After Wirespeed receives a detection from one of your integrations, it is categorized and goes through the process of verdicting. Verdicts are a series of enrichments and checks we perform on detections and related data in your environment to determine what actions should be performed. Below are a few examples from the Endpoint > Execution detection verdicts:

[Image: Verdicts]

Each rule shows when it runs (for example Immediate), the condition that must be true (if), and the actions Wirespeed takes (then). When remediation actions are enabled, the outcome lists the specific actions in parentheses, for example Remediate Endpoint (Isolate Endpoint, Lock Device).

Verdicts are processed in top-down order. If the first verdict's condition is not true, processing continues down the list until a verdict whose condition is true is reached or the default verdict is hit; only the first true verdict is applied. You can customize these verdicts to tune Wirespeed to your environment.

Customizing Verdicts

When editing a verdict rule, you can configure remediation actions, response options, verdict, and severity.

Remediation

Remediation actions automatically contain or release users, endpoints, and files associated with a detection. For each asset type, you can choose which specific actions to perform.

Remediate User

Lock down users associated with this detection. Available actions:
  • Disable Account — prevent the user from signing in
  • Reset Password — force a password change on next sign-in
  • Revoke Sessions — terminate all active sign-in sessions

Remediate Endpoint

Isolate endpoints associated with this detection. Available actions:
  • Isolate Endpoint — disconnect the endpoint from the network
  • Lock Device — remotely lock the device screen

Remediate File

Quarantine or delete files associated with this detection. Available actions:
  • Quarantine File — quarantine the file to prevent execution
  • Delete File — permanently delete the file from the endpoint (irreversible)

Release User

Reverse user remediation when a detection is resolved as benign:
  • Enable Account — re-enable the user account for sign-in

Release Endpoint

Reverse endpoint remediation when a detection is resolved as benign:
  • Unisolate Endpoint — reconnect the endpoint to the network
  • Unlock Device — unlock the device screen

Release File

Reverse file remediation when a detection is resolved as benign:
  • Unquarantine File — release the file from quarantine

If a detection matches a verdict rule with remediation actions configured, but the corresponding global auto-remediation setting is disabled, the remediation is not performed and the detection is escalated to your team instead. See User Containment, Endpoint Containment, and File Containment for details.

Response

Escalate

Notify your team about the detection for manual investigation.

Run Monitors

Run case monitors that watch for further activity related to this detection.

Correlate & Resolve

Resolve the detection and allow it to be used as a threat indicator for other cases.

Skip

Ignore this verdict and continue on. You cannot skip the default rule.
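The following is an added example, not Wirespeed's own code: a small Python model of the rule processing described on this page. It walks rules top down and stops at the first true one, a Skip rule is ignored so processing continues to the next rule, the default rule is the catch-all and cannot be skipped, and remediation configured on a rule only acts for an asset type whose global auto-remediation toggle is on; when a toggle is off the detection is escalated instead. The rule names, detection fields, the ADMINS set, the toggle dictionary and the sample detections are all constructed for the demonstration.

```python
# Illustrative model of top-down verdict processing. Added example, not
# Wirespeed code: rule names, detection fields, the ADMINS set and the
# auto-remediation toggles are constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Callable

Detection = dict  # constructed fields: process, path, user, host


@dataclass
class Rule:
    name: str
    condition: Callable[[Detection], bool]          # the "if" part of the rule
    response: str                                   # Escalate, Run Monitors, Correlate & Resolve, Skip, Chat Ops
    verdict: str = "Suspicious"                     # Malicious, Suspicious or Benign
    remediate: dict = field(default_factory=dict)   # asset type -> chosen actions
    is_default: bool = False


@dataclass
class Outcome:
    rule: str
    verdict: str
    response: str
    actions: list
    escalated: bool


def evaluate(detection: Detection, rules: list, auto_remediation: dict) -> Outcome:
    """Walk the rules top down and stop at the first true one.

    auto_remediation holds the global toggles per asset type, for example
    {"user": True, "endpoint": False, "file": True}. Remediation configured
    for an asset type whose toggle is off is not performed; the detection is
    escalated to the team instead.
    """
    for rule in rules:
        if not rule.condition(detection):
            continue
        if rule.response == "Skip":
            if rule.is_default:
                raise ValueError("the default rule cannot be skipped")
            continue                              # Skip: ignore this verdict, keep going
        actions = []
        escalated = rule.response == "Escalate"
        for asset, chosen in rule.remediate.items():
            if auto_remediation.get(asset, False):
                actions.append(f"Remediate {asset.title()} ({', '.join(chosen)})")
            else:
                escalated = True                  # global toggle off: hand to the team
        return Outcome(rule.name, rule.verdict, rule.response, actions, escalated)
    raise RuntimeError("no rule matched: the last rule must be a catch-all default")


ADMINS = {"alice"}   # constructed

RULES = [
    # Skip: a known admin running a remote-execution tool is ignored by this
    # rule, and processing continues with the next one.
    Rule("Admin using PsExec",
         lambda d: d["process"] == "psexec.exe" and d["user"] in ADMINS,
         "Skip", "Benign"),
    # Remediation configured for endpoint and file; the response runs monitors.
    Rule("rundll32 launched from a user profile",
         lambda d: d["process"] == "rundll32.exe"
         and d["path"].lower().startswith("c:\\users\\"),
         "Run Monitors", "Malicious",
         {"endpoint": ["Isolate Endpoint", "Lock Device"],
          "file": ["Quarantine File"]}),
    # Default: always true, cannot be skipped.
    Rule("Default", lambda d: True, "Escalate", "Suspicious", is_default=True),
]

# Constructed sample detections.
SUSPICIOUS = {"process": "rundll32.exe", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll",
              "user": "bob", "host": "WS-042"}
ADMIN_ACTIVITY = {"process": "psexec.exe", "path": "C:\\Tools\\psexec.exe",
                  "user": "alice", "host": "WS-001"}

if __name__ == "__main__":
    print(evaluate(SUSPICIOUS, RULES, {"user": True, "endpoint": True, "file": True}))
    print(evaluate(SUSPICIOUS, RULES, {"user": True, "endpoint": False, "file": True}))
    print(evaluate(ADMIN_ACTIVITY, RULES, {"user": True, "endpoint": True, "file": True}))
```

Running the same detection twice, once with the endpoint toggle on and once off, shows the difference between a rule acting and a rule escalating; the admin PsExec activity shows a Skip rule falling through to the default.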

Chat Ops

Reach out to the user(s) affected by this detection and ask them if it was an intentional action. Additional options are available:
  • Chat Ops MFA — require SMS MFA when a user claims they performed the activity (requires Chat Ops Second Factor in team settings)
  • Manager Chat Ops — escalate to the user’s manager if they do not respond or cannot complete MFA
  • VIP Chat Ops — allow Chat Ops for VIP users on this rule
  • Timeout — when a user does not respond within the Chat Ops timeout window defined in your team settings, choose whether to continue with a verdict, resolve with a verdict, or run monitors
  • Unsure Verdict — when a user responds that they are unsure whether they performed the action, continue with the selected verdict

The verdict selected for these outcomes determines what happens next: Malicious results in the user and endpoint being remediated, Benign resolves the case, and Suspicious escalates.
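The following is an added example, not Wirespeed's own code: a Python model of the Chat Ops branches described above (user reply, optional SMS MFA that only applies when Chat Ops Second Factor is on in team settings, escalation to the manager when the user does not respond or cannot complete MFA, the Timeout and Unsure Verdict settings, and the effect of each verdict). The setting and field names are constructed; the mapping of a "yes" reply to Benign and a "no" reply to Malicious, the use of the manager's reply in the user's place, the escalation of an unverified "yes", and escalation of VIP users when VIP Chat Ops is off on the rule are assumptions of this model, not statements from the page.

```python
# Illustrative model of the Chat Ops response path. Added example, not
# Wirespeed code. Option names follow the page; the setting names, the
# mapping of a "yes" reply to Benign and a "no" reply to Malicious, the
# stand-in use of a manager's reply, and escalation of VIP users when VIP
# Chat Ops is off are assumptions of this model.
from dataclasses import dataclass
from typing import Optional

# What each verdict leads to, as the page describes it.
VERDICT_EFFECT = {
    "Malicious": "remediate user and endpoint",
    "Benign": "resolve case",
    "Suspicious": "escalate",
}


@dataclass
class TeamSettings:
    chat_ops_second_factor: bool   # Chat Ops MFA only applies when this is on
    chat_ops_timeout_minutes: int


@dataclass
class ChatOpsOptions:
    mfa: bool                      # Chat Ops MFA
    manager: bool                  # Manager Chat Ops
    vip: bool                      # VIP Chat Ops
    timeout_action: str            # "continue", "resolve" or "run_monitors"
    timeout_verdict: str           # verdict used by "continue" and "resolve"
    unsure_verdict: str            # verdict used when the user is unsure


@dataclass
class Reply:
    answer: Optional[str]                 # "yes", "no", "unsure" or None (timed out)
    mfa_passed: Optional[bool] = None     # result of the SMS MFA prompt, if sent
    manager_answer: Optional[str] = None  # manager's reply, if Manager Chat Ops ran


def effect_of_answer(answer: str, opts: ChatOpsOptions) -> str:
    """Map a plain yes/no/unsure answer to an effect (yes/no mapping assumed)."""
    if answer == "yes":
        return VERDICT_EFFECT["Benign"]
    if answer == "no":
        return VERDICT_EFFECT["Malicious"]
    return VERDICT_EFFECT[opts.unsure_verdict]


def timeout_effect(opts: ChatOpsOptions) -> str:
    """Apply the rule's Timeout setting when nobody answered."""
    if opts.timeout_action == "run_monitors":
        return "run monitors"
    if opts.timeout_action == "resolve":
        return f"resolve case as {opts.timeout_verdict}"
    return VERDICT_EFFECT[opts.timeout_verdict]   # continue with the verdict


def decide(team: TeamSettings, opts: ChatOpsOptions, user_is_vip: bool, reply: Reply) -> str:
    if user_is_vip and not opts.vip:
        return "escalate"                         # assumption: no Chat Ops for VIPs on this rule
    manager_can_answer = opts.manager and reply.manager_answer is not None
    if reply.answer is None:                      # no reply within the team timeout window
        if manager_can_answer:
            return effect_of_answer(reply.manager_answer, opts)
        return timeout_effect(opts)
    if reply.answer == "yes" and opts.mfa and team.chat_ops_second_factor:
        if reply.mfa_passed:
            return VERDICT_EFFECT["Benign"]       # claim confirmed by SMS MFA
        if manager_can_answer:                    # user could not complete MFA
            return effect_of_answer(reply.manager_answer, opts)
        return VERDICT_EFFECT["Suspicious"]       # assumption: unverified claim escalates
    return effect_of_answer(reply.answer, opts)


# Constructed settings for the demonstration.
TEAM = TeamSettings(chat_ops_second_factor=True, chat_ops_timeout_minutes=30)
OPTS = ChatOpsOptions(mfa=True, manager=True, vip=False,
                      timeout_action="run_monitors", timeout_verdict="Suspicious",
                      unsure_verdict="Suspicious")

if __name__ == "__main__":
    for r in (Reply("yes", mfa_passed=True), Reply("yes", mfa_passed=False, manager_answer="no"),
              Reply("no"), Reply("unsure"), Reply(None), Reply(None, manager_answer="yes")):
        print(r, "->", decide(TEAM, OPTS, False, r))
```

The point of the MFA branch is that a user's "yes" on its own is not trusted when Chat Ops MFA is on: the claim must be backed by the second factor, and a failed or missing factor falls back to the manager or to escalation rather than resolving the case.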

Case monitors and productivity logs

Case monitors run for some categories (for example Identity Login) and watch for patterns over time using platform data, not only the original detection. The Identity Login monitor depends on productivity logs: mailbox and related collaboration activity that Wirespeed stores as productivity-tagged events. Before running its rules, the monitor checks that your tenant has enough recent volume (at least 250 productivity-tagged events in the last 30 days). If that threshold is not met, the monitor skips so it does not draw conclusions without enough data. That is not a signal that a specific integration is broken; it means productivity log volume in Wirespeed is too low for this monitor to run meaningfully.

Which integrations supply productivity logs?

Productivity-tagged events come from the following integrations:
  • Microsoft (Microsoft 365): Unified Audit Log (UAL) activity that Wirespeed maps to productivity actions (for example mailbox rules, mail access/send/delete, SharePoint/OneDrive file activity, and certain account-related operations).
  • Google Workspace: Gmail audit/reporting (message sent and received).

Other integrations do not currently feed this productivity stream. If you rely only on vendors outside this list, you may see the skip message until Microsoft 365 and/or Google Workspace mail and audit data is connected and ingested at sufficient volume.