Stay up to date with the latest features, improvements, and fixes to the Wirespeed platform.Documentation Index
Fetch the complete documentation index at: https://docs.wirespeed.co/llms.txt
Use this file to discover all available pages before exploring further.
May 1, 2026
Features
- Settings reorganized into a tabbed layout: Account, Team Members, Your Profile, Notifications
- Detections and Cases page widgets now respect the page filters, not just the time selector
- System Log now has type, status, and date filters plus a per-entry detail view
- Users page swaps the static User Types pie for a data-driven Top Groups chart that syncs with the group filter
- Request an integration form added to the catalog: if you don’t find what you’re looking for, make a request
- First-time chat-ops setup now requires a confirmation step before sending messages
- ChatOps emails now come from no-reply so recipients can’t reply back into the thread
- Nav switcher search now finds teams under matching service provider rows
- Sibling-detection containment is attributed back to the originating detection in timelines instead of looking like a duplicate
- Group filter dropdown scrolls cleanly on tall lists
- Okta “end user reported suspicious activity” is now ingested as a detection and mapped to rejected MFA
- Jamf Protect detections use match metadata for the finding info and emit related users and processes as evidence
- LOTL AI timeline collapses to a single line with classification and confidence
ncat.exeadded to the tool catalog- Categorization updates across CrowdStrike, Defender for Office, Defender for Cloud, and SentinelOne
- Team Analytics is responsive on smaller screens
- Platform logo upload errors now name the size or format issue
- Detection user matching now checks alias emails on directory users
Apr 29, 2026
Features
- Heads up: if you use the legacy Microsoft Teams ChatOps integration, migrate to the new Microsoft Teams integration by May 31, 2026 or you’ll lose Teams ChatOps
- Group tags moved to the asset page header with inline add and remove
- Microsoft license tracking expanded to cover Microsoft 365 Business Standard and Apps for Business SKUs
- Picus simulation matching now correlates detections using relative paths, command filenames in staging directories, and cases with no agent IP
- Jamf Protect persistence tags now map to endpoint persistence
- SentinelOne STAR Office 365 DLP policy deletion now maps to data share
- CrowdStrike IDP unusual workstation network logon now maps to lateral movement
- CrowdStrike IDP protocol anomaly on valid accounts now maps to identity persistence
- Cortex “New FTP Server” is categorized as informational
- Jamf Protect categorization rules use a more reliable match field
- IP asset search no longer errors when searching URL-like or slash-containing values
- Custom attribute searches strip backslashes from keys
Apr 27, 2026
Features
- Search and group users or endpoints by any raw source attribute, with a visual query builder
- Microsoft license sync includes Office 365 licenses
- SentinelOne notes sync back to source alerts
- Check Point Harmony detections have cleaner, structured descriptions
- Google Security Command Center detections include better titles and deep links
- Jamf Protect detections highlight the blocked file, not the reporting process
- Benign shared files no longer create threat indicators
- SentinelOne D-Bus service alerts map to endpoint persistence
- Service provider integration pagination stays clickable during refreshes
- Integration log timestamps render in the right timezone
Apr 24, 2026
New Integrations
- WatchGuard Firebox integration added for syslog events
- Detections and cases can now be filtered by group
- Service provider clients can now be sorted by subscription
- CrowdStrike file deletion containment is now available
- Endpoint live status now uses vendor last-seen timestamps
- Suspicious verdict badges now show on open detection details
- WDC categorization rules updated across Okta, CrowdStrike, SentinelOne, and Microsoft
- External custom detection categorization now uses only accepted categories
- Live-off-the-land file risk now takes priority over remote management tooling
- TruffleHog is treated as discovery tooling instead of live-off-the-land
- File containment now requires ReversingLabs verification before contain or release
- SentinelOne verdict updates now only change verdicts when detections close
- Halo ITSM 401 errors now surface as critical authentication failures
- Webhook throttling and paused-queue checks now use in-memory caches for hot traffic
- Detection ingest does fewer duplicate team and integration lookups
- Group and group-rule deletion is faster
- Advanced event results no longer flash or rerun after streaming finishes
- Group filters now sync reliably and hide bulk actions until rows are selected
- Auto-containment is attributed to Wirespeed in case summaries and timelines
- Service provider users now lock when disabled in an operating team directory
Apr 23, 2026
Features
- Events search now supports 180-day and 365-day windows
- System logs now support richer audit-trail fields and metadata
- Check Point Harmony detection deep links now use the right tenant domain
- SentinelOne actions handle compact and dashed source IDs correctly
Apr 22, 2026
Features
- User-endpoint associations now support filtering
- Split data and count calculations across queries to improve application performance
- Okta AppInstance targets now map to the OCSF service field
- Picus detection simulation matching improved
- Verdict rules save reliably again
- Jamf Protect file names now derive from file paths when missing
- Improved integration-specific error handling
- Optimized ChatOps policy evaluation
Apr 20, 2026
Features
- OCSF query results now stream into the UI as they come back instead of waiting for the full result
- Manual detection status changes are respected even when the source alert closes
- Faster detection fetches — safe/known IP and location lookups moved to verdict time
- Team analytics copy updated to use “Resolved” wording
Apr 17, 2026
New Integrations
- Stairwell integration added for webhook-based detection events
- Identity login ChatOps messages now include the VPN service when detected
- Microsoft OAuth error page has a clearer CTA and shows more detail
- Custom detections now support
ingested_atfor accurate timeline ordering - Group rules can target by Integration Source ID
- Malware and late-stage verdicts now require ≥3 enrichment engines in consensus
- Consolidated endpoint file enrichment matches in the timeline
- Added timeline logging for the login no-user verdict rule
- Platform users are only locked when all linked directory accounts are disabled
- Jamf Pro sync reliability improved
Apr 16, 2026
Features
- Kandji endpoint containment now behaves consistently with JumpCloud
