# Cloned login page detected Endpoint: POST cloned-login-page-detected Version: v1 Security: X-Signature ## Header parameters: - `X-Signature` (string, required) Example: "X-Signature: t=1492774577,v1=5257a869..." ## Request fields (application/json): - `version` (string) The version of the event. Example: "1" - `id` (string) The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" - `timestamp` (integer) When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 - `category` (string) The category of the event. Enum: "CONTROL" - `description` (string) The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "john@company.com visited https://evil.com/okta.php which is a clone of a Okta login page" - `object` (string) The object that was created. Enum: "CLONED_LOGIN_PAGE_DETECTED" - `friendlyName` (string) The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Cloned login page detected" - `new` (object) This object represents a cloned login page detected event. - `new.employee` (object) This object represents an employee in your organization. - `new.employee.id` (string) Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0" - `new.employee.email` (string) Primary email address of the employee Example: "john.hill@example.com" - `new.employee.firstName` (string) First name of the employee Example: "John" - `new.employee.lastName` (string) Last name of the employee Example: "Hill" - `new.employee.department` (string) Department - as provided by connected API integrations Example: "Security Engineering" - `new.employee.location` (string) Location - as provided by connected API integrations Example: "New York" - `new.employee.licensed` (boolean) Whether the employee is licensed on the Push platform Example: true - `new.employee.creationTimestamp` (integer) When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223 - `new.employee.chatopsEnabled` (boolean) Whether the employee has ChatOps enabledDeprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true - `new.mode` (string,null) Mode that the cloned login page detection control is in. Enum: "OFF", "MONITOR", "WARN", "BLOCK" - `new.clonedLoginPageType` (string) The type of login page that was cloned Example: "OKTA" - `new.clonedLoginPageUrls` (array) The legitimate login page URL that was cloned. Example: ["https://login.okta.com"] - `new.url` (string) The URL that triggered this detection. Example: "https://evil.com/okta.php" - `new.referrerUrl` (string,null) The URL the user was on before the cloned login page was detected Example: "https://statics.teams.cdn.office.net/" - `new.sourceIpAddress` (string) The IP address of the user. Example: "8.158.25.38" - `new.browser` (any) The browser used by the employee Enum: "CHROME", "FIREFOX", "EDGE", "SAFARI", "OPERA", "BRAVE", "ARC", "ISLAND", "PRISMA_ACCESS", "UNKNOWN" - `new.os` (any) The OS used by the employee Enum: "MACOS", "WINDOWS", "LINUX", "CHROME_OS", "IOS", "ANDROID", "UNKNOWN" - `new.userAgent` (string) The user agent string reported by the browser Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299" - `new.action` (string,null) The action that the user took while on the cloned login detection page. Enum: "DISPLAYED", "IGNORED" - `new.indicator` (string) The indicator that was used to detect the cloned login page. Example: "INDICATOR_01" ## Response 2XX fields