> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wirespeed.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Introduction to Integrations

> Connect your security stack to enable automated detection and response

Wirespeed connects to your existing security tools to provide automated threat detection, investigation, and response. Our integrations are designed to work together—combining detection sources with user directories, endpoint managers, and communication platforms to enable a fully automated MDR experience.

<Tip>
  New to Wirespeed? Start by connecting a [user directory](#user-directories) and a [detection source](#detection-sources) to see our automation in action.
</Tip>

## How Integrations Work

When you connect an integration, Wirespeed automatically:

1. **Syncs your data** — We pull user directories, endpoint inventories, and detection history to build context about your environment
2. **Ingests detections** — Security alerts flow into Wirespeed in real-time from your detection platforms
3. **Enriches and triages** — Each detection is automatically enriched with context and triaged using our verdict system
4. **Takes action** — Based on your configured verdicts, Wirespeed can contain threats, notify users via chat ops, or escalate to your team

<Info>
  All integrations use secure OAuth or API tokens. We request only the permissions necessary to deliver our service and never store credentials in plain text.
</Info>

## Webhook Rate Limiting

Integrations that deliver data via webhooks are subject to a rate limit of **600 requests per minute per team**. If a team exceeds this limit, Wirespeed will respond with HTTP `429 Too Many Requests` until the rate drops below the threshold. This protects the platform from misconfigured or overly aggressive webhook sources.

If you encounter rate limiting, check whether the source system is sending duplicate or unnecessary events and reduce the webhook frequency accordingly.

## Source System Updates

When Wirespeed processes a detection, it can sync verdict, status, notes, and comments back to the originating integration. This is called a **source system update**. It keeps your detection platform in sync with Wirespeed's triage decisions.

Source system updates are controlled at three levels:

### Integration-Level Control

Each integration has a **Source Updates** toggle available from the row actions menu on the [**Integrations**](https://app.wirespeed.co/settings/integrations) page. When disabled, Wirespeed will not sync verdict, status, notes, or comments back to that integration for any detection.

### Team-Level Control

Under [**Settings > Team Settings**](https://app.wirespeed.co/settings/team), the **Skip Managed Source Updates** toggle controls whether Wirespeed skips source system updates for detections that are managed by a third party (e.g. CrowdStrike Falcon Complete, SentinelOne Vigilance).

This is useful when a third-party managed service is already triaging detections in your security platform. Enabling it prevents Wirespeed from overwriting their work by writing verdicts or comments back to those specific detections, while still syncing updates for detections that are not third-party managed.

### Group-Level Control

Groups also have an **Update Source System** toggle. When disabled for a group, detections involving assets in that group will not trigger source system updates. See [Groups](/groups/introduction) for details.

<Warning>
  If an asset belongs to **any** group that has source system updates disabled, the update is suppressed for detections involving that asset—even if other groups have it enabled.
</Warning>

## Beta Integrations

Some integrations are marked as **beta** while we refine their capabilities. Beta integrations work for detection ingestion, asset syncing, and manual actions, but have one important limitation:

<Warning>
  Auto-containment is not performed for detections from beta integrations. If a detection is generated by a beta integration, Wirespeed will skip automatic containment and escalate the case to your team instead. Manual containment remains available.
</Warning>

Beta integrations are labeled in the platform. Once an integration graduates from beta, auto-containment will apply normally.

## Integration Categories

<CardGroup cols={2}>
  <Card title="Detection Sources" icon="shield" href="#detection-sources">
    EDR, XDR, and SIEM platforms that generate security alerts
  </Card>

  <Card title="User Directories" icon="users" href="#user-directories">
    Identity providers that define your users and their attributes
  </Card>

  <Card title="Endpoint Management" icon="laptop" href="#endpoint-management">
    MDM and endpoint platforms that inventory your devices
  </Card>

  <Card title="Communication" icon="message-circle" href="#communication">
    Chat and messaging platforms for user verification
  </Card>

  <Card title="Ticketing" icon="ticket" href="#ticketing">
    Ticket systems for case management and escalation
  </Card>

  <Card title="Enrichment" icon="search" href="#enrichment">
    Threat intelligence and data enrichment services
  </Card>
</CardGroup>

***

## Detection Sources

Detection sources are the foundation of Wirespeed. These integrations provide the security alerts that Wirespeed automatically triages and responds to. Connect your EDR, XDR, identity protection, or SIEM platform to get started.