- Detection enrichment retries up to 3 times before giving up
- Peeker noise reduction excludes custom-only escalations
psexecremoved from the live-off-the-land list
- Email casing fixes across identity matching
- Reingested escalations no longer lose state
- Containment no longer logs results on already-resolved detections and cases
maxAutoContainmentsPerDayof 0 now correctly means “disabled”- Ticket updates skip detections with no case ID
Apr 15, 2026
Features
- Detection page limits default displayed assets and related detections — pages load faster
- Chat Ops verdict rules enable all sub-options by default
- AI bot prompt, tooling, and documentation improvements
- Dark mode rendering fixes for IP addresses
- Subscription expiry calculation fixed
- Detection close is deferred when containment is still pending
- Detection refresh skipped when the integration is disabled
- Demo switch validation clears correctly when toggled
Apr 14, 2026
Features
- AI → human chat handoff improvements
- Google Security Center initial mappings (also closes cloud data transfer category)
- Darktrace CrowdStrike
device_nameextracted as hostname - NetSupport Manager (
pcicl32.dll) and ZA_Connect.exe added to the tool catalog - Falcon mapping tweak
- Halo ITSM token scopes are now validated
/casesreturns 404 for invalid IDs instead of hitting the database- Exclusion Slack value formatting normalized
Apr 13, 2026
New Integrations
- Google Security Center integration for Cloud Security Command Center findings
- “Close” verdict language renamed to “Resolve” across the app
- VIP styling and group badges now shown on user hover cards
- AI chat mobile improvements: keyboard viewport, links, and chips
- Server-side custom-field validation
- Verdict tuning for MFA rejected and lateral movement alerts
- SentinelOne alert mapper updated
- Cortex gains a category group for third-party CPH detections
- AWS user email extraction fix
- Split-email matching restored for group rule email automation
- Okta cursor is preserved when requests fail
- JumpCloud docs now show up in the integrations list
- Email malware handling fixes
- Silenced a noisy Picus error
Apr 11, 2026
- Wordfence integration now exposes its webhook secret for setup
- Integration refreshes no longer error on expected integration exceptions
Apr 10, 2026
New Integrations
- JumpCloud integration for directory events, user/endpoint sync, and containment
- Severity filter added to cases and detections
- Containment failure reasons now surface in timeline logs with the integration’s logo
- Email phishing default verdict changed to auto-close
- Low-confidence verdict handling added for email phishing (informational through medium)
- AWS GuardDuty detections now extract user email from PrincipalId
Apr 9, 2026
New Integrations
- Picus Security integration for attack simulation validation
- Detection refresh syncs verdict and status from SentinelOne & Microsoft
- Microsoft integration supports custom user directory fields
- Various improvements to improve accuracy of AI bot
- Palo Alto Networks Cortex is out of beta
- SSO-only users now get a database profile created automatically
- Email evasion categorization for Microsoft XDR
- Live-off-the-land mapping now covers processes, not just files
- Malicious verdict set for escalated malware and identity contain/escalate rules
- Low-severity cloud verdict rules for informational and low findings
- Noise reduction metrics exclude low/info severity escalations
- Escalated AQL batch restricted to medium+ severities
- Microsoft Tor alerts mapped to network categories
- “Posture - Health” category renamed to “Health”
- Identity/Login no-user fallback rule added
- Warning escalation and AQL recategorization tuned
- 20+ new categorization rules across integrations
- Fewer false “unhealthy” integration alerts from transient polling failures
- Events count no longer shows NaN in Team Analytics
- AI chat handles responses with multiple code blocks correctly
- AI chat queries now time out instead of hanging on large data sets
Apr 7, 2026
Features
- Team Analytics page with time-series charts and breakdowns by category, integration, and group
- The AI chat bot can filter by time for cases and detections
- New “Was Monitored” filter on the cases list
- Compressed timeline UI fits more entries on screen
- Searchable, grouped-by-class category dropdown on the Detections page
- Timestamps are now DST-aware with richer hover details
- ChatOps responses now show responder IP and user agent in the timeline
- Integration name shown in permission-error timeline logs
- “Detection added” timeline events use actual discovery time, not system time
- Containment history detection SIDs are now clickable links
- Session revocation and file quarantine skip the 15-minute containment cooldown
- External rules import button becomes “Update” for already-imported rules
- SonicWall device auth events mapped to OCSF Authentication
- SentinelOne unified alerts get Microsoft prevented parity for quarantine/removed-after-delivery
- SentinelOne file path extraction from command-line arguments
- SentinelOne lateral movement matching fixed for dynamic alert name prefixes
- Mailbox-rule monitors now revoke sessions by default
- Live-off-the-land file risk no longer overrides discovery/persistence categories
- Identity login low-confidence rule adjusted to informational
- Endpoint lateral movement low-confidence rule now includes medium severity
- 30+ new categorization rules across integrations
Apr 1, 2026
New Integrations
- PingOne identity integration added for audit activities and risk evaluations (beta)
- Axonius endpoint integration added for asset inventory
- Containment is now fine grained, allowing you to select the exact actions you want to perform
- New containment options: File quarantining and unquarantining
- Brand new onboarding checklist walks new teams through setup steps
- AI chat is now full-page on mobile with scroll lock and safe-area support
- “Chat” button now opens Ask Wirespeed first, with a link to human support
- Timeline timestamps now show seconds
- Endpoints table supports searching by EDR/MDM ID
- Endpoints and users support custom attribute filtering from Axonius
- AiTM detection timelines now link directly to the suspicious events
- Integration page filters can now be reset
- Apple Private Relay and Zscaler trusted proxy IPs are now synced and used in login verdicts
- Imported external rules now match incoming detections automatically
- Login detections get a dedicated low-confidence verdict rule
- Defender for Identity credential-access alerts mapped to identity login
- SentinelOne enumeration alerts mapped to endpoint discovery
- Cortex XDR domain extraction expanded to firewall miscellaneous fields
- Sign-in logs now preferred over UAL for authentication lookups
- Simulation detections can now recategorize on trusted mappings
- Our API has been rewritten in Rust…April Fools!
