode": true,
  "caseId": "<string>",
  "sourceIngestedAt": "<string>",
  "sourceDetectedAt": "<string>",
  "verdictedAt": "<string>",
  "updatedAt": "<string>",
  "closedAt": "<string>",
  "logs": [
    {
      "log": "<string>",
      "timestamp": "<string>",
      "debug": true
    }
  ],
  "raw": {},
  "verdict": "MALICIOUS",
  "title": "<string>",
  "integrationPlatform": "microsoft-teams",
  "integrationId": "<string>",
  "duplicateDetectionId": "<string>",
  "contained": true,
  "nextSteps": "<string>",
  "reingested": true,
  "prevented": true,
  "excludeFromMeans": true,
  "caseSid": "<string>",
  "sid": "<string>",
  "firstRun": true,
  "containOnChatOpsFailure": true,
  "wasEscalated": true,
  "ocsfDetectionFinding": {},
  "actionSlug": "<string>",
  "exclusionId": "<string>",
  "exclusionSid": "<string>",
  "autoClosed": true,
  "autoContained": true,
  "category": "OTHER__DIAGNOSTIC",
  "verdictSetting": {
    "id": "<string>",
    "stage": "TRIAGE",
    "default": true,
    "managedByWspd": true,
    "category": "OTHER__DIAGNOSTIC",
    "wspdRule": "CLOUD__INVOCATION",
    "escalate": true,
    "chatOps": true,
    "close": true,
    "disabled": true,
    "containUser": true,
    "containEndpoint": true,
    "chatOpsMFA": true,
    "monitor": true,
    "managerChatOps": true,
    "vipChatOps": true,
    "createdAt": "<string>",
    "updatedAt": "<string>",
    "teamId": "<string>",
    "chatOpsTimeoutVerdict": "MALICIOUS",
    "chatOpsTimeoutMonitor": true,
    "chatOpsUnsureVerdict": "MALICIOUS",
    "verdict": "MALICIOUS",
    "description": "<string>",
    "managedByParent": true,
    "severity": "INFORMATIONAL",
    "useSourceSeverity": true
  },
  "chatOpsTest": true,
  "severity": "INFORMATIONAL",
  "severityOrdinal": 123,
  "containsVIP": true,
  "containsHVA": true,
  "excluded": true,
  "chatOpsTestEmail": "<string>",
  "chatOpsTestPhoneNumber": "<string>",
  "customDetectionId": "<string>",
  "endpoints": [
    {
      "id": "<string>",
      "displayName": "<string>",
      "teamId": "<string>",
      "edrSourceId": "<string>",
      "mdmSourceId": "<string>",
      "name": "<string>",
      "hva": true,
      "hvaOverriddenByUser": true,
      "createdAt": "<string>",
      "privateIpAddress": "<string>",
      "live": true,
      "operatingSystem": "<string>",
      "integrationId": {},
      "contained": true,
      "managed": true,
      "publicIPs": [
        {
          "ipv4": "<string>",
          "ipv6": "<string>",
          "metadata": {
            "ip": "<string>",
            "hostname": "<string>",
            "city": "<string>",
            "region": "<string>",
            "country": "<string>",
            "loc": "<string>",
            "postal": "<string>",
            "timezone": "<string>",
            "org": "<string>",
            "asn": {
              "asn": "<string>",
              "name": "<string>",
              "domain": "<string>",
              "route": "<string>",
              "type": "<string>"
            },
            "company": {
              "name": "<string>",
              "domain": "<string>",
              "type": "<string>"
            },
            "privacy": {
              "vpn": true,
              "proxy": true,
              "tor": true,
              "relay": true,
              "hosting": true,
              "service": "<string>"
            },
            "abuse": {
              "address": "<string>",
              "country": "<string>",
              "email": "<string>",
              "name": "<string>",
              "network": "<string>",
              "phone": "<string>",
              "ofac": true,
              "adversarial": true
            },
            "domains": {
              "ip": "<string>",
              "total": 123,
              "domains": [
                "<string>"
              ]
            },
            "ofac": true,
            "adversarial": true
          },
          "displayName": "<string>",
          "id": "<string>",
          "teamId": "<string>",
          "createdAt": "<string>",
          "updatedAt": "<string>",
          "locationId": "<string>",
          "metadataLastFetchedAt": "<string>",
          "known": true,
          "safe": true,
          "detectionSid": "<string>"
        }
      ],
      "workstation": true,
      "server": true,
      "mobile": true,
      "updatedAt": "<string>",
      "raw": {}
    }
  ],
  "files": [
    {
      "id": "<string>",
      "displayName": "<string>",
      "teamId": "<string>",
      "name": "<string>",
      "path": "<string>",
      "sha256": "<string>",
      "sha1": "<string>",
      "toolName": "<string>",
      "createdAt": "<string>",
      "updatedAt": "<string>",
      "lastEnrichedAt": {},
      "nameWithPath": "<string>",
      "fileRisk": "BENIGN",
      "metadata": {
        "threatNames": [
          {
            "name": "<string>",
            "engine": "<string>",
            "excluded": true
          }
        ],
        "lastScanTime": {},
        "story": "<string>",
        "versionInfo": [
          {
            "name": "<string>",
            "value": "<string>"
          }
        ],
        "proposedFileNames": [
          "<string>"
        ]
      },
      "enrichedViaIntegration": true
    }
  ],
  "processes": [
    {
      "id": "<string>",
      "displayName": "<string>",
      "teamId": "<string>",
      "command": "<string>",
      "sha256": "<string>",
      "sha1": "<string>",
      "createdAt": "<string>"
    }
  ],
  "locations": [
    {
      "id": "<string>",
      "displayName": "<string>",
      "teamId": "<string>",
