# Push Security Webhooks

## Overview

Configure webhooks for the Push Security platform and receive real-time updates when events occur.

Each webhook event has the following:

* Versioning
* Idempotency key
* Metadata
* New and old objects to show exactly what has changed
* A signature for verifying sender authenticity

## Creating webhooks

To create or manage your webhooks, go to the [Settings](https://pushsecurity.com/app/settings/webhooks) page in the Push admin console.

## Acknowledging an event

Your endpoint has 5 seconds to respond with a `200 OK` (or any other 2xx response). Otherwise, retry behavior will be triggered.

## Retry behavior

Each event will be sent a maximum of 4 times at the following time intervals:

* Immediately
* After 1 minute
* After 5 minutes
* After 15 minutes

If the event is acknowledged within a 5-second window, no more retries will be attempted.

Each retry of the event will have a newly generated `X-Signature`, but the event `id` will be the same for all retries.

## Handling duplicate events

The payload body is JSON-encoded and contains an idempotency key named `id`. If you want to ensure that you handle an event exactly once, store this value and compare it against incoming events. This lets you discard duplicate events that have been delivered more than once.

## Verifying signatures

Each event has a header `X-Signature` which contains 2 parts:

* A UNIX timestamp value `t` (in seconds)
* An HMAC-SHA-256 value `v1`, the payload signature, which you check using the webhook secret you obtained when you created the webhook

Here is an example of how it is formatted:

```
X-Signature: t=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE
```

To calculate and verify the signature, perform the following steps:

1. Parse the `X-Signature` header by splitting it first by `,` and then by `=` to obtain key-value pairs.
2. Store the `t` (timestamp) and `v1` (signature) values in variables.
3. Concatenate the value of `t` (as a string) with a `.` and the JSON request body (in its raw format).
4. Use the HMAC-SHA256 algorithm, keyed with your webhook secret, to compute the hash of the concatenated string.
5. Compare the computed HMAC with the `v1` value from the header to verify the signature.
6. Additionally, check the timestamp (`t`) and compare it to the current time. If the difference is greater than 35 minutes (or your preferred threshold), discard the event to prevent replay attacks.

Example in Python:

```py
import json
import hmac
import hashlib
import time

# Your secret key for the webhook
SECRET_KEY = b'psws_ad9d0bba8260baf774c3821acaff1b7d'

# Example header and request body (you would normally get these from the incoming HTTP request).
# In a real handler, use the raw request body exactly as received; re-serialized JSON may differ byte for byte.
example_header = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE'
example_request_body = json.dumps({"key": "value"})

# Step 1: Parse the header
parsed_header = {}
for element in example_header.split(','):
    key, _, value = element.partition('=')
    parsed_header[key.strip()] = value.strip()

# Step 2: Store 't' and 'v1' values in variables (empty string if a part is missing)
received_t = parsed_header.get('t', '')
received_v1 = parsed_header.get('v1', '')

# Step 3: Concatenate 't' value with '.' and the JSON request body
payload = f"{received_t}.{example_request_body}"

# Step 4: Compute the HMAC using SHA256
computed_hmac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().upper()

# Step 5: Compare the signature in constant time (bytes, so unexpected characters cannot raise)
is_valid = hmac.compare_digest(received_v1.upper().encode(), computed_hmac.encode())

# Step 6: Check the timestamp
if not (received_t.isascii() and received_t.isdigit()):
    is_valid = False
    message = "Timestamp is missing or malformed."
else:
    current_time = int(time.time())
    time_difference = current_time - int(received_t)
    if time_difference > 2100:  # 35 minutes
        is_valid = False
        message = "Timestamp is too old."
    else:
        message = "Signature verified" if is_valid else "Signature mismatch"

print(f"Is the signature valid? {is_valid}. Message: {message}")
```

Example in Node.js:

```js
const crypto = require('crypto');

// Your secret key for the webhook
const SECRET_KEY = 'psws_ad9d0bba8260baf774c3821acaff1b7d';

// Example header and request body (you'd normally get these from the incoming HTTP request).
// In a real handler, use the raw request body exactly as received rather than re-serialized JSON.
const exampleHeader = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE';
const exampleRequestBody = JSON.stringify({ key: 'value' });

// Step 1: Parse the header
const elements = exampleHeader.split(',');
const parsedHeader = {};
elements.forEach((element) => {
  const [key, value] = element.split('=');
  parsedHeader[key] = value;
});

// Step 2: Store 't' and 'v1' values in variables
const receivedT = parsedHeader['t'];
const receivedV1 = parsedHeader['v1'];

// Step 3: Concatenate 't' value with '.' and the JSON request body
const payload = `${receivedT}.${exampleRequestBody}`;

// Step 4: Compute the HMAC using SHA256
const computedHmac = crypto.createHmac('sha256', SECRET_KEY).update(payload).digest('hex');

// Step 5: Compare the signature (timingSafeEqual throws if the lengths differ, so check them first)
const receivedBuffer = Buffer.from(receivedV1 || '', 'hex');
const computedBuffer = Buffer.from(computedHmac, 'hex');
let isValid = receivedBuffer.length === computedBuffer.length &&
  crypto.timingSafeEqual(receivedBuffer, computedBuffer);

// Step 6: Check the timestamp
const currentTime = Math.floor(Date.now() / 1000);
const timeDifference = currentTime - parseInt(receivedT, 10);

let message;
if (Number.isNaN(timeDifference)) {
  isValid = false;
  message = 'Timestamp is missing or malformed.';
} else if (timeDifference > 2100) { // 35 minutes
  isValid = false;
  message = 'Timestamp is too old.';
} else {
  message = isValid ? 'Signature verified' : 'Signature mismatch';
}

console.log(`Is the signature valid? ${isValid}. Message: ${message}`);
```

## Versioning

The payload body is JSON-encoded and contains a value named `version`. You're currently working with version 1 of the Push Security webhooks. Should there be any breaking changes in the future, we'll bump up this version number. If you have any webhooks configured, we'll send you notifications over email about the deprecation date for the older version.
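An added example (not Push Security's code) that combines the retry, duplicate-handling and signature rules from the sections above in one receiver: it verifies the raw body first, then acknowledges a repeated `id` without processing it again. The names `WebhookReceiver` and `compute_v1`, the status codes returned for rejected requests, the in-memory store and the de-duplication lifetime are assumptions of this example.

```python
import hashlib
import hmac
import json
import time

MAX_AGE_SECONDS = 2100                    # 35 minutes, the threshold this page suggests
# Timestamps up to MAX_AGE_SECONDS either side of "now" are accepted below, so one
# signed request stays replayable for at most twice that; remember ids that long.
DEDUP_TTL_SECONDS = 2 * MAX_AGE_SECONDS


def compute_v1(secret: bytes, t: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over "<t>.<raw body>", upper-case hex as in the example header."""
    return hmac.new(secret, t.encode() + b"." + raw_body, hashlib.sha256).hexdigest().upper()


class WebhookReceiver:
    """Hypothetical receiver: verify the signature, then de-duplicate on `id`."""

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock          # injectable so the behaviour can be tested
        self._seen = {}              # event id -> time first accepted (in-memory only)

    def _verify(self, header, raw_body: bytes) -> bool:
        parts = {}
        for element in (header or "").split(","):
            key, _, value = element.partition("=")
            parts[key.strip()] = value.strip()
        t, v1 = parts.get("t", ""), parts.get("v1", "")
        if not (t.isascii() and t.isdigit() and v1):
            return False
        # Stricter than step 6: timestamps too far in the future are rejected too.
        if abs(self._clock() - int(t)) > MAX_AGE_SECONDS:
            return False
        expected = compute_v1(self._secret, t, raw_body)
        return hmac.compare_digest(expected.encode(), v1.upper().encode())

    def handle(self, signature_header, raw_body: bytes):
        """Return (HTTP status to send back, outcome)."""
        if not self._verify(signature_header, raw_body):
            return 401, "rejected"   # non-2xx status is this example's choice
        try:
            event_id = str(json.loads(raw_body)["id"])   # parse only after the MAC checks out
        except (ValueError, KeyError, TypeError):
            return 400, "malformed"
        now = self._clock()
        self._seen = {k: ts for k, ts in self._seen.items()
                      if now - ts <= DEDUP_TTL_SECONDS}
        if event_id in self._seen:
            # A retry carries a new X-Signature but the same id: acknowledge it with
            # a 2xx so retries stop, and skip the processing.
            return 200, "duplicate"
        self._seen[event_id] = now
        return 200, "processed"


if __name__ == "__main__":
    secret = b"constructed-secret"                       # constructed, not a real key
    body = b'{"id": "constructed-event-0001"}'           # constructed sample payload
    now = int(time.time())
    receiver = WebhookReceiver(secret)
    header = f"t={now},v1={compute_v1(secret, str(now), body)}"
    print(receiver.handle(header, body))                 # first delivery
    print(receiver.handle(header, body))                 # same event delivered again
    print(receiver.handle(header, body + b" "))          # body altered after signing
```

In a deployment with more than one worker, the `id` store has to be shared (for example a database table with a unique constraint on `id`), otherwise each worker processes the event once.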
## Custom headers

Some SIEMs or other external systems where you may wish to send Push webhook events require a custom HTTP header for authorization.

You can configure a custom header for webhooks in the Push admin console. Go to **Settings** > **Webhooks** and add a new webhook. You will see a dropdown option for **Custom headers**. Then enter a header key and value.

Note that once your header key and value are entered, you will not be able to view them again, as they may contain secrets.

## Filtering events

You may wish to send only specific types (or categories) of Push webhook events to your receiver.

You can configure this when creating a new webhook in the Push admin console. Go to **Settings** > **Webhooks** and add a new webhook. You will see a dropdown option for **Select events**. Then you can select the specific events, or categories of events, to enable. If you select a category, any new events that are added to that category later (as part of new features released) will also be sent.

Version: v1
License: Commercial

## Servers

```
https://api.pushsecurity.com
```

## Security

### X-Signature

Signature verification

Type: http
Scheme: bearer

## Download OpenAPI description

[Push Security Webhooks](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/_bundle/webhooks-v1.yaml)

## Events

### Login

- [POST login](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/activity/login-event.md)

### App banner

- [POST app-banner](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/app-banner-event.md)

### Browser extension blocked or enabled

- [POST browser-extension-state-enforcement-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/browser-extension-state-enforcement-event.md)

### Blocked URL detection

- [POST blocked-url-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/blocked-url-detection-event.md)

### Malware delivery detection

- [POST malware-delivery-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/malware-delivery-detection-event.md)

### Phishing attack detection

- [POST phishing-attack-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/phishing-detection-event.md)

### Stolen credentials detection

- [POST stolen-credentials-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/stolen-credentials-detection-event.md)

### Account

- [POST account](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/account-event.md)

### Account (Other)

- [POST accounts_other](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/account-other-event.md)

### App

- [POST app](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/app-event.md)

### App (Other)

- [POST apps_other](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/app-other-event.md)

### Browser

- [POST browser](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/browser-event.md)

### Browser Extension

- [POST browser-extension](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/browser-extension-event.md)

### Employee

- [POST employee](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/employee-event.md)

### Finding

- [POST finding](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/finding-event.md)

## Activity

Events representing employee activity.

### Login

- [POST login](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/activity/login-event.md)

## Audit

Audit log events.

### Account login method removed

- [POST account-login-method-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/account-login-method-removed-event.md): A login method for an account has been removed

### Admin accepted invitation

- [POST admin-accepted-invitation](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-accepted-invitation-event.md): A new admin user has accepted the invitation.

### Admin enabled MFA

- [POST admin-enabled-mfa](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-enabled-mfa-event.md): An admin user has enabled MFA for their account.

### Admin exported data

- [POST admin-exported-data](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-exported-data-event.md): An admin user has exported data.

### Admin loaded data

- [POST admin-loaded-data](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-loaded-data-event.md): An admin user has loaded data.
  Note: this event will only be emitted if extended admin audit logging is enabled.

### Admin logged in

- [POST admin-logged-in](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-logged-in-event.md): An admin user has logged in.

### Admin removed

- [POST admin-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-removed-event.md): An admin user has been removed.

### Admin role updated

- [POST admin-role-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-role-updated-event.md): An admin user has updated another user's role.

### API key added

- [POST api-key-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/api-key-added-event.md): An admin user has added a new API Key.

### API key removed

- [POST api-key-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/api-key-removed-event.md): An admin user has removed an API Key.

### App approval status updated

- [POST app-approval-status-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-approval-status-updated-event.md): The approval status of an app has been updated

### App labels added

- [POST app-labels-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-labels-added-event.md): A set of labels has been added to one or more apps.

### App labels removed

- [POST app-labels-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-labels-removed-event.md): A set of labels has been removed from one or more apps.

### App notes updated

- [POST app-notes-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-notes-updated-event.md): The notes of an app have been updated

### App owner ID updated

- [POST app-owner-id-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-owner-id-updated-event.md): The owner ID of an app has been updated

### App sensitivity level updated

- [POST app-sensitivity-level-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-sensitivity-level-updated-event.md): The sensitivity level of an app has been updated

### Auto-licensing toggled

- [POST auto-licensing-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/auto-licensing-toggled-event.md): An admin user has toggled the auto-licensing setting.

### Auto-unlicensing configuration updated

- [POST automatic-unlicensing-configuration-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/automatic-unlicensing-configuration-updated-event.md): An admin user updated the automatic unlicensing configuration.

### Blocked URLs added

- [POST blocked-urls-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/blocked-urls-added-event.md): A set of URLs has been added to the URL blocking configuration.

### Blocked URLs removed

- [POST blocked-urls-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/blocked-urls-removed-event.md): A set of URLs has been removed from the URL blocking configuration.

### Blocked URLs URL schema obfuscation toggled

- [POST blocked-urls-url-schema-obfuscation-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/blocked-urls-url-schema-obfuscation-toggled-event.md): The URL schema obfuscation setting for blocked URLs has been toggled.

### Browser extension enumeration toggled

- [POST browser-extension-enumeration-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/browser-extension-enumeration-toggled-event.md): An admin user has enabled or disabled browser extension enumeration.

### Cloned login page detection ignored domains added

- [POST cloned-login-page-detection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/cloned-login-page-detection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the Cloned login page detection feature.

### Cloned login page detection ignored domains removed

- [POST cloned-login-page-detection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/cloned-login-page-detection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the Cloned login page detection feature.

### Control rule added

- [POST control-rule-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-added-event.md): An admin user has added a new control rule.

### Control rule updated

- [POST control-rule-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-updated-event.md): An admin user has updated a control rule.

### Control rule removed

- [POST control-rule-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-removed-event.md): An admin user has removed a control rule.

### Control rule toggled

- [POST control-rule-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-toggled-event.md): An admin user has enabled or disabled a control rule.

### Control rule reordered

- [POST control-rule-reordered](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-reordered-event.md): An admin user has reordered a new control rule.

### Custom login URL added

- [POST custom-login-url-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/custom-login-url-added-event.md): A custom login URL has been added for an app.

### Custom login URL removed

- [POST custom-login-url-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/custom-login-url-removed-event.md): A custom login URL has been removed for an app.

### Data retention configuration updated

- [POST data-retention-configuration-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/data-retention-configuration-updated-event.md): An admin user updated the data retention configuration.

### Detection archive status updated

- [POST detection-archived](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/detection-archive-status-updated-event.md): The archive status of a detection has been updated

### Detection classification updated

- [POST detection-classification-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/detection-classification-updated-event.md): The classification of a detection has been updated

### Detection screenshots toggled

- [POST detection-screenshots-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/detection-screenshots-toggled-event.md): An admin user has enabled or disabled detection screenshots.

### Domain enrichment toggled

- [POST domain-enrichment-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/domain-enrichment-toggled-event.md): An admin user has enabled or disabled domain enrichment.

### Employees added to group

- [POST employee-added-to-group](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employees-added-to-group-event.md): An admin user has added one or more employees to a group.

### Employee disabled extension

- [POST employee-disabled-extension](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-disabled-extension-event.md): An employee has temporarily disabled the Push extension for a specific domain.

### Excluded extension domains added

- [POST excluded-extension-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/excluded-extension-domains-added-event.md): A set of domains have been added to the list of excluded browser extension domains to monitor.

### Extended audit logging toggled

- [POST extended-audit-logs-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/extended-audit-logs-toggled-event.md): An admin user has enabled or disabled extended audit logging.

### Excluded extension domains removed

- [POST excluded-extension-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/excluded-extension-domains-removed-event.md): A set of domains have been removed from the list of excluded browser extension domains to monitor.

### Employee email updated

- [POST employee-email-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-email-updated-event.md): An admin user has updated the primary email of an employee.

### Employee name updated

- [POST employee-name-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-name-updated-event.md): An admin user has updated the first name and/or last name of an employee.

### Employee removed from group

- [POST employee-removed-from-group](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-removed-from-group-event.md): An admin user removed an employee from a group.

### Employees merged

- [POST employees-merged](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employees-merged-event.md): An admin user has merged a list of employees.

### Employees unmerged

- [POST employees-unmerged](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employees-unmerged-event.md): An admin user has unmerged one of the emails of an employee into a new employee.

### Integration added

- [POST integration-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/integration-added-event.md): A new integration has been added.

### Integration completed

- [POST integration-completed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/integration-completed-event.md): An integration has been successfully completed.

### Integration removed

- [POST integration-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/integration-removed-event.md): An integration has been removed.

### Label updated

- [POST label-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/label-updated-event.md): A label has been updated.

### Label removed

- [POST label-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/label-removed-event.md): A label has been removed.

### Leaked password check toggled

- [POST leaked-password-check-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/leaked-password-check-toggled-event.md): An admin user has toggled the leaked password check.

### License assigned

- [POST license-assigned](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/license-assigned-event.md): One or more employees have been assigned a license.

### License removed

- [POST license-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/license-removed-event.md): The license has been removed from one or more employees.

### Malicious copy paste detection ignored domains added

- [POST malicious-copy-paste-detection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/malicious-copy-paste-detection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the malicious copy and paste detection feature.

### Malicious copy paste detection ignored domains removed

- [POST malicious-copy-paste-detection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/malicious-copy-paste-detection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the malicious copy and paste detection feature.

### MFA tracking exclusions updated

- [POST mfa-tracking-exclusions-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/mfa-tracking-exclusions-updated.md): The MFA tracking exclusions list has been updated

### Monitor all domains toggled

- [POST monitor-all-domains-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/monitor-all-domains-toggled-event.md): An admin user has toggled the "Monitor all domains" setting.

### Monitored domains added

- [POST monitored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/monitored-domains-added-event.md): A set of domains have been added to the list of monitored company domains.

### Monitored domains removed

- [POST monitored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/monitored-domains-removed-event.md): A set of domains have been removed from the list of monitored company domains.

### Password protection URL masking toggled

- [POST password-protection-hide-urls-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-hide-urls-toggled-event.md): An admin user has toggled the password protection URL masking setting.

### Password protection ignore work apps toggled

- [POST password-protection-ignore-work-apps-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-ignore-work-apps-toggled-event.md): An admin user has toggled the "Ignore work apps" setting of the password protection feature.

### Password protection ignored domains added

- [POST password-protection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the password protection feature.

### Password protection ignored domains removed

- [POST password-protection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the password protection feature.

### Phishing tool detection ignored domains added

- [POST phishing-tool-detection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the Phishing tool detection feature.

### Phishing tool detection ignored domains removed

- [POST phishing-tool-detection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the Phishing tool detection feature.

### Reused password exceptions updated

- [POST reused-password-finding-exceptions-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/reused-password-exceptions-updated.md): The reused password exceptions list has been updated

### SAML SSO added

- [POST saml-sso-added-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/saml-sso-added-event.md): A SAML SSO connection has been added.

### SAML SSO completed

- [POST saml-sso-completed-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/saml-sso-completed-event.md): A SAML SSO connection has been successfully set up and enabled.

### SAML SSO default role updated

- [POST saml-sso-default-role-updated-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/saml-sso-default-role-updated-event.md): An admin updated the SAML SSO default role.

### Session theft domains added

- [POST session-theft-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/session-theft-domains-added-event.md): A set of domains have been added to the list of domains in which the session theft marker is injected.

### Session theft domains removed

- [POST session-theft-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/session-theft-domains-removed-event.md): A set of domains have been removed from the list of domains in which the session theft marker is injected.

### Session theft marker rotated

- [POST session-theft-marker-rotated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/session-theft-marker-rotated-event.md): An admin user has rotated the session theft marker.

### Stolen credentials added

- [POST stolen-credentials-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/stolen-credentials-added-event.md): A set of stolen credentials have been added.

### Stolen credentials removed

- [POST stolen-credentials-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/stolen-credentials-removed-event.md): A set of stolen credentials have been removed.

### Stolen credentials mode updated

- [POST stolen-credentials-mode-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/stolen-credentials-mode-updated-event.md): An admin user has updated the mode of the stolen credentials feature.

### Unsupported app support requested

- [POST unsupported-app-support-requested](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/unsupported-app-support-requested-event.md): Support for an unsupported app has been requested.

### Unsupported app support request cancelled

- [POST unsupported-app-support-request-cancelled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/unsupported-app-support-request-cancelled-event.md): Support request for an unsupported app has been cancelled.

### URL block page updated

- [POST url-block-page-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/url-block-page-updated-event.md): An admin user updated the contents of the page shown when access to a URL is blocked by the URL blocking control.

### Weak password custom words added

- [POST weak-password-custom-words-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/weak-password-custom-words-added-event.md): An admin user has added custom words to the weak password check.

### Weak password custom words removed

- [POST weak-password-custom-words-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/weak-password-custom-words-removed-event.md): An admin user has removed custom words from the weak password check.

### Webhook added

- [POST webhook-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/webhook-added-event.md): An admin user has configured a new webhook URL.

### Webhook removed

- [POST webhook-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/webhook-removed-event.md): An admin user has removed a webhook URL.

### App banner configured (deprecated)

- [POST app-banner-configured](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-banner-configured-event.md): An app banner was configured.

### App banner enabled (deprecated)

- [POST app-banner-enabled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-banner-enabled-event.md): An app banner was enabled or disabled.

### MFA enforcement apps updated (deprecated)

- [POST mfa-enforcement-apps-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/mfa-enforcement-apps-updated-event.md): An admin user has updated which apps the MFA enforcement control is enabled for.

### MFA enforcement settings updated (deprecated)

- [POST mfa-enforcement-settings-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/mfa-enforcement-settings-updated-event.md): An admin user has updated the MFA enforcement control settings.

### Phishing tool detection page updated (deprecated)

- [POST phishing-tool-detection-page-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-page-updated-event.md): An admin user has updated the page settings of the Phishing tool detection feature.

### Phishing tool detection mode updated (deprecated)

- [POST phishing-tool-detection-mode-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-mode-updated-event.md): An admin user has updated the mode of the Phishing tool detection feature.

### SSO password protection ignored domains added (deprecated)

- [POST sso-password-protection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the SSO password protection feature.

### SSO password protection ignored domains removed (deprecated)

- [POST sso-password-protection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the SSO password protection feature.

### SSO password protection ignore work apps toggled (deprecated)

- [POST sso-password-protection-ignore-work-apps-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-ignore-work-apps-toggled-event.md): An admin user has toggled the "Ignore work apps" setting of the SSO password protection feature.

### SSO password protection mode updated (deprecated) - [POST sso-password-protection-mode-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-mode-updated-event.md): An admin user has updated the mode of the SSO password protection feature. ### SSO password protection page updated (deprecated) - [POST sso-password-protection-page-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-page-updated-event.md): An admin user has updated the page settings of the SSO password protection feature. ### SSO password protection URL masking toggled (deprecated) - [POST sso-password-protection-url-masking-toggled-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-url-masking-toggled-event.md): An admin user has toggled the password protection URL masking setting. ## Admin ### Account login method removed - [POST account-login-method-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/account-login-method-removed-event.md): A login method for an account has been removed ### Admin accepted invitation - [POST admin-accepted-invitation](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-accepted-invitation-event.md): A new admin user has accepted the invitation. ### Admin enabled MFA - [POST admin-enabled-mfa](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-enabled-mfa-event.md): An admin user has enabled MFA for their account. ### Admin exported data - [POST admin-exported-data](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-exported-data-event.md): An admin user has exported data. 
### Admin loaded data - [POST admin-loaded-data](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-loaded-data-event.md): An admin user has loaded data. Note: this event will only be emitted if extended admin audit logging is enabled. ### Admin logged in - [POST admin-logged-in](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-logged-in-event.md): An admin user has logged in. ### Admin removed - [POST admin-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-removed-event.md): An admin user has been removed. ### Admin role updated - [POST admin-role-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/admin-role-updated-event.md): An admin user has updated another user's role. ### API key added - [POST api-key-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/api-key-added-event.md): An admin user has added a new API Key. ### API key removed - [POST api-key-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/api-key-removed-event.md): An admin user has removed an API Key. ### App approval status updated - [POST app-approval-status-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-approval-status-updated-event.md): The approval status of an app has been updated. ### App labels added - [POST app-labels-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-labels-added-event.md): A set of labels has been added to one or more apps. ### App labels removed - [POST app-labels-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-labels-removed-event.md): A set of labels has been removed from one or more apps. 
### App notes updated - [POST app-notes-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-notes-updated-event.md): The notes of an app have been updated ### App owner ID updated - [POST app-owner-id-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-owner-id-updated-event.md): The owner ID of an app has been updated ### App sensitivity level updated - [POST app-sensitivity-level-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-sensitivity-level-updated-event.md): The sensitivity level of an app has been updated ### Auto-licensing toggled - [POST auto-licensing-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/auto-licensing-toggled-event.md): An admin user has toggled the auto-licensing setting. ### Auto-unlicensing configuration updated - [POST automatic-unlicensing-configuration-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/automatic-unlicensing-configuration-updated-event.md): An admin user updated the automatic unlicensing configuration. ### Blocked URLs added - [POST blocked-urls-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/blocked-urls-added-event.md): A set of URLs has been added to the URL blocking configuration. ### Blocked URLs removed - [POST blocked-urls-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/blocked-urls-removed-event.md): A set of URLs has been removed from the URL blocking configuration. ### Blocked URLs URL schema obfuscation toggled - [POST blocked-urls-url-schema-obfuscation-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/blocked-urls-url-schema-obfuscation-toggled-event.md): The URL schema obfuscation setting for blocked URLs has been toggled. 
### Browser extension enumeration toggled - [POST browser-extension-enumeration-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/browser-extension-enumeration-toggled-event.md): An admin user has enabled or disabled browser extension enumeration. ### Cloned login page detection ignored domains added - [POST cloned-login-page-detection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/cloned-login-page-detection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the Cloned login page detection feature. ### Cloned login page detection ignored domains removed - [POST cloned-login-page-detection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/cloned-login-page-detection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the Cloned login page detection feature. ### Control rule added - [POST control-rule-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-added-event.md): An admin user has added a new control rule. ### Control rule updated - [POST control-rule-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-updated-event.md): An admin user has updated a control rule. ### Control rule removed - [POST control-rule-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-removed-event.md): An admin user has removed a control rule. ### Control rule toggled - [POST control-rule-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-toggled-event.md): An admin user has enabled or disabled a control rule. 
### Control rule reordered - [POST control-rule-reordered](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/control-rule-reordered-event.md): An admin user has reordered a new control rule. ### Custom login URL added - [POST custom-login-url-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/custom-login-url-added-event.md): A custom login URL has been added for an app. ### Custom login URL removed - [POST custom-login-url-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/custom-login-url-removed-event.md): A custom login URL has been removed for an app. ### Data retention configuration updated - [POST data-retention-configuration-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/data-retention-configuration-updated-event.md): An admin user updated the data retention configuration. ### Detection archive status updated - [POST detection-archived](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/detection-archive-status-updated-event.md): The archive status of a detection has been updated ### Detection classification updated - [POST detection-classification-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/detection-classification-updated-event.md): The classification of a detection has been updated ### Detection screenshots toggled - [POST detection-screenshots-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/detection-screenshots-toggled-event.md): An admin user has enabled or disabled detection screenshots. ### Domain enrichment toggled - [POST domain-enrichment-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/domain-enrichment-toggled-event.md): An admin user has enabled or disabled domain enrichment. 
### Employees added to group - [POST employee-added-to-group](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employees-added-to-group-event.md): An admin user has added one or more employees to a group. ### Employee disabled extension - [POST employee-disabled-extension](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-disabled-extension-event.md): An employee has temporarily disabled the Push extension for a specific domain. ### Excluded extension domains added - [POST excluded-extension-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/excluded-extension-domains-added-event.md): A set of domains have been added to the list of excluded browser extension domains to monitor. ### Extended audit logging toggled - [POST extended-audit-logs-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/extended-audit-logs-toggled-event.md): An admin user has enabled or disabled extended audit logging. ### Excluded extension domains removed - [POST excluded-extension-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/excluded-extension-domains-removed-event.md): A set of domains have been removed from the list of excluded browser extension domains to monitor. ### Employee email updated - [POST employee-email-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-email-updated-event.md): An admin user has updated the primary email of an employee. ### Employee name updated - [POST employee-name-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-name-updated-event.md): An admin user has updated the first name and/or last name of an employee. 
### Employee removed from group - [POST employee-removed-from-group](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employee-removed-from-group-event.md): An admin user removed an employee from a group. ### Employees merged - [POST employees-merged](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employees-merged-event.md): An admin user has merged a list of employees. ### Employees unmerged - [POST employees-unmerged](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/employees-unmerged-event.md): An admin user has unmerged one of the emails of an employee into a new employee. ### Integration added - [POST integration-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/integration-added-event.md): A new integration has been added. ### Integration completed - [POST integration-completed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/integration-completed-event.md): An integration has been successfully completed. ### Integration removed - [POST integration-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/integration-removed-event.md): An integration has been removed. ### Label updated - [POST label-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/label-updated-event.md): A label has been updated. ### Label removed - [POST label-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/label-removed-event.md): A label has been removed. ### Leaked password check toggled - [POST leaked-password-check-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/leaked-password-check-toggled-event.md): An admin user has toggled the leaked password check. 
### License assigned - [POST license-assigned](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/license-assigned-event.md): One or more employees have been assigned a license. ### License removed - [POST license-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/license-removed-event.md): The license has been removed from one or more employees. ### Malicious copy paste detection ignored domains added - [POST malicious-copy-paste-detection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/malicious-copy-paste-detection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the malicious copy and paste detection feature. ### Malicious copy paste detection ignored domains removed - [POST malicious-copy-paste-detection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/malicious-copy-paste-detection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the malicious copy and paste detection feature. ### MFA tracking exclusions updated - [POST mfa-tracking-exclusions-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/mfa-tracking-exclusions-updated.md): The MFA tracking exclusions list has been updated ### Monitor all domains toggled - [POST monitor-all-domains-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/monitor-all-domains-toggled-event.md): An admin user has toggled the "Monitor all domains" setting. ### Monitored domains added - [POST monitored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/monitored-domains-added-event.md): A set of domains have been added to the list of monitored company domains. 
### Monitored domains removed - [POST monitored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/monitored-domains-removed-event.md): A set of domains have been removed from the list of monitored company domains. ### Password protection URL masking toggled - [POST password-protection-hide-urls-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-hide-urls-toggled-event.md): An admin user has toggled the password protection URL masking setting. ### Password protection ignore work apps toggled - [POST password-protection-ignore-work-apps-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-ignore-work-apps-toggled-event.md): An admin user has toggled the "Ignore work apps" setting of the password protection feature. ### Password protection ignored domains added - [POST password-protection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the password protection feature. ### Password protection ignored domains removed - [POST password-protection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/password-protection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the password protection feature. ### Phishing tool detection ignored domains added - [POST phishing-tool-detection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the Phishing tool detection feature. 
### Phishing tool detection ignored domains removed - [POST phishing-tool-detection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the Phishing tool detection feature. ### Reused password exceptions updated - [POST reused-password-finding-exceptions-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/reused-password-exceptions-updated.md): The reused password exceptions list has been updated. ### SAML SSO added - [POST saml-sso-added-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/saml-sso-added-event.md): A SAML SSO connection has been added. ### SAML SSO completed - [POST saml-sso-completed-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/saml-sso-completed-event.md): A SAML SSO connection has been successfully set up and enabled. ### SAML SSO default role updated - [POST saml-sso-default-role-updated-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/saml-sso-default-role-updated-event.md): An admin updated the SAML SSO default role. ### Session theft domains added - [POST session-theft-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/session-theft-domains-added-event.md): A set of domains have been added to the list of domains in which the session theft marker is injected. ### Session theft domains removed - [POST session-theft-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/session-theft-domains-removed-event.md): A set of domains have been removed from the list of domains in which the session theft marker is injected. 
### Session theft marker rotated - [POST session-theft-marker-rotated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/session-theft-marker-rotated-event.md): An admin user has rotated the session theft marker. ### Stolen credentials added - [POST stolen-credentials-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/stolen-credentials-added-event.md): A set of stolen credentials have been added. ### Stolen credentials removed - [POST stolen-credentials-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/stolen-credentials-removed-event.md): A set of stolen credentials have been removed. ### Stolen credentials mode updated - [POST stolen-credentials-mode-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/stolen-credentials-mode-updated-event.md): An admin user has updated the mode of the stolen credentials feature. ### Unsupported app support requested - [POST unsupported-app-support-requested](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/unsupported-app-support-requested-event.md): Support for an unsupported app has been requested. ### Unsupported app support request cancelled - [POST unsupported-app-support-request-cancelled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/unsupported-app-support-request-cancelled-event.md): Support request for an unsupported app has been cancelled. ### URL block page updated - [POST url-block-page-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/url-block-page-updated-event.md): An admin user updated the contents of the page shown when access to a URL is blocked by the URL blocking control. 
### Weak password custom words added - [POST weak-password-custom-words-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/weak-password-custom-words-added-event.md): An admin user has added custom words to the weak password check. ### Weak password custom words removed - [POST weak-password-custom-words-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/weak-password-custom-words-removed-event.md): An admin user has removed custom words from the weak password check. ### Webhook added - [POST webhook-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/webhook-added-event.md): An admin user has configured a new webhook URL. ### Webhook removed - [POST webhook-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/webhook-removed-event.md): An admin user has removed a webhook URL. ### App banner configured (deprecated) - [POST app-banner-configured](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-banner-configured-event.md): An app banner was configured. ### App banner enabled (deprecated) - [POST app-banner-enabled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/app-banner-enabled-event.md): An app banner was enabled or disabled. ### MFA enforcement apps updated (deprecated) - [POST mfa-enforcement-apps-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/mfa-enforcement-apps-updated-event.md): An admin user has updated which apps the MFA enforcement control is enabled for. ### MFA enforcement settings updated (deprecated) - [POST mfa-enforcement-settings-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/mfa-enforcement-settings-updated-event.md): An admin user has updated the MFA enforcement control settings. 
### Phishing tool detection page updated (deprecated) - [POST phishing-tool-detection-page-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-page-updated-event.md): An admin user has updated the page settings of the Phishing tool detection feature. ### Phishing tool detection mode updated (deprecated) - [POST phishing-tool-detection-mode-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/phishing-tool-detection-mode-updated-event.md): An admin user has updated the mode of the Phishing tool detection feature. ### SSO password protection ignored domains added (deprecated) - [POST sso-password-protection-ignored-domains-added](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-ignored-domains-added-event.md): A set of domains have been added to the list of ignored domains for the SSO password protection feature. ### SSO password protection ignored domains removed (deprecated) - [POST sso-password-protection-ignored-domains-removed](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-ignored-domains-removed-event.md): A set of domains have been removed from the list of ignored domains for the SSO password protection feature. ### SSO password protection ignore work apps toggled (deprecated) - [POST sso-password-protection-ignore-work-apps-toggled](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-ignore-work-apps-toggled-event.md): An admin user has toggled the "Ignore work apps" setting of the SSO password protection feature. 
### SSO password protection mode updated (deprecated) - [POST sso-password-protection-mode-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-mode-updated-event.md): An admin user has updated the mode of the SSO password protection feature. ### SSO password protection page updated (deprecated) - [POST sso-password-protection-page-updated](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-page-updated-event.md): An admin user has updated the page settings of the SSO password protection feature. ### SSO password protection URL masking toggled (deprecated) - [POST sso-password-protection-url-masking-toggled-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/audit/sso-password-protection-url-masking-toggled-event.md): An admin user has toggled the password protection URL masking setting. ## Controls Events related to any of the control features. 
### App banner - [POST app-banner](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/app-banner-event.md) ### Blocked URL visited - [POST blocked-url-visited](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/blocked-url-visited-event.md) ### Browser extension blocked or enabled - [POST browser-extension-state-enforcement-event](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/browser-extension-state-enforcement-event.md) ### Cloned login page detected - [POST cloned-login-page-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/cloned-login-page-detected-event.md) ### Malicious copy and paste detected - [POST malicious-copy-paste-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/malicious-copy-paste-detected-event.md) ### MFA enforcement event - [POST mfa-enforcement](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/mfa-enforcement-event.md) ### Phishing tool detected - [POST phishing-tool-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/phishing-tool-detected-event.md) ### Protected password entered - [POST protected-password-entered](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/protected-password-entered-event.md) ### Stolen credentials detected - [POST stolen-credentials-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/stolen-credentials-detected.md) ### Strong password enforcement event - [POST strong-password-enforcement](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/strong-password-enforcement-event.md) 
### SSO password used (deprecated) - [POST phishing](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/sso-password-used-event.md) ## URL blocking Events related to the URL blocking feature. ### Blocked URL visited - [POST blocked-url-visited](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/blocked-url-visited-event.md) ## Cloned Login Page Detection ### Cloned login page detected - [POST cloned-login-page-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/cloned-login-page-detected-event.md) ## Malware Delivery ### Malicious copy and paste detected - [POST malicious-copy-paste-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/malicious-copy-paste-detected-event.md) ## MFA Enforcement ### MFA enforcement event - [POST mfa-enforcement](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/mfa-enforcement-event.md) ## Phishing Tools Detection Events related to the phishing tools detection feature. 
### Phishing tool detected - [POST phishing-tool-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/phishing-tool-detected-event.md) ## Password Protection ### Protected password entered - [POST protected-password-entered](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/protected-password-entered-event.md) ## Stolen credentials detected ### Stolen credentials detected - [POST stolen-credentials-detected](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/stolen-credentials-detected.md) ## Strong Password Enforcement ### Strong password enforcement event - [POST strong-password-enforcement](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/strong-password-enforcement-event.md) ## SSO Password Protection Events related to the SSO password protection feature. ### SSO password used (deprecated) - [POST phishing](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/controls/sso-password-used-event.md) ## Detections ### Blocked URL detection - [POST blocked-url-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/blocked-url-detection-event.md) ### Malware delivery detection - [POST malware-delivery-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/malware-delivery-detection-event.md) ### Phishing attack detection - [POST phishing-attack-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/phishing-detection-event.md) ### Stolen credentials detection - [POST stolen-credentials-detection](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/detections/stolen-credentials-detection-event.md) ## Entities Events representing CRUD operations on entities. 
### Account - [POST account](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/account-event.md) ### Account (Other) - [POST accounts_other](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/account-other-event.md) ### App - [POST app](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/app-event.md) ### App (Other) - [POST apps_other](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/app-other-event.md) ### Browser - [POST browser](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/browser-event.md) ### Browser Extension - [POST browser-extension](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/browser-extension-event.md) ### Employee - [POST employee](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/employee-event.md) ### Finding - [POST finding](https://push-security-prd-ba8f0f76-a2d2-42f5-aea2-d421.redocly.app/webhooks-v1/entities/finding-event.md)