Mar 29, 2026
Features
- CSV export for Events — available in both Basic and Advanced search
- AI chatbot can now refresh endpoint and user details live from the source integration
- Case activity timeline shows exact timestamps by default (relative time on hover)
- Reopened detections create a case and esclate
- Inherited exclusions show properly in hover cards and entity chips
- Reopened detections create a case and escalate
- Zscaler ZPA authentication events now mapped to OCSF
- Cortex alerts extract and dedupe domains from raw alert fields
- SocGholish and command-and-control late-stage mappings added
- Google One VPN recognized in trusted relay hunt
- Containment blocked by policy now escalates instead of closing
- CrowdStrike credential-access tactic mapped to identity category
- IP detail breadcrumbs show the actual IP instead of a UUID
- Fixed detection summary contradicting chat ops timeline
- Onboarding logo stays visible across slide transitions
- Source Details hidden on user detail page when empty
Mar 21, 2026
Features
- Child teams now see inherited provider exclusions with a read-only “Inherited” badge
- Entra custom security attribute syncing
- Events queries now show result count and execution stats
- Service provider members can no longer be removed or demoted by child team members
- System log now records admin credential resets
- Cisco Umbrella now ingests audit logs alongside DNS logs
- Cortex action process fields mapped to process evidence
- Microsoft “connection to remote” alerts mapped to outbound connections
- SentinelOne Impact custom rules mapped to endpoint impact
- Palo Alto Cortex credential access mapped to private credential exposure
- CrowdStrike ignored detections now correctly set to suppressed status
- Fixed SentinelOne unified-alert indicator file extraction
- Fixed EntityChip text overflow
- Fixed Cortex causality actor SHA256 file evidence mapping
Mar 20, 2026
Features
- Groups — source system updates: Under Advanced Options when editing a group (above Group Rules), Update Source System is on by default. Turn it off to stop pushing verdict, status, notes, and comments back to the integration for detections involving assets in that group. Learn more
- Microsoft Defender for Cloud Apps alerts now ingested and categorized
- Closure comments to source systems now include a resolution reason (exclusion name, automation rule, etc.)
- AI case summaries now highlight automated containment actions
- Exclusions can now suppress source system status changes
- Entity chip hover cards redesigned
- Comment box now shows “Ask Wirespeed” support link
- OAuth error “View Documentation” button moved into the error details box for visibility
- “Back To Service Provider” link hidden for users without parent team access
- Microsoft mailbox forwarding rule creation now categorized
- SentinelOne admin remediation alerts mapped to informational
- Cortex domain-qualified usernames normalized for user extraction
- Cortex persistence remapped
- CrowdStrike
policy_disablednow respected when determining blocked detections - “Authentication Methods Changed for Privileged Account” remapped to Identity > Persistence
- Fixed verdict not forwarding to source integration on detection close
- Fixed events page URLs generated by AI chatbot
- AI case summaries no longer include hallucinated asset links
- Okta error messages now surface instead of “Unknown error”
- Fixed hover card crashes on invalid entity references
- Fixed endpoint table OS filter mapping
- Fixed MSP Clients table sorting
Mar 17, 2026
Features
- Comments & Timelines: Cases and detections now use a unified timeline where you can add, edit, and delete comments, attach images (drag-and-drop or paste), and review system activity alongside discussion
- Custom Groups: Create your own user or endpoint groups with per-group Chat Ops and Containment controls. Learn more
- Case details card updated with new layout and consistent MTTV/MTTD/MTTC thresholds across case and home dashboards
- AI chatbot now renders markdown tables with horizontal scrolling in chat responses
- System log now records group modification events
- Team settings members table now shows phone numbers
Mar 13, 2026
Features
- Integrations now receive richer closure comments when cases or detections are closed — verdict, summary, actor, MTTV, and details link
- Webhook-only integrations (Wiz, Darktrace, Wordfence): webhook modal auto-opens on first connect with “View setup instructions” link
- IP details page now shows Related Users based on private IP address associations
- Cortex XDR: enriched detection context with process fields, hardware ID, and causality actor — reduces over-escalation
- Palo Alto Cortex: Rare RDP session remapped to Lateral Movement, Uncommon SSH session to Outbound Connection
- Suspicious Kerberos authentication remapped to Lateral Movement
- SentinelOne: late stage lateral movement categorization additions
- CrowdStrike: user threatgraph metadata fetched in detection enrichment
- Okta: actor extraction from authentication logs
- CIR custom detections: detections starting with [CIR] categorized as custom
- Microsoft: improved license selection
- Tightened categorization group filters to prevent wrong rule matches
- AI summary now uses “related detection” instead of “threat indicator”
- Password reset errors now surface to users instead of failing silently
- Fixed team switching
- Fixed OFAC evaluation
Mar 12, 2026
New & Updated Integrations
- New ServiceNow Change Requests collaboration integration (beta). Checks recent change requests during endpoint triage and automatically recategorizes detections tied to planned changes, reducing noise from authorized admin activity
- New Zscaler ZPA (Syslog) network integration. Forward ZPA logs to Wirespeed via syslog with dedicated branding and attribution in the integrations catalog
- AI chatbot is now generally available
- IP detail page reorders sections for private IPs — Related Endpoints and Related Users are promoted above Cases and Detections
- “Add Integration” buttons are now hidden for non-admin users
- Microsoft UAL
UserLoggedInandUserLoginFailedevents now mapped as OCSF Authentication with full enrichment matching sign-in logs - Defender XDR: map “Suspicious PowerShell-driven file creation and deletion” alerts to Endpoint Evasion