      "lat": "<string>",
      "lon": "<string>",
      "city": "<string>",
      "state": "<string>",
      "country": "<string>",
      "countryCode": "<string>",
      "continent": "<string>",
      "continentCode": "<string>",
      "createdAt": "<string>",
      "known": true,
      "safe": true,
      "detectionSid": "<string>"
    }
  ],
  "directory": [
    {
      "id": "<string>",
      "displayName": "<string>",
      "teamId": "<string>",
      "enabled": true,
      "directoryId": "<string>",
      "name": "<string>",
      "phoneNumber": "<string>",
      "previousPhoneNumber": "<string>",
      "title": "<string>",
      "email": "<string>",
      "additionalEmails": [
        "<string>"
      ],
      "allEmails": [
        "<string>"
      ],
      "vip": true,
      "nhi": true,
      "financial": true,
      "technical": true,
      "managerDirectoryId": "<string>",
      "managerEmail": "<string>",
      "domain": "<string>",
      "department": "<string>",
      "createdAt": "<string>",
      "integrationId": {},
      "roles": [
        "<string>"
      ],
      "lastCredentialExposure": {},
      "credentialsExposed": true,
      "numberCredentialExposures": 123,
      "lastCheckedForCredentialExposures": {},
      "needsChatOpsWelcome": true,
      "contained": true,
      "username": "<string>",
      "containable": true,
      "smsConsentReceivedAt": {},
      "administrator": true,
      "updatedAt": "<string>",
      "passwordLastChangedAt": "<string>",
      "lastSignInAt": "<string>",
      "raw": {},
      "tags": [
        {
          "id": "<string>",
          "directoryUserId": "<string>",
          "tag": "VIP",
          "automationId": "<string>",
          "teamId": "<string>",
          "overriddenByUser": true,
          "enabled": true,
          "createdAt": "<string>"
        }
      ],
      "managed": true,
      "chatOpsOnboardingUser": true
    }
  ],
  "ips": [
    {
      "ipv4": "<string>",
      "ipv6": "<string>",
      "metadata": {
        "ip": "<string>",
        "hostname": "<string>",
        "city": "<string>",
        "region": "<string>",
        "country": "<string>",
        "loc": "<string>",
        "postal": "<string>",
        "timezone": "<string>",
        "org": "<string>",
        "asn": {
          "asn": "<string>",
          "name": "<string>",
          "domain": "<string>",
          "route": "<string>",
          "type": "<string>"
        },
        "company": {
          "name": "<string>",
          "domain": "<string>",
          "type": "<string>"
        },
        "privacy": {
          "vpn": true,
          "proxy": true,
          "tor": true,
          "relay": true,
          "hosting": true,
          "service": "<string>"
        },
        "abuse": {
          "address": "<string>",
          "country": "<string>",
          "email": "<string>",
          "name": "<string>",
          "network": "<string>",
          "phone": "<string>",
          "ofac": true,
          "adversarial": true
        },
        "domains": {
          "ip": "<string>",
          "total": 123,
          "domains": [
            "<string>"
          ]
        },
        "ofac": true,
        "adversarial": true
      },
      "displayName": "<string>",
      "id": "<string>",
      "teamId": "<string>",
      "createdAt": "<string>",
      "updatedAt": "<string>",
      "locationId": "<string>",
      "metadataLastFetchedAt": "<string>",
      "known": true,
      "safe": true,
      "detectionSid": "<string>"
    }
  ],
  "domains": [
    {
      "id": "<string>",
      "displayName": "<string>",
      "teamId": "<string>",
      "name": "<string>",
      "createdAt": "<string>"
    }
  ],
  "fileRisk": "BENIGN",
  "userAgents": [
    {
      "id": "<string>",
      "userAgent": "<string>",
      "userAgentAlt": "<string>",
      "teamId": "<string>",
      "createdAt": "<string>",
      "displayName": "<string>",
      "browserName": "<string>",
      "browserVersion": "<string>",
      "browserMajorVersion": "<string>",
      "cpuArchitecture": "<string>",
      "deviceModel": "<string>",
      "deviceVendor": "<string>",
      "engineName": "<string>",
      "engineVersion": "<string>",
      "osName": "<string>",
      "osVersion": "<string>"
    }
  ],
  "whatHappened": "<string>",
  "chatOpsActions": [
    {
      "id": "<string>",
      "teamId": "<string>",
      "directoryUserId": "<string>",
      "integrationId": {},
      "detectionId": "<string>",
      "caseId": "<string>",
      "mfaAttempts": 123,
      "isManager": true,
      "createdAt": "<string>",
      "message": "<string>",
      "settingsAtTimeOfAction": {},
      "respondedAt": "<string>",
      "ipAddress": "<string>",
      "verdict": "MALICIOUS",
      "isTimeout": true,
      "isRateLimited": true,
      "isMfaSuccess": true,
      "isMfaFailure": true,
      "isMfaUnavailable": true,
      "mfaRespondedAt": "<string>"
    }
  ],
  "containmentActions": [
    {
      "id": "<string>",
      "teamId": "<string>",
      "detectionId": "<string>",
      "caseId": "<string>",
      "type": "directory_user",
      "action": "contain",
      "endpointId": "<string>",
      "directoryUserId": "<string>",
      "userId": "<string>",
      "result": "success",
      "integrationResponse": {},
      "createdAt": "<string>"
    }
  ]
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form `Bearer <token>`, where `<token>` is your auth token. The token is a credential: send it only over HTTPS (as in the example URL) and keep it out of logs, shell history and client-side code.

