Customize how Wirespeed automatically handles your detections
After Wirespeed receives a detection from one of your integrations, it is categorized and goes through the process of verdicting. Verdicts are a series of enrichments and checks we perform on the detection and related data in your environment to determine which actions should be taken. Below are a few examples from the Endpoint > Execution detection verdicts:
The verdicts are processed in top-down order. If the first verdict is not true, processing continues down the list until a true verdict is reached or the default verdict is hit. You can customize these verdicts to tune Wirespeed to your environment.
You can customize Wirespeed’s automatic response options, chat ops, and severities for each verdict.
Lock the user account of any users associated with this detection.
Network isolate any endpoints associated with this detection.
Notify your team about the detection for manual investigation.
Close the detection and allow it to be used as a threat indicator for other cases.
Ignore this verdict and continue to the next one. The default verdict cannot be skipped.
Reach out to the user(s) affected by this detection and ask them whether the action was intentional on their part. Additional options are available to require the user to perform SMS MFA for identity verification, to verify with their manager, and to enable or disable chat ops for VIP users.
When a user does not respond within the chat ops timeout window defined in your team settings, you can declare the verdict to apply.
When a user responds that they are unsure whether they performed the action that caused the detection, you can declare the verdict to apply.
Malicious results in the user and endpoint being contained, benign closes the case, and suspicious escalates the detection to your team.
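The following is an added illustration of the top-down, first-match verdict chain and the chat ops outcomes described above. It is not Wirespeed's code: the verdict names, the detection fields (process, path, signer, user), the action constants and the "yes"/"no"/"unsure" reply strings are all assumptions made for the example, and the sample detection is constructed.

```python
"""First-match verdict chain, modelled on the behaviour described on this page.

Added illustration only: this is not Wirespeed's code. Rule names, detection
fields, action values and chat-ops reply strings are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Response actions a verdict can carry (names are assumptions).
LOCK_USER = "lock_user"                 # lock the associated user account(s)
ISOLATE_ENDPOINT = "isolate_endpoint"   # network-isolate the endpoint(s)
NOTIFY = "notify"                       # hand to the team for manual investigation
CLOSE = "close"                         # close, keep as a threat indicator
SKIP = "skip"                           # ignore this verdict, keep walking the chain
CHAT_OPS = "chat_ops"                   # ask the user whether the action was theirs

# What each severity does to the case, as the page states it.
SEVERITY_ACTIONS = {
    "malicious": [LOCK_USER, ISOLATE_ENDPOINT],   # contain user and endpoint
    "benign": [CLOSE],                            # close the case
    "suspicious": [NOTIFY],                       # escalate to the team
}


@dataclass
class Verdict:
    name: str
    matches: Callable[[dict], bool]   # the check run against the detection
    action: str
    severity: str = "suspicious"
    # chat-ops only: severity applied on no reply / an "unsure" reply
    timeout_severity: str = "suspicious"
    unsure_severity: str = "suspicious"


# ask(detection, timeout_seconds) -> "yes", "no", "unsure", or None on timeout
AskFn = Callable[[dict, int], Optional[str]]


def resolve_chat_ops(v: Verdict, detection: dict, ask: AskFn, timeout: int) -> str:
    """Map the user's reply (or silence) to a severity."""
    answer = ask(detection, timeout)
    if answer is None:            # nothing within the team's timeout window
        return v.timeout_severity
    if answer == "yes":           # user confirms the action was intentional
        return "benign"
    if answer == "unsure":
        return v.unsure_severity
    return "malicious"            # "no": someone else acted as this user


def finish(v: Verdict, detection: dict, ask: AskFn, timeout: int):
    """Return (verdict name, severity, actions) for the winning verdict."""
    if v.action == CHAT_OPS:
        severity = resolve_chat_ops(v, detection, ask, timeout)
        return v.name, severity, SEVERITY_ACTIONS[severity]
    return v.name, v.severity, [v.action]


def evaluate(detection: dict, chain: list, default: Verdict, ask: AskFn, timeout: int = 900):
    """Walk the chain top-down: the first true, non-skipped verdict wins,
    otherwise the default applies. A SKIP verdict is true but falls through."""
    if default.action == SKIP:
        raise ValueError("the default verdict cannot be skipped")
    for v in chain:
        if v.matches(detection) and v.action != SKIP:
            return finish(v, detection, ask, timeout)
    return finish(default, detection, ask, timeout)


# Constructed Endpoint > Execution chain (signer, process and path fields are assumed).
ALLOWLISTED_SIGNERS = {"Microsoft Windows", "Example Corp IT"}
CHAIN = [
    Verdict("binary signed by allowlisted vendor",
            lambda d: d.get("signer") in ALLOWLISTED_SIGNERS, CLOSE, "benign"),
    Verdict("noisy helpdesk agent, tune later",
            lambda d: d["process"] == "helpdesk-agent.exe", SKIP),
    Verdict("unsigned execution from Downloads",
            lambda d: "\\Downloads\\" in d["path"] and not d.get("signer"),
            CHAT_OPS, timeout_severity="malicious", unsure_severity="suspicious"),
]
DEFAULT = Verdict("default: escalate", lambda d: True, NOTIFY, "suspicious")

# Constructed sample detection: the skipped rule matches first, then chat ops applies.
DOWNLOADED_TOOL = {"process": "helpdesk-agent.exe", "user": "jdoe",
                   "path": "C:\\Users\\jdoe\\Downloads\\helpdesk-agent.exe"}

if __name__ == "__main__":
    silent = lambda d, t: None    # user never answers within the window
    print(evaluate(DOWNLOADED_TOOL, CHAIN, DEFAULT, silent))
```

Run as-is, the sample walks past the allowlist rule (no signer), hits the SKIP rule and continues, then lands on the chat ops verdict; because the user never replies, the timeout severity "malicious" applies and both containment actions are returned. Swapping the `ask` callable for one that returns "yes" or "unsure" shows the benign and unsure paths, and passing a default whose action is SKIP is rejected, matching the rule that the default verdict cannot be skipped.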