- CrowdStrike
SuspiciousPrivEscremapped from Live Off The Land to Endpoint Persistence - CrowdStrike asset extraction now checks both target endpoint and domain controller hostnames
- Palo Alto Cortex XDR detections now show associated users in the asset list
- Orca Security detections now prefer
DetailsoverDescriptionfor source description, fixing empty narratives - AI summary no longer incorrectly classifies non-managed users (root, cron, service accounts) as technical/non-technical
- SafeBreach simulation matching improved with multi-node evaluation, run deduplication, and IP extraction from OCSF evidences
- Fixed team settings inbox input dark mode styling
- Fixed Halcyon integration fetching when no tenant ID is present
- Fixed user deletion failing when user had created custom detections
Mar 05, 2026
Features
- Integrations now track license usage and display a summary on the integration’s details page
- Containment settings show a posture summary banner with status and quick links to Identity/Endpoint sections
- Containment banner contrast improved in dark mode
- Fixed LOTL masquerade reasoning for endpoint detections when file names include full paths
- Restored contain user/endpoint actions for non-technical LOTL scenarios
- Fixed escalation emails not saving in the team settings form
- Fixed service provider csv exports
Feb 27, 2026
New & Updated Integrations
- New Halcyon anti-ransomware endpoint integration. Import alerts and manage endpoints from Halcyon, with detection enrichment, artifact extraction, and OCSF-mapped evidence for ransomware-related threats
- New Halo ITSM ticketing integration (beta). Create and sync incident tickets bi-directionally — cases and detections in Wirespeed automatically create Halo tickets, and status changes sync back via webhook. Supports configurable ticket categories, teams, and custom fields
- New Horizon3 NodeZero simuliation integration. Validates detections against active pentest/simulation activity — correlates escalated detections with Horizon3 ops to reduce noise from authorized security testing
- Updated Cisco Duo now supports user syncing and containment: disable and re-enable users in Duo directly from Wirespeed when containing or uncontaining identities.
- Calendar date picker now has year and month dropdown selectors for faster navigation
- SentinelOne now ingests unified alerts for broader detection coverage and richer enrichment data
- Linux endpoint detections are now automatically recategorized to Live Off The Land (LOTL) when all associated endpoints are Linux
- Removed noisy RMM detections from Darktrace
- CrowdStrike file matching now checks
OriginalFilenamefrom version info for more accurate file risk classification - Fixed null host grouping incorrectly clustering unrelated detections
- Fixed private credential exposure classification for theft-of-passwords detections
- External users are now excluded from ChatOps notifications
- Fixed button overlap on ChatOps settings page
- Fixed “Learn More” animation in Manage Exclusions
- Fixed FortiAnalyzer syslog ingestion
Feb 25, 2026
Features
- Service provider dashboard now displays a stacked bar chart for Cases by Client, breaking down case counts by severity (Critical, High, and Other) with tooltips and period filtering for 7, 30, 90, and 365-day windows
- New “External” user category automatically identifies third-party contractors, vendors, and external guests in your directory. External users can also be tagged manually from the user detail page or directory table actions menu
- Have I Been Pwned (HIBP) detections now automatically match to existing open or escalated cases by integration and category, reducing duplicate case creation for ongoing breach monitoring
- New verdict rule automatically closes VPN login alerts for external users — contractors and guests typically authenticate from uncontrolled locations, and this rule reduces noise from expected behavior
- Improved user identity correlation with bidirectional username-to-email matching — when only a username or email is available, Wirespeed now resolves the corresponding identity from your directory for more accurate alert attribution
Feb 24, 2026
UI/UX Improvements
- Team Analytics page now loads progressively — each section renders independently with skeleton loading for a significantly faster experience
- Integrations browse page now shows available integrations first when no filters are active, making it easier to find and add new integrations
- Home dashboard metric thresholds now match the Cases dashboard for consistent performance color-coding
- Navigation sidebar on mobile now properly closes when navigating to a new page
- Login hunts now close detections when failed logins are identified, reducing noise from unsuccessful authentication attempts
- Microsoft risk dismissals are no longer automatically trusted — Wirespeed continues its own independent analysis for more thorough threat detection
- Fixed RMM verdict rule incorrectly classifying detections with no associated files as admin-installed tools
- Fixed containment alerts incorrectly firing during cooldown periods or duplicate containment attempts
- Fixed team analytics statistics endpoint returning incorrect data
Feb 22, 2026
Features
- Test Mode is now indicated by a prominent full-width banner with an inline toggle to disable it directly, replacing the previous header pill
- Okta
threatSuspectedevents are now ingested and classified as login detections, expanding identity threat visibility for suspicious authentication activity - Monitors now correctly respect disabled verdict rules, ensuring your customized verdict configurations are honored during automated analysis
- Detections page loads significantly faster — results render immediately while total counts load in the background
- Added 1-day and 7-day timeframe options to Cases and Detections dropdowns for more granular filtering
- Password fields on login and registration pages now include a show/hide toggle for easier input verification
- Endpoint details page now displays the integration platform source
- Updated MTTV thresholds on the Cases dashboard for more accurate performance color-coding (green < 3 min, yellow 3–10 min, red > 10 min)
- Updated registration page with revised Terms of Service and Privacy Policy language