Path Parameters

idOrSid
string
required

The detection's `id` (unique identifier) or its `sid` (short identifier); both values are returned in the response body.

Response

id
string
required

Unique identifier for the detection

teamId
string
required

ID of the team that owns this detection

status
enum<string>
required

Current status of the detection

Available options:
NEW,
PROCESSING,
ESCALATED,
HUNTING,
MONITORING,
CLOSED
createdAt
string
required

Timestamp when the detection was created

containments
enum<string>[]
required

Types of containment actions performed (e.g. `USER`, as in the example response); the full set of enum values is not listed on this page.

testMode
boolean
required

Whether this detection is in test mode

sourceIngestedAt
string
required

Timestamp when the detection was ingested by Wirespeed

sourceDetectedAt
string
required

Timestamp when the detection was originally detected by source

logs
object[]
required

Chronological log entries for this detection

raw
object
required

Raw detection payload as received from the source system. Treat it as untrusted input when rendering or forwarding it — it may contain attacker-controlled strings — and note that it may also carry sensitive data not shown in the normalized fields.

verdict
enum<string>
required

Final verdict assigned to the detection

Available options:
MALICIOUS,
SUSPICIOUS,
BENIGN
title
string
required

Display title for the detection

integrationPlatform
enum<string>
required

Source integration platform that generated this detection

Available options:
microsoft-teams,
google-alert-center,
reversing-labs,
jamf-protect,
jamf-pro,
thinkst-canary,
generic-json,
box,
hyas-protect,
checkpoint-harmony,
wirespeed,
wiz,
microsoft,
ipinfo,
cisco-umbrella,
jira-data-center,
windows-event-logs,
crowdstrike-falcon,
cisco-duo,
cisco-meraki,
fortianalyzer,
jira-cloud,
microsoft-entra,
have-i-been-pwned,
manage-engine-ad-audit-plus,
google-directory,
okta,
sentinel-one,
slack,
aws,
kandji,
wordfence,
generic-syslog,
cisco-catalyst,
connectwise-psa,
email,
fortinet
contained
boolean
required

Whether containment actions were performed on this detection

reingested
boolean
required

Whether this detection was reprocessed after initial ingestion

prevented
boolean
required

Whether the detected threat was successfully prevented

excludeFromMeans
boolean
required

Whether to exclude this detection from MTTR and other metrics calculations

sid
string
required

Short identifier for this detection

firstRun
boolean
required

Whether this is the first time this detection has been processed

containOnChatOpsFailure
boolean
required

Whether the detection is automatically contained when the ChatOps workflow fails (e.g. the user cannot be reached or does not respond in time), i.e. fail-closed rather than fail-open

wasEscalated
boolean
required

Whether this detection was escalated to external systems

ocsfDetectionFinding
object
required

Detection finding normalized to the OCSF (Open Cybersecurity Schema Framework) schema