<CardGroup cols={3}>
  <Card title="Admin By Request" icon="shield-alert" href="/integrations/admin-by-request">
    Endpoint privilege management and privilege-elevation security events
  </Card>

  <Card title="AWS" icon="cloud" href="/integrations/aws">
    CloudTrail and GuardDuty security events
  </Card>

  <Card title="Check Point Harmony" icon="shield-plus" href="/integrations/checkpoint-harmony">
    Unified endpoint and email security
  </Card>

  <Card title="Cisco XDR" icon="shield-alert" href="/integrations/cisco-xdr">
    Extended detection and response
  </Card>

  <Card title="CrowdStrike" icon="bird" href="/integrations/crowdstrike-falcon">
    Endpoint detection, NG-SIEM, and identity security
  </Card>

  <Card title="Darktrace" icon="radar" href="/integrations/darktrace">
    AI-powered network detection and response
  </Card>

  <Card title="Google Alert Center" icon="bell-ring" href="/integrations/google-alert-center">
    Google Workspace security alerts
  </Card>

  <Card title="Google SecOps" icon="search" href="/integrations/google-chronicle">
    Google Security Operations SIEM detections
  </Card>

  <Card title="Google Security Center" icon="search" href="/integrations/google-security-center">
    Google Cloud security findings
  </Card>

  <Card title="Halcyon" icon="shield" href="/integrations/halcyon">
    Anti-ransomware detection and response
  </Card>

  <Card title="Horizon3 NodeZero" icon="crosshair" href="/integrations/horizon3">
    Autonomous pentesting and attack simulation validation
  </Card>

  <Card title="Jamf Protect" icon="laptop" href="/integrations/jamf-protect">
    Mac-focused endpoint security
  </Card>

  <Card title="Microsoft 365" icon="shield-check" href="/integrations/microsoft">
    Defender for Endpoint, Entra ID Protection, Sentinel, and more
  </Card>

  <Card title="Mimecast" icon="mail-open" href="/integrations/mimecast">
    Email security and threat protection
  </Card>

  <Card title="NinjaOne" icon="server" href="/integrations/ninjaone">
    RMM/MDM alerts, activity telemetry, and device inventory
  </Card>

  <Card title="Okta" icon="key-round" href="/integrations/okta">
    Identity threat detection
  </Card>

  <Card title="Palo Alto Networks Cortex" icon="shield-alert" href="/integrations/palo-alto-networks-cortex">
    Cortex XDR/XSIAM alert ingestion and endpoint management
  </Card>

  <Card title="Picus Security" icon="flask-conical" href="/integrations/picus">
    Breach and attack simulation validation
  </Card>

  <Card title="Orca Security" icon="fish" href="/integrations/orca-security">
    Cloud security posture and workload protection
  </Card>

  <Card title="SafeBreach" icon="flask-conical" href="/integrations/safebreach">
    Breach and attack simulation
  </Card>

  <Card title="Sandfly" icon="shield-alert" href="/integrations/sandfly">
    Agentless Linux detection and host telemetry
  </Card>

  <Card title="SentinelOne" icon="shield" href="/integrations/sentinel-one">
    Autonomous endpoint protection platform
  </Card>

  <Card title="Sophos Central" icon="shield-virus" href="/integrations/sophos">
    Intercept X endpoint detections and event telemetry
  </Card>

  <Card title="Splunk" icon="search" href="/integrations/splunk">
    SIEM detection ingestion
  </Card>

  <Card title="Tenable Nessus" icon="flask-conical" href="/integrations/tenable-nessus">
    Deconflict detections from vulnerability scanning
  </Card>

  <Card title="Tracebit" icon="bell" href="/integrations/tracebit">
    Cloud-native deception platform alerts
  </Card>

  <Card title="Thinkst Canary" icon="bell" href="/integrations/thinkst-canary">
    Honeypot-based intrusion detection
  </Card>

  <Card title="Vectra" icon="radar" href="/integrations/vectra">
    Network detection and response
  </Card>

  <Card title="Wiz" icon="cloud" href="/integrations/wiz">
    Cloud security findings and vulnerability ingestion
  </Card>

  <Card title="Wordfence" icon="lock" href="/integrations/wordfence">
    WordPress security and firewall
  </Card>
</CardGroup>

***

## User Directories

User directories help Wirespeed understand your organization. We sync users, groups, roles, and managers to enrich detections with context and enable features like VIP protection, chat ops escalation, and user containment.