- Expanded detection categorization mappings with new low-confidence triage rules across network, lateral movement, discovery, and custom detection categories
- CrowdStrike detections tagged as “ignored” are now automatically closed as benign
- System log now shows the specific reason when a user is locked due to being disabled in a linked integration
- Fixed “Was Contained” filter on Cases and Detections to include both manually and automatically contained items
- Fixed stale case auto-close logic incorrectly closing new detections when creating replacement cases
- Fixed bulk close ChatOps filter not properly filtering by detection criteria
Feb 19, 2026
Features
- Stale cases older than 5 days are now automatically closed and replaced with a new case when a fresh detection arrives, keeping case queues current and reducing analyst fatigue from outdated investigations
- New lateral movement verdict rule automatically closes detections with low or informational source severity, reducing noise from benign lateral movement events
- New Network Discovery verdict category under Network automatically closes routine network discovery activity as benign, reducing noise from expected scanning behavior
- Trial teams now see a persistent banner displaying remaining trial days with a direct “Upgrade Now” link
- Hovering over automated user tags (e.g., VIP, NHI) now displays a tooltip showing the automation rule and matching pattern that applied the tag
- Integrations are now organized into refined categories — Endpoint, Identity, Network, Cloud, SaaS, Email, and Remote Access — for easier browsing and clearer subscription entitlement mapping
- Noise reduction statistics now display with proper decimal rounding for more accurate reporting
Feb 18, 2026
Features
- Service provider clients page redesigned with a stats panel showing aggregated metrics and advanced filtering by containment status, HVA/VIP flags, demo/test mode, and escalation email source
- Custom detection test queries now support configurable timeframes (1, 7, 14, 30, or 90 days) for more flexible backtesting
- Added “Copy link” button on the Events page to share direct URLs to the current query, including search filters and team context
- Improved verdict time accuracy by measuring actual processing duration rather than queue time
- Navigation counts between 1M and 10M now display one decimal place (e.g., “2.7m” instead of “3m”) and pagination totals are comma-formatted
- Integration custom fields can now be edited directly from the connected integrations list
- New entity chips in detection descriptions for users, endpoints, and integrations with inline logos
- Fixed Events page search not persisting in URL when switching between basic and advanced query modes
- Fixed duplicate verdict categories and misaligned search on the Verdicts settings page
- Improved CrowdStrike detection enrichment with better file path extraction and macro file hash support
- New Darktrace detection category mappings
- New Orca Security detection category mappings
- Mimecast blocked URL events now correctly categorized as blocked actions
- Improved AITM session hunt accuracy by grouping authentication events by session ID
- Fixed VIP title matching to prevent false positives (e.g., “Onboarding Coordinator” no longer incorrectly tagged as a board member VIP)
- Fixed boolean and JSON custom fields not saving correctly in the integration update form
Feb 13, 2026
Integrations
- New Custom SMTP integration allows customers to use their own SMTP server for ChatOps notification emails
- Improved email directionality tagging across Vectra, Google, Mimecast, and Checkpoint Harmony integrations
- Subscription tier system (Identity, Core, Unlimited) to manage integration entitlements per account
- Service provider clients page now displays team member counts per client
- ChatOps messages are now suppressed for actively contained users
- File path risk assessment for living-off-the-land binary detection
- New verdict rules for low-severity outbound network connections and VIP phishing scenarios
- Significantly improved Endpoints page performance for large datasets with optimized queries and debounced search
- Added Endpoints by Source card to the endpoints dashboard with source filtering
- Consolidated duplicate integration sources in endpoint and user stats
- Shortened number formatting in Users and Endpoint stats panels (e.g., 1.3M)
- Improved OAuth integration connection pages with clearer success and error states
- Fixed bulk case closure not properly updating detection status
- Fixed CrowdStrike IOC domain detections being miscategorized as Endpoint Execution
- Fixed integration enable/disable toggle not working correctly
- Fixed double scrollbar on Endpoints and Users list views
- Fixed filter dropdowns closing on first checkbox selection
- Fixed containment modal text clipping for long names
Feb 10, 2026
Integrations
- Palo Alto Networks Cortex integration added for importing alerts and managing endpoints from Cortex XDR/XSIAM
- Cisco Secure Access integration added for log ingestion
- Cases can refresh the notes and logs from CrowdStrike Falcon alerts
- Improved SentinelOne endpoint sync with UUID support
- User and endpoint tables now support billable filter for service provider billing
- SMS ChatOps invite reset allows admins to resend enrollment emails to users who previously reached max attempts
- System log now has Security Events Only filter for quick filtering of security-related events
- Integration logs view now supports pagination for better performance with large datasets
- Users page redesigned with stats panel, type filters, and source filtering
- Endpoints can now be tagged automatically as Domain Controllers
- Account activity emails will alert you when an integration needs your attention
- Enhanced file risk assessment in email detections to improve accuracy of malware identification
- User detail page now shows integration source and icon
- User first and last names are now optional in profile and registration
- Redesigned case detail page header for clearer case context
- Tagging rules and custom detection modals now use slide-over sheets
- Integration connect flow supports collapsible Advanced Options for optional configuration fields
- Added clear button to users and endpoints More Filter dropdown
