Skip to main content
POST
/
detection
Search and list detections
curl --request POST \
  --url https://api.wirespeed.co/detection \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "size": 123,
  "page": 123,
  "filter": "<string>",
  "search": "<string>",
  "orderBy": "<string>",
  "orderDir": "asc",
  "caseIdOrSid": "<string>",
  "statuses": [
    "NEW"
  ],
  "verdict": "MALICIOUS",
  "assetId": "<string>",
  "assetType": "USER",
  "hideExcluded": true,
  "onlyChatOps": true,
  "onlyWasEscalated": true,
  "onlyWasContained": true,
  "hideDemoClients": true,
  "categoryClass": "ENDPOINT",
  "category": "OTHER__DIAGNOSTIC",
  "exclusionId": "<string>",
  "severity": "INFORMATIONAL",
  "integrationPlatform": "microsoft-teams",
  "createdAt": {
    "gt": "<string>",
    "gte": "<string>",
    "lt": "<string>",
    "lte": "<string>"
  }
}
'
{
  "data": [
    {
      "id": "<string>",
      "teamId": "<string>",
      "status": "NEW",
      "createdAt": "<string>",
      "containments": [
        "USER"
      ],
      "testMode": true,
      "sourceIngestedAt": "<string>",
      "sourceDetectedAt": "<string>",
      "logs": [
        {
          "log": "<string>",
          "timestamp": "<string>",
          "debug": true
        }
      ],
      "raw": {},
      "verdict": "MALICIOUS",
      "title": "<string>",
      "integrationPlatform": "microsoft-teams",
      "contained": true,
      "reingested": true,
      "prevented": true,
      "excludeFromMeans": true,
      "sid": "<string>",
      "firstRun": true,
      "containOnChatOpsFailure": true,
      "wasEscalated": true,
      "ocsfDetectionFinding": {},
      "category": "OTHER__DIAGNOSTIC",
      "chatOpsTest": true,
      "severity": "INFORMATIONAL",
      "severityOrdinal": 123,
      "containsVIP": true,
      "containsHVA": true,
      "excluded": true,
      "teamName": "<string>",
      "sourceDescription": "<string>",
      "notes": "<string>",
      "sourceName": "<string>",
      "description": "<string>",
      "caseId": "<string>",
      "verdictedAt": "<string>",
      "updatedAt": "<string>",
      "closedAt": "<string>",
      "integrationId": "<string>",
      "duplicateDetectionId": "<string>",
      "nextSteps": "<string>",
      "caseSid": "<string>",
      "actionSlug": "<string>",
      "exclusionId": "<string>",
      "exclusionSid": "<string>",
      "autoClosed": true,
      "autoContained": true,
      "verdictSetting": {
        "stage": "TRIAGE",
        "default": true,
        "managedByWspd": true,
        "category": "OTHER__DIAGNOSTIC",
        "wspdRule": "CLOUD__INVOCATION",
        "retired": true,
        "escalate": true,
        "chatOps": true,
        "close": true,
        "disabled": true,
        "containUser": true,
        "containEndpoint": true,
        "chatOpsMFA": true,
        "monitor": true,
        "managerChatOps": true,
        "vipChatOps": true,
        "chatOpsUnsureVerdict": "MALICIOUS",
        "description": "<string>",
        "severity": "INFORMATIONAL",
        "id": "<string>",
        "monitorFallbackPreset": "ESCALATE",
        "createdAt": "<string>",
        "updatedAt": "<string>",
        "teamId": "<string>",
        "chatOpsTimeoutVerdict": "MALICIOUS",
        "chatOpsTimeoutMonitor": true,
        "verdict": "MALICIOUS",
        "managedByParent": true,
        "useSourceSeverity": true
      },
      "chatOpsTestEmail": "<string>",
      "chatOpsTestPhoneNumber": "<string>",
      "customDetectionId": "<string>"
    }
  ],
  "totalCount": 123
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json
size
number
page
number
filter
string
search
string
orderBy
string
orderDir
enum<string>
Available options:
asc,
desc
caseIdOrSid
string

Filter by case ID or case SID

statuses
enum<string>[]