<CardGroup cols={3}>
  <Card title="Cisco Duo" icon="shield-check" href="/integrations/cisco-duo">
    Multi-factor authentication directory
  </Card>

  <Card title="CyberArk" icon="key-round" href="/integrations/cyberark">
    Privilege Cloud audit events and Identity directory sync
  </Card>

  <Card title="Google Workspace" icon="users" href="/integrations/google-workspace">
    Google directory and sign-in logs
  </Card>

  <Card title="JumpCloud" icon="users" href="/integrations/jumpcloud">
    Directory events with user and endpoint sync
  </Card>

  <Card title="Microsoft 365" icon="users" href="/integrations/microsoft">
    Entra ID (Azure AD) directory sync
  </Card>

  <Card title="OneLogin" icon="key-round" href="/integrations/onelogin">
    Directory sync with user suspend and re-enable actions
  </Card>

  <Card title="Okta" icon="key-round" href="/integrations/okta">
    Universal directory and SSO
  </Card>

  <Card title="PingOne" icon="shield-check" href="/integrations/ping-one">
    PingOne audit activities and risk evaluations
  </Card>
</CardGroup>

<Tip>
  Connecting a user directory unlocks automatic VIP detection, manager escalation paths, and user-aware threat context.
</Tip>

***

## Endpoint Management

Endpoint management integrations provide device inventory and health data. Wirespeed uses this information to identify critical assets, correlate detections with device context, and enable endpoint containment actions.

<CardGroup cols={3}>
  <Card title="Axonius" icon="server" href="/integrations/axonius">
    Device and asset inventory synchronization
  </Card>

  <Card title="CrowdStrike" icon="bird" href="/integrations/crowdstrike-falcon">
    Host management, isolation, and identity
  </Card>

  <Card title="Fleet" icon="laptop" href="/integrations/fleet-dm">
    osquery-based device inventory and activity telemetry
  </Card>

  <Card title="Halcyon" icon="shield" href="/integrations/halcyon">
    Endpoint inventory and agent status
  </Card>

  <Card title="Jamf Pro" icon="laptop" href="/integrations/jamf-pro">
    Apple device management
  </Card>

  <Card title="Kandji" icon="laptop" href="/integrations/kandji">
    Modern Apple MDM
  </Card>

  <Card title="ManageEngine" icon="server" href="/integrations/manage-engine">
    AD audit and endpoint monitoring
  </Card>

  <Card title="Microsoft Intune" icon="laptop" href="/integrations/microsoft">
    Cloud-based endpoint management
  </Card>

  <Card title="Sandfly" icon="server" href="/integrations/sandfly">
    Linux host inventory and enrichment
  </Card>

  <Card title="SentinelOne" icon="shield" href="/integrations/sentinel-one">
    Endpoint inventory and containment
  </Card>
</CardGroup>

***

## Communication

Communication integrations enable [Chat Ops](/chat-ops/introduction)—Wirespeed's ability to verify suspicious activity directly with your users. When a detection requires user verification, we reach out through your existing communication channels.

<CardGroup cols={3}>
  <Card title="Email" icon="mail" href="/integrations/email">
    Email-based user notification
  </Card>

  <Card title="Custom SMTP" icon="server" href="/integrations/smtp">
    Send emails from your own domain
  </Card>

  <Card title="Microsoft Teams" icon="message-square" href="/integrations/microsoft-teams">
    In-app chat ops experience
  </Card>

  <Card title="Slack" icon="message-circle" href="/integrations/slack">
    Direct message users for verification
  </Card>
</CardGroup>

<Info>
  SMS verification is available as an add-on to any communication integration for enhanced identity verification. [Learn more about SMS Chat Ops](/chat-ops/communication-plan#sms-chat-ops).
</Info>

***

## Ticketing

Ticketing integrations sync Wirespeed cases with your existing ticket management system. Cases and detections can automatically create tickets, and updates flow bidirectionally.

<CardGroup cols={3}>
  <Card title="ConnectWise PSA" icon="clipboard-list" href="/integrations/connectwise-psa">
    Professional services automation
  </Card>

  <Card title="Freshservice" icon="ticket" href="/integrations/freshservice">
    IT service management ticketing and case sync
  </Card>

  <Card title="Halo ITSM" icon="ticket" href="/integrations/halo-itsm">
    IT service management ticketing and case sync
  </Card>

  <Card title="Jira Cloud" icon="ticket" href="/integrations/jira-cloud">
    Atlassian's cloud-hosted Jira
  </Card>

  <Card title="Jira Data Center" icon="ticket" href="/integrations/jira-data-center">
    Self-hosted Jira deployment
  </Card>

  <Card title="Odoo Helpdesk" icon="ticket" href="/integrations/odoo-helpdesk">
    Odoo Helpdesk ticket management
  </Card>

  <Card title="PagerDuty" icon="ticket" href="/integrations/pager-duty">
    Incident management and on-call alerting
  </Card>
</CardGroup>

***

## Enrichment

Enrichment integrations provide additional context and threat intelligence to enhance detection triage. These services help identify known-bad indicators and provide reputation data.