Feb 4, 2026
UI/UX Improvements
- Endpoint dashboard now shows OS distribution chart, live/contained stats, and redesigned search filters
- Containment dialog now shows live loading status when refreshing asset states
- Integration detail pages with creation date, status badge, event stats, log level legend
- Enhanced integrations browse page with connection status filter and clearer styling for connected integrations
- Authentication locations now display region/state for more precise location context
- Removed duplicate header on Team Analytics page
- Fixed bug preventing team settings from saving when support email was not configured
- Optimized tagging of unmanaged users
- CrowdStrike detections now extract IPv4/IPv6 IOCs as IP address observables
- In CrowdStrike true/false positives tags are now applied when the case is updated in Wirespeed
- New and improved detection categorizations for persistence and other techniques
- Domain Takeout alerts from Google Alert Center now properly categorized
- Improved endpoint name matching to handle special characters
Jan 29, 2026
Integrations
- Bitwarden integration added for organization event logs
- Check Point Firewall and SonicWall added as first class firewall log ingestion integrations
- Improved email detection analysis with sender/receiver direction tracking
- Streamlined custom detection creation flow so you can build and save detections in one place
- Redesigned Integrations page with category filtering, grid/list views, and improved connect modal
- New hierarchical navigation and breadcrumbs for Verdict settings
- Fixed Events table empty state alignment
Jan 27, 2026
Features
- Successful brute force detections are now categorized as Login events
- Optimized how we track progress on Events queries
- API keys pages now use table layout with clearer empty states
Jan 26, 2026
Features
- Notification frequency can now be managed from the Profile page
- User tagging rules now support regex matching
- Updated theme switcher to make dark mode toggle more prominent
Jan 23, 2026
Platform
- Upgraded to the Bun 1.3.6 runtime
- 1Password integration added for audit events, item usages, and sign-in attempts monitoring
- Orca Security integration added for cloud security alerts
- Simplified JAMF Pro integration setup - you can now paste the JSON configuration directly
- Integration enable/disable actions are now logged to the system audit log
- Bulk Actions! Close multiple cases at once from the Cases table
- Generic syslog and JSON integrations support custom labels for easy identification
- Team API keys can be created independently of user accounts
- Redesigned profile page with organized sections for user details, notification settings, and API keys
- Users can now edit their profile information including name, phone number, and timezone
- Improved containment dialog with better asset selection and clearer actions
- New verdict configuration UI with tree navigation and search to easily find and configure rules
- Added ability to review and apply secure defaults across all verdict categories at once
- Clearer timeline messages when searching for related authentication events
- Service providers: Demo clients are now hidden by default in cases/detections tables
Jan 15, 2026
UI/UX Improvements
- Added OS search filter to endpoints table for easier endpoint filtering by operating system
- Improved containment UI in detection pages with better button and panel layout
- Enhanced dark mode contrast for toggles, selects, inputs, and text fields for better visibility
- Updated filter button to visually show applied filters with a clear button for easier filter management
- Improved mobile UX for action panels with better alignment and responsiveness
- Updated input component styling for consistency across the application
- Updated documentation tooltips for better user guidance
- Added
countIffunction for Events queries
- Updated Microsoft IDP categorization rules
- Optimized user automations to reduce false positives and incorrect tagging
- Fixed incorrect calculation of Mean Time To Respond (MTTR) and Mean Time To Detect (MTTD) metrics in team statistics
Jan 12, 2026
- Added Team API Keys allowing admins to create service account API keys for programmatic access at the team level
Jan 9, 2026
UI/UX Improvements
- Added secure defaults preview dialog allowing you to review and selectively apply recommended security settings before changes are made
- Added category filter to exclusion backtesting to test against specific detection categories
- Improved automation UX with tabbed interface, renamed “Automations” to “Tagging Rules”, and added live preview when creating rules
- Updated navigation hierarchy and removed onboarding link for cleaner navigation
- Added empty states to tables and widgets across the application for better user guidance
- Improved events table with advanced vs basic layout options and fixed dropdown menu behavior
- Fixed case search UI disappearing when filters return no results
- Removed warning screen when switching teams for a smoother team switching experience
- Added white-labeling the platform name to case logs
- Enhanced SafeBreach integration to handle detections with multiple IP addresses
- CrowdStrike domain controllers are now automatically tagged as Highly Valued Assets (HVA)
- Unmapped SentinelOne high-severity detections now escalate properly
- Improved primary file IOC detection to better highlight the actual threat indicator in detection summaries
- Added Impacket, SecretsDump, and GoToResolve to the tool catalog
- Fixed Python tool detection to avoid false positives with malware names
- Phishing connections from mobile devices are now automatically closed
- Some detections are now mapped to informational events to reduce noise
- Service providers can no longer add integrations (integrations only work at client tenant level)
Jan 7, 2026
- Added ability to skip onboarding for faster team setup
- Service providers can now opt out of subscribing to notifications when creating a team
- Improved UI layout for custom detections and exclusions pages with action buttons now at the top right
- Improved detection categorizations for evasion and discovery alerts
Dec 31, 2025
- Fixed bug where team inbox escalation emails were incorrectly updated when switching teams.
