
Overview

Wirespeed automatically imports custom detection rules from supported security platforms, allowing you to centrally review, categorize, and manage all your custom detections in one place. When detections fire from these imported rules, Wirespeed automatically applies the correct categorization and processing.

How It Works

  1. Automatic Sync: Wirespeed periodically syncs custom detection rules from your integrated EDR/XDR platforms (e.g., CrowdStrike, Microsoft Defender, SentinelOne)
  2. AI-Powered Classification: Each imported rule is analyzed by Wirespeed AI, which suggests an appropriate detection category based on the rule’s content and behavior
  3. Review and Approval: You can review imported rules, accept or modify the AI’s category suggestion, and enable them for use in Wirespeed
  4. Automatic Matching: When a detection fires from an imported rule, Wirespeed automatically matches it to your approved rule and applies the correct category for processing

Supported Integrations

The following integrations support automatic custom detection import:
  • CrowdStrike Falcon: Imports custom Indicator of Attack (IOA) rules
  • Microsoft Defender: Imports custom detection rules from Microsoft 365 Defender and Microsoft Sentinel
  • SentinelOne: Imports custom detection rules
More integrations are being added regularly. Check your integration’s documentation page for the latest capabilities.

Managing Automated Custom Detections

Navigate to Settings > Custom Detections > Imported Detections to view and manage rules synced from your integrations.
The feature is called “Automated Custom Detections” but the UI tab is labeled “Imported Detections” to reflect that these rules are imported from your security platforms.

Viewing Imported Rules

The Imported Detections tab shows all rules that have been reviewed and approved:
  • View detection name, description, and severity
  • See which integration each rule comes from
  • Check enabled/disabled status
  • Review AI-suggested categorization

Reviewing New Rules

The To Review tab displays newly synced rules pending your review:
  • Review the rule details and sample detections
  • See the AI-suggested category (marked with a sparkles icon)
  • Accept the suggested category or choose a different one
  • Enable the rule to start matching incoming detections
Wirespeed AI suggests categories based on the rule’s indicators, behaviors, and threat patterns. You can always override the suggestion if a different category better fits your security operations workflow.

Rule Details

When reviewing or editing an imported rule, you can view:
  • Detection Information: Name, description, severity, and source payload
  • Categorization: Current category and AI suggestion (if available)
  • Sample Detection: An example of what this rule detects (when available from the provider)
  • Provider Metadata: Additional context from your security platform
  • Raw Payload: Full JSON structure of the rule as received from the integration

Enabling and Disabling Rules

  • Enable: When enabled, incoming detections matching this rule will be automatically categorized and processed according to your configuration
  • Disable: Disabled rules will not match incoming detections, but the rule configuration is preserved
  • Provider Status: Rules show whether they are enabled in the source platform. Disabling a rule in Wirespeed does not affect its status in your EDR/XDR platform.

Detection Matching

When a detection is received from an integrated platform:
  1. Wirespeed checks if it matches an imported custom detection rule
  2. If a match is found and the rule is enabled, the detection is automatically categorized
  3. The detection proceeds through Wirespeed’s normal verdicting and case creation workflow
  4. The detection timeline logs show that it was matched to an imported rule
Only enabled and approved rules will match incoming detections. Rules in “pending review” status do not affect detection processing.
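As an added illustration (not Wirespeed's own code), the following Python models the matching rules this section and the Enabling and Disabling Rules section describe: a detection is categorized only by a rule that is both approved and enabled, pending-review or disabled rules leave it untouched, and the provider-side status is tracked separately so an "enabled in Wirespeed, disabled at the provider" mismatch can be reported. Rule ids, names and categories are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ImportedRule:
    provider: str             # integration the rule was synced from
    provider_rule_id: str     # rule id as sent by that platform
    name: str
    category: Optional[str]   # approved category; None while pending review
    enabled: bool             # enabled in Wirespeed
    provider_enabled: bool    # enabled in the source EDR/XDR platform

@dataclass
class Detection:
    provider: str
    provider_rule_id: str
    category: Optional[str] = None
    timeline: list = field(default_factory=list)

def match_detection(det: Detection, rules: list) -> Optional[ImportedRule]:
    """Apply the first approved and enabled rule with the same provider and rule id."""
    for rule in rules:
        if (rule.provider, rule.provider_rule_id) != (det.provider, det.provider_rule_id):
            continue
        if rule.category is None:    # still in "pending review": no effect on processing
            det.timeline.append(f"{rule.name}: pending review, not applied")
            return None
        if not rule.enabled:         # disabled in Wirespeed: config kept, no match
            det.timeline.append(f"{rule.name}: disabled, not applied")
            return None
        det.category = rule.category
        det.timeline.append(f"matched imported rule {rule.name} -> {rule.category}")
        return rule
    det.timeline.append("no imported rule matched")
    return None

def provider_mismatches(rules: list) -> list:
    """Names of rules enabled in Wirespeed but disabled at the provider."""
    return [r.name for r in rules if r.enabled and not r.provider_enabled]

# Constructed sample rules (ids, names and categories are made up for this example).
RULES = [
    ImportedRule("crowdstrike", "ioa-0001", "Custom IOA rule A", "credential-access", True, True),
    ImportedRule("crowdstrike", "ioa-0002", "Custom IOA rule B", None, False, True),
    ImportedRule("crowdstrike", "ioa-0004", "Custom IOA rule D", "execution", False, True),
    ImportedRule("defender", "cd-0003", "Custom Defender rule C", "execution", True, False),
]
```

Each call appends to the detection's timeline, mirroring the timeline entry the page says is logged when a detection is matched to an imported rule.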

Best Practices

  1. Review Regularly: Check the “To Review” tab periodically for newly synced rules from your security platforms
  2. Trust but Verify: While AI suggestions are accurate most of the time, always review the category to ensure it aligns with your team’s workflow
  3. Use Sample Detections: Review sample detections when available to understand what the rule actually triggers on
  4. Keep Rules Organized: Disable rules you’re not actively using rather than dismissing them, so you can easily re-enable them later
  5. Monitor Provider Status: Pay attention to rules that are disabled in the provider but enabled in Wirespeed—this may indicate a configuration mismatch

  • Custom Detections - Create custom detections using Wirespeed’s query language
  • Advanced Queries - Learn how to query events in Wirespeed’s SIEM
  • Verdicts - Understand how detections are automatically processed and escalated