PATCH /detection/{id}
Update detection details
curl --request PATCH \
  --url https://api.wirespeed.co/detection/{id} \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{
  "status": "NEW",
  "handledCorrectly": true,
  "verdict": "MALICIOUS",
  "notes": "<string>"
}'
{
  "id": "<string>",
  "teamId": "<string>",
  "teamName": "<string>",
  "sourceDescription": "<string>",
  "notes": "<string>",
  "sourceName": "<string>",
  "description": "<string>",
  "status": "NEW",
  "createdAt": "<string>",
  "containments": [
    "USER"
  ],
  "testMode": true,
  "caseId": "<string>",
  "sourceIngestedAt": "<string>",
  "sourceDetectedAt": "<string>",
  "verdictedAt": "<string>",
  "updatedAt": "<string>",
  "closedAt": "<string>",
  "logs": [
    {
      "log": "<string>",
      "timestamp": "<string>",
      "debug": true
    }
  ],
  "raw": {},
  "verdict": "MALICIOUS",
  "title": "<string>",
  "integrationPlatform": "microsoft-teams",
  "integrationId": "<string>",
  "duplicateDetectionId": "<string>",
  "contained": true,
  "nextSteps": "<string>",
  "reingested": true,
  "prevented": true,
  "excludeFromMeans": true,
  "caseSid": "<string>",
  "sid": "<string>",
  "firstRun": true,
  "containOnChatOpsFailure": true,
  "wasEscalated": true,
  "ocsfDetectionFinding": {},
  "actionSlug": "<string>",
  "exclusionId": "<string>",
  "exclusionSid": "<string>",
  "autoClosed": true,
  "autoContained": true,
  "category": "OTHER__DIAGNOSTIC",
  "verdictSetting": {
    "id": "<string>",
    "stage": "TRIAGE",
    "default": true,
    "managedByWspd": true,
    "category": "OTHER__DIAGNOSTIC",
    "wspdRule": "CLOUD__INVOCATION",
    "escalate": true,
    "chatOps": true,
    "close": true,
    "disabled": true,
    "containUser": true,
    "containEndpoint": true,
    "chatOpsMFA": true,
    "monitor": true,
    "managerChatOps": true,
    "vipChatOps": true,
    "createdAt": "<string>",
    "updatedAt": "<string>",
    "teamId": "<string>",
    "chatOpsTimeoutVerdict": "MALICIOUS",
    "chatOpsTimeoutMonitor": true,
    "chatOpsUnsureVerdict": "MALICIOUS",
    "verdict": "MALICIOUS",
    "description": "<string>",
    "managedByParent": true,
    "severity": "INFORMATIONAL",
    "useSourceSeverity": true
  },
  "chatOpsTest": true,
  "severity": "INFORMATIONAL",
  "severityOrdinal": 123,
  "containsVIP": true,
  "containsHVA": true,
  "excluded": true,
  "chatOpsTestEmail": "<string>",
  "chatOpsTestPhoneNumber": "<string>",
  "customDetectionId": "<string>"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

id
string
required

Detection identifier

Body

application/json
status
enum<string>

New status for the detection

Available options:
NEW,
PROCESSING,
ESCALATED,
HUNTING,
MONITORING,
CLOSED
handledCorrectly
boolean

Whether the detection was handled correctly

verdict
enum<string>

Verdict assigned to the detection

Available options:
MALICIOUS,
SUSPICIOUS,
BENIGN
notes
string | null

Notes or comments about the detection (max 100,000 characters)
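The body fields above are the full set a client can send, and every one of them is constrained (two enums, a boolean, and a nullable string with a 100,000-character cap). The script below is an added example, not Wirespeed's own client or SDK: it validates a PATCH body against exactly the constraints listed on this page before anything is sent, percent-encodes the path parameter so a caller-supplied id can only ever address one path segment, and distinguishes "leave notes unchanged" from "clear notes" (JSON null, which the `string | null` type allows). The base URL, path, field names and enum values are taken from this page; the `WIRESPEED_TOKEN` environment variable, the `<detection-id>` placeholder and the function names are assumptions made for the example.

```python
import json
import os
from urllib import request
from urllib.parse import quote

# Values copied from the endpoint reference on this page.
BASE_URL = "https://api.wirespeed.co"
STATUSES = frozenset({"NEW", "PROCESSING", "ESCALATED", "HUNTING", "MONITORING", "CLOSED"})
VERDICTS = frozenset({"MALICIOUS", "SUSPICIOUS", "BENIGN"})
NOTES_MAX_CHARS = 100_000

_UNSET = object()  # sentinel: "do not touch notes" versus notes=None ("clear notes", JSON null)


def build_patch_request(detection_id, token, status=None, handled_correctly=None,
                        verdict=None, notes=_UNSET):
    """Validate the update client-side and assemble the PATCH /detection/{id} request.

    Returns a dict with the method, URL, headers, the payload as a dict ("json")
    and as the encoded body ("body"). Raises ValueError for anything the endpoint
    documents as invalid, so a bad request never leaves the client.
    """
    if not isinstance(detection_id, str) or not detection_id:
        raise ValueError("detection_id must be a non-empty string")
    if not token:
        raise ValueError("a bearer token is required")

    payload = {}
    if status is not None:
        if status not in STATUSES:
            raise ValueError(f"status must be one of {sorted(STATUSES)}, got {status!r}")
        payload["status"] = status
    if handled_correctly is not None:
        if not isinstance(handled_correctly, bool):
            raise ValueError("handledCorrectly must be a boolean")
        payload["handledCorrectly"] = handled_correctly
    if verdict is not None:
        if verdict not in VERDICTS:
            raise ValueError(f"verdict must be one of {sorted(VERDICTS)}, got {verdict!r}")
        payload["verdict"] = verdict
    if notes is not _UNSET:
        if notes is not None:
            if not isinstance(notes, str):
                raise ValueError("notes must be a string or None")
            if len(notes) > NOTES_MAX_CHARS:
                raise ValueError(f"notes exceeds {NOTES_MAX_CHARS} characters")
        payload["notes"] = notes  # None serialises as JSON null and clears the notes
    if not payload:
        raise ValueError("nothing to update: supply at least one field")

    # Percent-encode the id (safe='' also encodes '/' and '?'), so the value can
    # only name a single path segment and never rewrites the rest of the URL.
    url = f"{BASE_URL}/detection/{quote(detection_id, safe='')}"
    return {
        "method": "PATCH",
        "url": url,
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        "json": payload,
        "body": json.dumps(payload),
    }


def send_patch(req, timeout=10):
    """Send a request built by build_patch_request and return the decoded JSON response."""
    http_req = request.Request(req["url"], data=req["body"].encode("utf-8"),
                               headers=req["headers"], method=req["method"])
    with request.urlopen(http_req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; the token comes from the environment so it is never hard-coded.
    req = build_patch_request(
        "<detection-id>",
        os.environ.get("WIRESPEED_TOKEN", "<token>"),
        status="CLOSED",
        verdict="BENIGN",
        handled_correctly=True,
        notes="Closed after analyst review.",
    )
    print(req["method"], req["url"])
    print(req["body"])
    # send_patch(req) would perform the call against the live endpoint.
```

Running the module only builds and prints the request; call `send_patch(req)` to perform it. Keeping validation in a function that returns the assembled request (rather than sending immediately) makes the client testable offline and lets an analyst log exactly what will be sent, minus the bearer token, before a detection's status or verdict is changed.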

Response

id
string
required

Unique identifier for the detection

teamId
string
required

ID of the team that owns this detection

status
enum<string>
required

Current status of the detection

Available options:
NEW,
PROCESSING,
ESCALATED,
HUNTING,
MONITORING,
CLOSED
createdAt
string
required

Timestamp when the detection was created

containments
enum<string>[]
required

Types of containment actions performed

testMode
boolean
required

Whether this detection is in test mode

sourceIngestedAt
string
required

Timestamp when the detection was ingested by Wirespeed

sourceDetectedAt
string
required

Timestamp when the detection was originally detected by source

logs
object[]
required

Chronological log entries for this detection

raw
object
required

Raw detection data from the source system

verdict
enum<string>
required

Final verdict assigned to the detection

Available options:
MALICIOUS,
SUSPICIOUS,
BENIGN
title
string
required

Display title for the detection

integrationPlatform
enum<string>
required

Source integration platform that generated this detection

Available options:
microsoft-teams,
google-alert-center,
reversing-labs,
jamf-protect,
jamf-pro,
thinkst-canary,
generic-json,
box,
hyas-protect,
checkpoint-harmony,
wirespeed,
wiz,
microsoft,
ipinfo,
cisco-umbrella,
jira-data-center,
windows-event-logs,
crowdstrike-falcon,
cisco-duo,
cisco-meraki,
fortianalyzer,
jira-cloud,
microsoft-entra,
have-i-been-pwned,
manage-engine-ad-audit-plus,
google-directory,
okta,
sentinel-one,
slack,
aws,
kandji,
wordfence,
generic-syslog,
cisco-catalyst,
connectwise-psa,
email,
fortinet
contained
boolean
required

Whether containment actions were performed on this detection

reingested
boolean
required

Whether this detection was reprocessed after initial ingestion

prevented
boolean
required

Whether the detected threat was successfully prevented

excludeFromMeans
boolean
required

Whether to exclude this detection from MTTR and other metrics calculations

sid
string
required

Short identifier for this detection

firstRun
boolean
required

Whether this is the first time this detection has been processed

containOnChatOpsFailure
boolean
required

Whether to automatically contain if ChatOps workflow fails

wasEscalated
boolean
required

Whether this detection was escalated to external systems

ocsfDetectionFinding
object
required

OCSF standardized detection finding data

category
enum<string>
required

Security category classification for this detection

Available options:
OTHER__DIAGNOSTIC,
OTHER__INFORMATIONAL_EVENT,
OTHER__WARNING,
OTHER__UNKNOWN,
OTHER__DECEPTION,
OTHER__CUSTOM_DETECTION,
CLOUD__INVOCATION,
CLOUD__DISCOVERY,
CLOUD__DATA_TRANSFER,
CLOUD__PERSISTENCE,
ENDPOINT__DISCOVERY,
ENDPOINT__EXECUTION,
ENDPOINT__LIVE_OFF_THE_LAND,
ENDPOINT__NUISANCE,
ENDPOINT__MALWARE_DISCOVERY,
ENDPOINT__MALWARE_EXECUTION,
ENDPOINT__LATE_STAGE,
ENDPOINT__PERSISTENCE,
ENDPOINT__REMOTE_MANAGEMENT,
ENDPOINT__LATERAL_MOVEMENT,
ENDPOINT__IMPACT,
ENDPOINT__EVASION,
IDENTITY__LOGIN,
IDENTITY__REJECTED_MFA,
IDENTITY__DISCOVERY,
IDENTITY__BRUTE_FORCE,
IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE,
IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE,
IDENTITY__PERSISTENCE,
IDENTITY__ACCOUNT_COMPROMISE,
NETWORK__INBOUND_CONNECTION,
NETWORK__OUTBOUND_CONNECTION,
NETWORK__PHISHING,
NETWORK__NOISY,
EMAIL__PHISHING,
EMAIL__PHISHING_REPORTED,
EMAIL__MALWARE,
EMAIL__MALICIOUS_LINK,
EMAIL__GRAYMAIL,
EMAIL__SPAM,
EMAIL__BUSINESS_EMAIL_COMPROMISE,
DATA__DATA_TRANSFER,
DATA__DATA_SHARE,
POSTURE__POSTURE
chatOpsTest
boolean
required

Whether this detection is part of a ChatOps test scenario

severity
enum<string>
required

Severity level of the detection

Available options:
INFORMATIONAL,
LOW,
MEDIUM,
HIGH,
CRITICAL
severityOrdinal
number
required

Numeric representation of severity for sorting purposes

containsVIP
boolean
required

Whether this detection involves VIP users

containsHVA
boolean
required

Whether this detection involves high-value assets

excluded
boolean
required

Whether this detection is excluded by an exclusion rule

teamName
string

Name of the team that owns this detection

sourceDescription
string

Description from the source system

notes
string

User-added notes about the detection

sourceName
string

Name of the source that generated this detection

description
string

Detailed description of the detection

caseId
string

ID of the case this detection belongs to

verdictedAt
string

Timestamp when the detection verdict was assigned

updatedAt
string

Timestamp when the detection was last updated

closedAt
string

Timestamp when the detection was closed

integrationId
string

ID of the integration instance that generated this detection

duplicateDetectionId
string

ID of the original detection if this is a duplicate

nextSteps
string

AI-generated recommended next steps for this detection

caseSid
string

Short identifier for the case this detection belongs to

actionSlug
string

Slug identifier for the action taken on this detection

exclusionId
string

ID of the exclusion rule that matches this detection

exclusionSid
string

Short identifier for the exclusion rule that matches this detection

autoClosed
boolean

Whether this detection was automatically contained by the system

autoContained
boolean
verdictSetting
object

Verdict rule configuration that was applied to this detection

chatOpsTestEmail
string

Email address for ChatOps testing notifications

chatOpsTestPhoneNumber
string

Phone number for ChatOps testing notifications

customDetectionId
string

ID of the custom detection that detected this detection