After Wirespeed receives a detection from one of your integrations, it is categorized and goes through the process of verdicting. Verdicts are a series of enrichments and checks we perform on detections and related data in your environment to determine what actions should be performed. Below are a few examples from the Endpoint > Execution detection verdicts:

The verdicts are processed in a top down order. If the first verdict is not true, it continues until a true verdict is reached or we hit the default verdict. You can customize these verdicts to tune Wirespeed to your environment.

Customizing Verdicts

You can customize Wirespeed’s automatic response options, chat ops, and severities for each verdict.

Response

Contain User

Lock the user account of any user’s associated with this detection

Contain Endpoint

Network isolate any endpoints associated with this detection

Escalate

Notify your team about the detection for manually investigation

Correlate & close

Close the detection and allow it to be used as a threat indicator for other cases.

Skip

Ignore this verdict and continue on. You cannot skip the default rule.

Chat Ops

Reach out to the user(s) affected by this detection and ask them if it was an intentional action by them. Additional options are available to require the user to perform SMS MFA for identity verification, verify with their manager, and enable/disable chat ops for VIP users.

Chat Ops Timeout Verdict

When a user does not respond within the chat ops timeout window you have defined in your team settings, you can declare a verdict to use.

Chat Ops Unsure Verdict

When a user responds they are unsure if they performed the action that caused the detection, you can declare a verdict to use.

Malicious will result in the user & endpoint being contained, benign will close the case, and suspicious will escalate.