Dec 27, 2025
- Added support for multiple team inboxes, allowing teams to configure and manage multiple email inboxes for case notifications
- Improved search UX with a new clearable input component across the application
- Added light and dark mode logos for Okta and AWS integrations
- Improved UI performance for the sidebar, users page, and endpoints page
- Enhanced SentinelOne STAR alert processing with better user and device extraction
- Fixed bug where automation tag rules failed to tag users correctly
- Improved OAuth JWT security with token expiration and versioning
Dec 18, 2025
- SafeBreach integration added so that detections can be correlated to both actively running or past simulations
- Added support for SentinelOne STAR alerts
- Upgraded the Azure blog SDK used for syncing Entra sign-in logs
- Improved JWT usage when adding integrations
Dec 11, 2025
- Enhanced status transition handling for cases and detections to prevent race conditions
- Added new RMM tools to our catalog
- Improved Crowdstrike categorizations
- Updated how productivity events are tagged to improve query performance
- Jira comments are now marked as private when created in Jira Service Desk context
Dec 4, 2025
- Added a Chat Ops status so that you can easily view cases and detections actively awaiting user feedback
- More details about chat ops and containments have been added to the timeline and summary views
- Improved Activity Summary emails, offering a more concise view of your env health and what requires your attention
- A new dedicated Activity Summary email for Service Providers to give them a view of all clients
- Events and WEL queries now support regex matching
- Fixed bug where endpoints that failed to lookup would overwrite existing endpoint data
- Fixed SentinelOne URL link issue
- Improved performance for ingestion of historic detections
- Improved search endpoint performance
- Added new items to our RMM tool catalog
Nov 5, 2025
- Initial support for Gmail subscriptions
- Case and Detection tables now have the ability to filter by Integration
- Crowdstrike Falcon Cloud Security is now parsed and ingested. No need to update your existing integration, it will begin to pull if present.
- Added a new configuration in Verdicts where you can stipulate what to do if a monitor cannot run (for example if there is not enough data for the monitor, then escalate!)
- New category mappings for Defender’s suppressed and discovery events
- Endpoint Exploitation added as a new category
- Jamf Protect integration now logs when your token is expired
- Improved extraction of parent process files
Nov 3, 2025
- AI verdicts for live off the land executions are now shown in the detection timeline
- Thinkst Canary console settings now map to informational event
- Simplified table filters, all filters can now be found at the right-hand side of the search bar
Oct 28, 2025
- Improved Case and Impact UI on mobile devices
- Exclusion creations, edits, and deletions are now tracked in the system log
- Increased the amount of data extracted from Jamf Protect detections
- Chat Ops tests are now easier with typeahead user searching
- Various SMS chatops improvements
- Fixed how we extract command line arguments for SentinelOne
- Remapped how we handle Entra Connect tampering
- Fixed a bug in manager chatops verdicts
- Added average MTTV, MTTD, and MTTR to cases
Oct 24, 2025
- 🍞 Upgraded to the Bun 1.3 runtime
- Improved background job processing for added resiliency during long-running jobs
- Added non-interactive sessions in Microsoft sign-in logs
- Verdict rules can now insert a friendly explanation into your timeline
- Added new categories for private credential exposure for VIPs, evasive activities in email, and more
Oct 22, 2025
- SMS chat ops is now available! Learn more here
- Mimecast integration added
- AI analysis for some live off the land executions is now live
- Automated impact identification is now in beta testing, Wirespeed will identify all activities performed by a user after suspicious activity is alerted on.
- Fixed API bug when attempting to enable LOTL endpoint auto containment
- Directory/Endpoint tag automations are now logged to the system log
- Case reopening is now added to the case timeline
Oct 10, 2025
- Improved next steps granularity when containment is partially successful
- Added detection from 3 new RMM tools
- Add 200 new detection mappings for Vectra integrations
- CSV exports are now available on the cases and detections pages. Exports have a limit of 100k rows.
- Bug fix for billable user counts on the Clients page for service providers
Oct 8, 2025
- Improved retry handling for ticket creation in external systems
- Cases with >24 hours of delay from the source are now closed automatically
- Benign chat ops responses are now saved as exclusions
- Refactored login verdict handling to remove low confidence verdict rules
- New experimental AI analysis for live off the land executions is now being run in read-only mode
- Verdict is now available in the Case details view
- Reduced false positives for suspicious email identification after a suspicious login
- Team, Case, and User deletion bug fixes
- Service Providers can now whitelabel the following:
- Email “from” name
- Email reply-to address
- In-product support button email address
- Email signature and footer address
- Historic Cases can now be reopened for further inspection
Sep 29, 2025
- Increased webhook durability
- Enhanced file grouping
- Optimized memorary usage on detection consumption
- Improved JSON parsing date parsing
- Enhanced OAuth client credential grant handling
- Fixed monitor logic for better accuracy
- Improved duplicate detection lookups
- Updated bun version
Sep 25, 2025
- Vectra integration is now available!