Filter detections by status

Available options:
NEW,
PROCESSING,
ESCALATED,
HUNTING,
MONITORING,
CHATOPS,
CLOSED
verdict
enum<string>

Filter detections by verdict

Available options:
MALICIOUS,
SUSPICIOUS,
BENIGN
assetId
string

Filter detections involving a specific asset

assetType
enum<string>

Filter detections by asset type involved

Available options:
USER,
PROCESS,
USER_AGENT,
FILE,
ENDPOINT,
LOCATION,
IP,
DOMAIN
hideExcluded
boolean

Hide detections that have been excluded

onlyChatOps
boolean

Only show detections that were escalated

onlyWasEscalated
boolean

Only show detections that were escalated

onlyWasContained
boolean

Only show detections that resulted in containment

hideDemoClients
boolean

Hide detections from demo client teams

categoryClass
enum<string>

Filter detections by category class

Available options:
ENDPOINT,
IDENTITY,
CLOUD,
EMAIL,
NETWORK,
DATA,
POSTURE,
OTHER
category
enum<string>

Filter detections by specific category

Available options:
OTHER__DIAGNOSTIC,
OTHER__INFORMATIONAL_EVENT,
OTHER__WARNING,
OTHER__UNKNOWN,
OTHER__DECEPTION,
OTHER__CUSTOM_DETECTION,
CLOUD__INVOCATION,
CLOUD__DISCOVERY,
CLOUD__DATA_TRANSFER,
CLOUD__PERSISTENCE,
ENDPOINT__DISCOVERY,
ENDPOINT__EXECUTION,
ENDPOINT__LIVE_OFF_THE_LAND,
ENDPOINT__NUISANCE,
ENDPOINT__MALWARE_DISCOVERY,
ENDPOINT__MALWARE_EXECUTION,
ENDPOINT__LATE_STAGE,
ENDPOINT__PERSISTENCE,
ENDPOINT__REMOTE_MANAGEMENT,
ENDPOINT__LATERAL_MOVEMENT,
ENDPOINT__IMPACT,
ENDPOINT__EVASION,
ENDPOINT__EXPLOITATION,
ENDPOINT__SIMULATION,
IDENTITY__LOGIN,
IDENTITY__REJECTED_MFA,
IDENTITY__DISCOVERY,
IDENTITY__BRUTE_FORCE,
IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE,
IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE,
IDENTITY__PERSISTENCE,
IDENTITY__ACCOUNT_COMPROMISE,
NETWORK__INBOUND_CONNECTION,
NETWORK__OUTBOUND_CONNECTION,
NETWORK__PHISHING,
NETWORK__NOISY,
EMAIL__PHISHING,
EMAIL__PHISHING_REPORTED,
EMAIL__EVASION,
EMAIL__MALWARE,
EMAIL__MALICIOUS_LINK,
EMAIL__GRAYMAIL,
EMAIL__SPAM,
EMAIL__BUSINESS_EMAIL_COMPROMISE,
DATA__DATA_TRANSFER,
DATA__DATA_SHARE,
POSTURE__POSTURE
exclusionId
string

Filter detections by exclusion rule ID

severity
enum<string>

Filter detections by severity

Available options:
INFORMATIONAL,
LOW,
MEDIUM,
HIGH,
CRITICAL
integrationPlatform
enum<string>

Filter detections by integration platform

Available options:
microsoft-teams,
google-alert-center,
reversing-labs,
jamf-protect,
jamf-pro,
thinkst-canary,
generic-json,
box,
hyas-protect,
checkpoint-harmony,
sms,
safebreach,
wirespeed,
vectra,
wiz,
microsoft,
ipinfo,
cisco-umbrella,
jira-data-center,
windows-event-logs,
crowdstrike-falcon,
cisco-duo,
cisco-meraki,
fortianalyzer,
jira-cloud,
microsoft-entra,
have-i-been-pwned,
manage-engine-ad-audit-plus,
google-directory,
mimecast,
okta,
sentinel-one,
slack,
aws,
kandji,
wordfence,
generic-syslog,
cisco-catalyst,
connectwise-psa,
email,
fortinet
createdAt
object

Filter by creation date

Response

data
object[]
required

Array of detection objects

totalCount
number
required

Total number of detections matching the query