category
enum<string>
required

Security category classification for this detection

Available options:
OTHER__DIAGNOSTIC,
OTHER__INFORMATIONAL_EVENT,
OTHER__WARNING,
OTHER__UNKNOWN,
OTHER__DECEPTION,
OTHER__CUSTOM_DETECTION,
CLOUD__INVOCATION,
CLOUD__DISCOVERY,
CLOUD__DATA_TRANSFER,
CLOUD__PERSISTENCE,
ENDPOINT__DISCOVERY,
ENDPOINT__EXECUTION,
ENDPOINT__LIVE_OFF_THE_LAND,
ENDPOINT__NUISANCE,
ENDPOINT__MALWARE_DISCOVERY,
ENDPOINT__MALWARE_EXECUTION,
ENDPOINT__LATE_STAGE,
ENDPOINT__PERSISTENCE,
ENDPOINT__REMOTE_MANAGEMENT,
ENDPOINT__LATERAL_MOVEMENT,
ENDPOINT__IMPACT,
ENDPOINT__EVASION,
IDENTITY__LOGIN,
IDENTITY__REJECTED_MFA,
IDENTITY__DISCOVERY,
IDENTITY__BRUTE_FORCE,
IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE,
IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE,
IDENTITY__PERSISTENCE,
IDENTITY__ACCOUNT_COMPROMISE,
NETWORK__INBOUND_CONNECTION,
NETWORK__OUTBOUND_CONNECTION,
NETWORK__PHISHING,
NETWORK__NOISY,
EMAIL__PHISHING,
EMAIL__PHISHING_REPORTED,
EMAIL__MALWARE,
EMAIL__MALICIOUS_LINK,
EMAIL__GRAYMAIL,
EMAIL__SPAM,
EMAIL__BUSINESS_EMAIL_COMPROMISE,
DATA__DATA_TRANSFER,
DATA__DATA_SHARE,
POSTURE__POSTURE
chatOpsTest
boolean
required

Whether this detection is part of a ChatOps test scenario

severity
enum<string>
required

Severity level of the detection

Available options:
INFORMATIONAL,
LOW,
MEDIUM,
HIGH,
CRITICAL
severityOrdinal
number
required

Numeric representation of severity for sorting purposes

containsVIP
boolean
required

Whether this detection involves VIP users

containsHVA
boolean
required

Whether this detection involves high-value assets

excluded
boolean
required

Whether this detection is excluded by an exclusion rule

endpoints
object[]
required

Endpoints involved in this detection

files
object[]
required

Files involved in this detection

processes
object[]
required

Processes involved in this detection

locations
object[]
required

Geographic locations involved in this detection

directory
object[]
required

Directory users involved in this detection

ips
object[]
required

IP addresses involved in this detection

domains
object[]
required

Domains involved in this detection

fileRisk
enum<string>
required

Highest risk level among all files in this detection

Available options:
BENIGN,
MALWARE,
LATE_STAGE,
NUISANCE,
LIVE_OFF_THE_LAND,
REMOTE_MANAGEMENT,
UNKNOWN
userAgents
object[]
required

User agents involved in this detection

whatHappened
string
required

AI-generated summary of what happened in this detection. Treat it as an analyst aid rather than an authoritative record; verify conclusions against `raw` and `logs` before acting on them.

chatOpsActions
object[]
required

ChatOps actions performed on this detection

containmentActions
object[]
required

Containment actions performed on this detection

teamName
string

Name of the team that owns this detection

sourceDescription
string

Description from the source system

notes
string

User-added notes about the detection

sourceName
string

Name of the source that generated this detection

description
string

Detailed description of the detection

caseId
string

ID of the case this detection belongs to

verdictedAt
string

Timestamp when the detection verdict was assigned

updatedAt
string

Timestamp when the detection was last updated

closedAt
string

Timestamp when the detection was closed

integrationId
string

ID of the integration instance that generated this detection

duplicateDetectionId
string

ID of the original detection if this is a duplicate

nextSteps
string

AI-generated recommended next steps for this detection. These are suggestions, not executed actions; review them before carrying them out, especially where they imply containment or configuration changes.

caseSid
string

Short identifier for the case this detection belongs to

actionSlug
string

Slug identifier for the action taken on this detection

exclusionId
string

ID of the exclusion rule that matches this detection

exclusionSid
string

Short identifier for the exclusion rule that matches this detection

autoClosed
boolean

Whether this detection was automatically closed by the system

autoContained
boolean

Whether this detection was automatically contained by the system

verdictSetting
object

Verdict rule configuration that was applied to this detection

chatOpsTestEmail
string

Email address for ChatOps testing notifications

chatOpsTestPhoneNumber
string

Phone number for ChatOps testing notifications

customDetectionId
string

ID of the custom detection that generated this detection