<CardGroup cols={3}>
  <Card title="Have I Been Pwned" icon="key" href="/integrations/have-i-been-pwned">
    Credential breach detection
  </Card>

  <Card title="IPinfo" icon="globe" href="/integrations/ipinfo">
    IP address geolocation and ASN data
  </Card>

  <Card title="Reversing Labs" icon="file-code" href="/integrations/reversing-labs">
    File reputation and malware analysis
  </Card>
</CardGroup>

***

## Log Forwarding

For platforms without native integrations, Wirespeed supports standard log forwarding protocols and network-based telemetry sources. These allow you to send security events from any source, including firewalls, network devices, and log aggregation platforms.

<CardGroup cols={3}>
  <Card title="1Password" icon="key" href="/integrations/1password">
    Password manager audit and sign-in events
  </Card>

  <Card title="Bitwarden" icon="lock" href="/integrations/bitwarden">
    Organization events and user activity
  </Card>

  <Card title="Box" icon="box" href="/integrations/box">
    Cloud content management events
  </Card>

  <Card title="Check Point Firewall (Quantum)" icon="shield-alert" href="/integrations/checkpoint-firewall">
    Next-gen firewall and network security events
  </Card>

  <Card title="Cisco Meraki" icon="network" href="/integrations/cisco-meraki">
    Cloud-managed network security
  </Card>

  <Card title="Cisco Secure Access" icon="umbrella" href="/integrations/cisco-secure-access">
    DNS-layer security
  </Card>

  <Card title="Cisco Umbrella" icon="umbrella" href="/integrations/cisco-umbrella">
    DNS-layer security
  </Card>

  <Card title="Exium" icon="server" href="/integrations/exium">
    Network and security syslog events
  </Card>

  <Card title="Fortinet FortiAnalyzer" icon="chart-line" href="/integrations/fortinet-fortianalyzer">
    Centralized log and analytics
  </Card>

  <Card title="Fortinet FortiGate" icon="shield-alert" href="/integrations/fortinet">
    Next-gen firewall security events
  </Card>

  <Card title="Generic JSON" icon="code" href="/integrations/generic-json">
    Webhook-based JSON ingestion
  </Card>

  <Card title="Generic Syslog" icon="server" href="/integrations/generic-syslog">
    CEF and standard syslog formats
  </Card>

  <Card title="HYAS Protect" icon="shield" href="/integrations/hyas-protect">
    Adversary infrastructure intelligence
  </Card>

  <Card title="Microsoft On-Prem AD" icon="building" href="/integrations/microsoft-on-prem-active-directory">
    On-premises Active Directory
  </Card>

  <Card title="Microsoft Sign-In Logs" icon="log-in" href="/integrations/microsoft-sign-in-logs">
    Standalone Entra ID sign-in data
  </Card>

  <Card title="ServiceNow" icon="clipboard-list" href="/integrations/service-now">
    Change request validation for planned maintenance workflows
  </Card>

  <Card title="SonicWall" icon="shield" href="/integrations/sonic-wall">
    Next-gen firewall security events
  </Card>

  <Card title="Stairwell" icon="code" href="/integrations/stairwell">
    Webhook delivery for Stairwell detection events
  </Card>

  <Card title="Ubiquiti UniFi Network" icon="network" href="/integrations/unifi">
    Gateway, switch, and access point syslog events
  </Card>

  <Card title="WatchGuard Firebox" icon="shield" href="/integrations/watchguard-firebox">
    VPN authentication, traffic, and alarm syslog events
  </Card>

  <Card title="Windows Event Logs" icon="monitor" href="/integrations/microsoft-windows">
    Windows event forwarding
  </Card>

  <Card title="Zscaler ZPA (Syslog)" icon="shield" href="/integrations/zscaler-zpa">
    ZPA App Connector syslog forwarding
  </Card>
</CardGroup>

***

## Getting Started

Ready to connect your first integration? Here's the recommended order:

<Steps>
  <Step title="Connect a User Directory">
    Start with [Microsoft 365](/integrations/microsoft), [Google Workspace](/integrations/google-workspace), or [Okta](/integrations/okta) to import your users and organizational structure.
  </Step>

  <Step title="Add a Detection Source">
    Connect your primary security platform—[Microsoft Defender](/integrations/microsoft), [CrowdStrike](/integrations/crowdstrike-falcon), or [SentinelOne](/integrations/sentinel-one) are great starting points.
  </Step>

  <Step title="Enable Communication">
    Set up [Slack](/integrations/slack) or [Microsoft Teams](/integrations/microsoft-teams) to enable Chat Ops for user verification.
  </Step>

  <Step title="Configure Containment">
    Review your [containment settings](/containment/introduction) to enable automated threat response.
  </Step>
</Steps>

<Note>
  Need help setting up an integration? Use the **Chat** button in the Wirespeed platform to talk directly with our engineers, or email [support@wirespeed.co](mailto:support@wirespeed.co).
</Note>
