# Retrieve a detection Endpoint: GET /v1/detections/{id} Version: v1 Security: x-api-key ## Path parameters: - `id` (string, required) Unique identifier for the detection ## Response 200 fields (application/json): - `id` (string) Identifier of the detection Example: "c478966c-f927-411c-b919-179832d3d50c" - `employeeId` (string) Identifier for the employee that triggered the detection. Example: "37cda962-7e78-49bc-8721-1becd16276a3" - `employee` (object) This object represents an employee in your organization. - `employee.id` (string) Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0" - `employee.email` (string) Primary email address of the employee Example: "john.hill@example.com" - `employee.firstName` (string) First name of the employee Example: "John" - `employee.lastName` (string) Last name of the employee Example: "Hill" - `employee.department` (string) Department - as provided by connected API integrations Example: "Security Engineering" - `employee.location` (string) Location - as provided by connected API integrations Example: "New York" - `employee.licensed` (boolean) Whether the employee is licensed on the Push platform Example: true - `employee.creationTimestamp` (integer) When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223 - `employee.chatopsEnabled` (boolean) Whether the employee has ChatOps enabledDeprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true - `browserId` (string) Identifier of the browser that was used when the detection was triggered. Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0" - `severity` (any) The severity of the detection Enum: "LOW", "MEDIUM", "HIGH", "CRITICAL" - `detectionType` (any) The type of detection Enum: "PHISHING", "STOLEN_CREDENTIALS", "BLOCKED_URL", "MALWARE_DELIVERY" - `response` (any) The response for the detection Enum: "BLOCKED", "EMPLOYEE_IGNORED_WARNING", "EMPLOYEE_WARNED", "NOT_BLOCKED" - `creationTimestamp` (integer) When the detection was created. Formatted as a UNIX timestamp (in seconds). Example: 1698604061 - `archived` (boolean) Whether the detection has been archived. Example: true - `classification` (string,null) The classification of the detection. Enum: "TRUE_POSITIVE", "BENIGN_TRUE_POSITIVE", "FALSE_POSITIVE" - `events` (array) The events associated with the detection. - `events.id` (string) Identifier of the detection event. Example: "c478966c-f927-411c-b919-179832d3d50c" - `events.creationTimestamp` (integer) When the event was created. Formatted as a UNIX timestamp (in seconds). Example: 1698604061 - `events.detectionEventType` (any) The type of detection event. Enum: "PHISHING_TOOL_DETECTED", "CLONED_LOGIN_PAGE_DETECTED", "SSO_PASSWORD_USED", "PROTECTED_PASSWORD_ENTERED", "STOLEN_CREDENTIALS", "BLOCKED_URL_VISITED", "MALICIOUS_COPY_PASTE_DETECTED" - `events.accountId` (string,null) Identifier of the account that the detection event is associated with. Example: "37cda962-7e78-49bc-8721-1becd16276a3" - `events.appType` (string,null) The type of app that the detection event is associated with. Example: "PUSH_SECURITY" - `events.phishingToolIndicator` (string,null) Example: "AITM_TOOL_EVILGINX_01" - `events.controlMode` (string,null) All possible ENUM values for control modes. Enum: "INFORM", "ACKNOWLEDGE", "REASON", "BLOCK", "WARN", "MONITOR" - `events.description` (string,null) The description of the detection event. Note: this is subject to change and should not be used to match on this object. Example: "Phishing attempt detected" - `events.clonedLoginPageIndicator` (string,null) Example: "MICROSOFT_01" - `events.response` (any) The response for the detection event. Enum: "BLOCKED", "EMPLOYEE_IGNORED_WARNING", "EMPLOYEE_WARNED", "NOT_BLOCKED" - `events.email` (string,null) The email associated with the account related to the detection event. Example: "john.hill@example.com" - `events.url` (string,null) The URL that the detection event was triggered on. Example: "https://example.com/phishing" - `events.referrerUrl` (string,null) The referrer URL. Example: "https://mail.google.com" - `events.clonedLoginPageUrls` (array,null) The legitimate login page URL that was cloned. Example: ["https://example.com/phishing"] - `events.sourceIpAddress` (string) The source IP address. Example: "8.158.25.38" - `events.metadata` (string) The metadata associated with the detection event. Example: "{\"source_type\": \"Telegram\", \"breach_type\": \"Stealer Malware Logs\", \"breach_publication_date\": \"2025-04-01\"}" - `events.experimental` (boolean) Indicates if this detection event is experimental. ## Response 400 fields