Skip to main content
POST
/
detection
/
stats
/
category-class
Get detection statistics by category class
curl --request POST \
  --url https://api.wirespeed.co/detection/stats/category-class \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "size": 123,
  "page": 123,
  "filter": "<string>",
  "search": "<string>",
  "orderBy": "<string>",
  "orderDir": "asc",
  "days": 123,
  "startDate": "<string>",
  "endDate": "<string>",
  "caseIdOrSid": "<string>",
  "statuses": [
    "NEW"
  ],
  "verdict": "MALICIOUS",
  "assetId": "<string>",
  "assetType": "USER",
  "hideExcluded": true,
  "onlyChatOps": true,
  "onlyWasEscalated": true,
  "onlyWasContained": true,
  "hideDemoClients": true,
  "categoryClass": "ENDPOINT",
  "category": "OTHER__DIAGNOSTIC",
  "exclusionId": "<string>",
  "severity": "INFORMATIONAL",
  "integrationPlatform": "aws",
  "createdAt": {
    "gt": "<string>",
    "gte": "<string>",
    "lt": "<string>",
    "lte": "<string>"
  },
  "groupIds": [
    "<string>"
  ]
}
'
[
  {
    "categoryClass": "<string>",
    "displayName": "<string>",
    "count": 123,
    "totalCount": 123,
    "percentage": 123
  }
]

Documentation Index

Fetch the complete documentation index at: https://docs.wirespeed.co/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json
size
number
page
number
filter
string
search
string
orderBy
string
orderDir
enum<string>
Available options:
asc,
desc
days
number

Number of days for time-based filtering (1-365). Used by stats/widget endpoints to set the time window.

startDate
string

Start date (inclusive, ISO8601 string)

endDate
string

End date (inclusive, ISO8601 string)

caseIdOrSid
string

Filter by case ID or case SID

statuses
enum<string>[]

Filter detections by status

Available options:
NEW,
PROCESSING,
ESCALATED,
HUNTING,
MONITORING,
CHATOPS,
CLOSED
verdict
enum<string>

Filter detections by verdict

Available options:
MALICIOUS,
SUSPICIOUS,
BENIGN
assetId
string

Filter detections involving a specific asset

assetType
enum<string>

Filter detections by asset type involved

Available options:
USER,
PROCESS,
USER_AGENT,
FILE,
ENDPOINT,
LOCATION,
IP,
DOMAIN
hideExcluded
boolean

Hide detections that have been excluded

onlyChatOps
boolean

Only show detections that were escalated

onlyWasEscalated
boolean

Only show detections that were escalated

onlyWasContained
boolean

Only show detections that resulted in containment

hideDemoClients
boolean

Hide detections from demo client teams

categoryClass
enum<string>

Filter detections by category class

Available options:
ENDPOINT,
IDENTITY,
CLOUD,
EMAIL,
NETWORK,
DATA,
POSTURE,
OTHER
category
enum<string>

Filter detections by specific category

Available options:
OTHER__DIAGNOSTIC,
OTHER__INFORMATIONAL_EVENT,
OTHER__WARNING,
OTHER__UNKNOWN,
OTHER__DECEPTION,
OTHER__CUSTOM_DETECTION,
CLOUD__INVOCATION,
CLOUD__DISCOVERY,
CLOUD__DATA_TRANSFER,
CLOUD__PERSISTENCE,
ENDPOINT__DISCOVERY,
ENDPOINT__EXECUTION,
ENDPOINT__LIVE_OFF_THE_LAND,
ENDPOINT__NUISANCE,
ENDPOINT__MALWARE_DISCOVERY,
ENDPOINT__MALWARE_EXECUTION,
ENDPOINT__LATE_STAGE,
ENDPOINT__PERSISTENCE,
ENDPOINT__REMOTE_MANAGEMENT,
ENDPOINT__LATERAL_MOVEMENT,
ENDPOINT__IMPACT,
ENDPOINT__EVASION,
ENDPOINT__EXPLOITATION,
ENDPOINT__SIMULATION,
ENDPOINT__PLANNED_CHANGE,
IDENTITY__LOGIN,
IDENTITY__REJECTED_MFA,
IDENTITY__DISCOVERY,
IDENTITY__BRUTE_FORCE,
IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE,
IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE,
IDENTITY__PERSISTENCE,
IDENTITY__ACCOUNT_COMPROMISE,
IDENTITY__SIMULATION,
NETWORK__INBOUND_CONNECTION,
NETWORK__OUTBOUND_CONNECTION,
NETWORK__PHISHING,
NETWORK__NOISY,
NETWORK__DISCOVERY,
EMAIL__PHISHING,
EMAIL__PHISHING_REPORTED,
EMAIL__EVASION,
EMAIL__MALWARE,
EMAIL__MALICIOUS_LINK,
EMAIL__GRAYMAIL,
EMAIL__SPAM,
EMAIL__BUSINESS_EMAIL_COMPROMISE,
DATA__DATA_TRANSFER,
DATA__DATA_SHARE,
POSTURE__POSTURE,
POSTURE__HEALTH
exclusionId
string

Filter detections by exclusion rule ID

severity
enum<string>

Filter detections by severity

Available options:
INFORMATIONAL,
LOW,
MEDIUM,
HIGH,
CRITICAL
integrationPlatform
enum<string>

Filter detections by integration platform

Available options:
aws,
axonius,
bitwarden,
box,
checkpoint-firewall,
checkpoint-harmony,
cisco-catalyst,
cisco-duo,
cisco-meraki,
cisco-secure-access,
cisco-umbrella,
connectwise-psa,
crowdstrike-falcon,
darktrace,
email,
fortianalyzer,
fortinet,
generic-json,
generic-syslog,
google-alert-center,
google-directory,
google-security-center,
halcyon,
halo-itsm,
have-i-been-pwned,
horizon3,
hyas-protect,
ipinfo,
jamf-pro,
jamf-protect,
jira-cloud,
jira-data-center,
jumpcloud,
kandji,
manage-engine-ad-audit-plus,
microsoft,
microsoft-entra,
microsoft-teams,
microsoft-teams-v2,
mimecast,
odoo-helpdesk,
okta,
one-password,
orca-security,
palo-alto-networks-cortex,
picus,
ping-one,
reversing-labs,
safebreach,
sentinel-one,
service-now,
slack,
sms,
smtp,
sonic-wall,
stairwell,
thinkst-canary,
vectra,
watchguard-firebox,
windows-event-logs,
wirespeed,
wiz,
wordfence,
zscaler-zpa
createdAt
object

Filter by creation date

groupIds
string[]

Filter detections by group IDs (OR) — matches detections whose users or endpoints belong to any of the specified groups

Response

Returns detection counts grouped by category class

categoryClass
string
required

Category class identifier

displayName
string
required

Display name for the category class

count
number
required

Number of detections in this category class in the selected timeframe

totalCount
number
required

All-time number of detections in this category class

percentage
number
required

Percentage of total detections