- Enhanced NATS consumer durability
- Prevented chat ops when a monitor is already active
- Enhanced chat ops to avoid notifying users who have timed out recently
- Improved HVA value handling to not override manually set values during endpoint syncing
- Optimized malware algorithms
- Added categorizations for Falcon Cloud Security
- Allowed VIP chat ops during testing
Sep 17, 2025
- Improved AITM behavior detection
- Improved unicode handling
- Upgraded Crowdstrike Falcon endpoint syncs to use bulk fetching
- Refactored enrichment to analyze files concurrently
Sep 15, 2025
- Updated our algorithm to more accurately detect live off the land scenarios
- Improved JSON parsing across all integrations
- Adjusted our parser to better support inconsistencies observed in Microsoft data
- If a detection is added to a case, ticket integrations (e.g. Jira) will note so via a comment
Sep 10, 2025
- Service Provider name will now be used in client Timelines
- Team list now identifies external members, easing Service Provider team management
- Improve monitoring so that detection monitors in the same case stay in sync with one another
- Improve date parsing for syslog ingestion
- Update Jira Cloud integration to faciliate templated summary and optional sending of closed detections
- Fixed bug where the IP page would not load for private IP addresses
Sep 9, 2025
- 20 new and updated integration categorizations
- Simulated breach detection
- Identification and new verdict rules for masquerading files
- Added category for Business Email Compromise (BEC), was previously mapped to Login alerts
- Added category for Account Compromise
- Added category for Lateral Movement
- Fixed bug on events page where click-to-search functionality duplicated values
- Clients table for Service Providers is now sortable
- Improved detection of authorized RMM tools
- Active monitors are displayed below escalated cases in the navigation bar
Aug 31, 2025
- 11 new and updated integration categorizations
Aug 28, 2025
- Webhooks are now processed asynchronously to increase reliability
- Billable users & endpoints are available underneath your Team page, or the Clients page for service providers
- 47 new and updated integration categorizations
Aug 24, 2025
- User and Endpoint details pages have been updated to show related detections
- User details page exposes authentication patterns
- Dedicated category for business email compromise added
- Updated details grid available on all entity details pages
- Removed files, user agents, locations, processes, ip addresses, and domains from left-hand navigation
- New command pallette available via
cmd+korctrl+kto search the removed navigation items above - AI summary is now the default case description
Aug 22, 2025
- You can now delete your team by navigating to the Teams page and selecting “Delete Team”. This action is irreversible.
- New API endpoint
POST /team/switch- Service providers can use this with a service provider API key to manage multiple tenants.
Aug 20, 2025
- Fixed custom detection query timeouts by updating query generation logic to use proper partitioning keys.
- Generic Syslog and JSON log importers are now generally available.
- Improved endpoint and user correlation to prioritize active managed users over dormant ones.
Aug 17, 2025
- Improved cases dashboard now shows mean time to detect, verdict, respond, and contain.
- Timeline logging improvements for ingestion of historic detections on initial integration.
- Lowered required thresholds for Apple Private Relay and ISP logins from trusted locations.
- Improved live off the land tool detection for
pwsh.exeandwinpty-agent.exe. - Improved remote management tool detection for ScreenConnect and NinjaOne.
Aug 12, 2025
- Jira comments sync back to Wirespeed and are shown in the cases view.
- IPv6 addresses are flattened by default
- Integration categorization and parsing improvements for Crowdstrike and Okta
Aug 5, 2025
- In the Events view, you can now click properties to automatically add them to the search bar.
- When creating a user you can now opt them out of activity emails.
- New and updated mappings for Microsoft.
July 30, 2025
- Jira Cloud is now available! Review our documentation to learn how Wirespeed cases can create Jira issues and how closing issues in Jira can close the issue in Wirespeed.
- Updated Microsoft UAL parsing and tidying of AWS GuardDuty permissions checks.
- Prioritize managed users in directory user searches.
July 28, 2025
- Hunts and Monitors are now generally available!
- Hunts are deep analyses using 30-day patterns, threat intelligence, and device validation that hunts for any clues or indications that may inform a detection.
- Monitors are continuous surveillance executing rules at regular intervals to detect repeat patterns over extended periods (days to weeks), generating cases when specific threat patterns match.
- New mappings for JAMF Protect.
- Added the ability to test ChatOps with unamanaged user, making it easier than ever to see a live demo of ChatOps in action.
July 23, 2025
- Cisco Duo authentications logs are now available in Wirespeed! Check out our integration docs to learn how to get started.
- Custom detection changes are logged to your audit log.
- Detections table verdict and page size filters were not working as expected.
- New and fixed mappings for detections from Microsoft and Crowdstrike.
July 18, 2025
- Certain OCSF observables were not being properly identified on authentication events.
- Containment and chat ops actions are more clear in the What Happened summary.
- Improved detection mappings for vulnerable drivers, brute force, and email malware alerts.
July 12, 2025
- Check Point Harmony spam and graymail alerts are no longer considered detections. They will still be enriched and available in the data lake.
July 11, 2025
- Need a quick birds eye view of your Detections? Go checkout out the new stats at the top!
- You asked for it, we delivered: Apple Private Relay 🍏 handling has been added to our verdict rules.
- You’re not using Chatops? Onboard a group today to instantly increase the effectiveness and intelligence of your Wirespeed deployment.
- Subscribe to changelog updates at
https://docs.wirespeed.co/changelog/rss.xml.
July 7, 2025
- Leverage the full power of Clickhouse by using Wirespeed’s Advanced Queries. Seriously, go check out the docs for this one. Start or continue your journey to become a Wirespeed Superuser!
- Updated our user algorithm, making our directory decision making even smarter.
- Ever wonder if your mobile endpoints are responsible for more cases? You can now filter cases by “Was Mobile” to learn more about what your mobile devices are triggering.
July 1, 2025
- Custom Detections are here: use SQL to create your own custom detections.
- Jira integration added. Check out our Jira integration docs to learn how Wirespeed and Jira can stay in sync!
June 27, 2025
- Added ability for Service Providers to provide default ChatOps messaging for client teams.
June 25, 2025
- Updated verdict ordering for better prioritization
- Added TOR logins to verdict algorithm
- Fixed timeline display issues for improved event tracking
June 23, 2025
- Microsoft sign-in log processing is now generally available
June 19, 2025
- Okta sign-in log processing is now generally available
- Enhanced directory user automation rules for email domain matching
- Increased clarity of threat indicator data
June 18, 2025
- AI Case Summaries: you can now view a AI-generated summary of every case
- Added ability to ingest all assets from detection sources and option to tag them as HVT
June 11, 2025
- JAMF Protect integration has been enabled for Beta testing
June 10, 2025
Welcome to our new changelog! Items will be added here as soon as they are released.