# Phishing tool detected

Endpoint: POST phishing-tool-detected
Version: v1
Security: X-Signature

## Header parameters:

  - `X-Signature` (string, required)
    Example: "X-Signature: t=1492774577,v1=5257a869..."

## Request fields (application/json):

  - `version` (string)
    The version of the event.
    Example: "1"

  - `id` (string)
    The unique identifier for the event. This can be used as an idempotency key.
    Example: "c478966c-f927-411c-b919-179832d3d50c"

  - `timestamp` (integer)
    When the event occurred, formatted as a UNIX timestamp (in seconds).
    Example: 1698604061

  - `category` (string)
    The category of the event.
    Enum: "CONTROL"

  - `description` (string)
    The description of the event. Note: this is subject to change and should not be used to match on this object.
    Example: "user@example.com visited https://phishing.com"

  - `object` (string)
    The object that was created.
    Enum: "PHISHING_TOOL_DETECTED"

  - `friendlyName` (string)
    The friendly name of this object. Note: this is subject to change and should not be used to match on this object.
    Example: "Phishing tool detected"

  - `new` (object)
    This object represents a phishing tool detected event.

  - `new.employee` (object)
    This object represents an employee in your organization.

  - `new.employee.id` (string)
    Unique identifier for the employee
    Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

  - `new.employee.email` (string)
    Primary email address of the employee
    Example: "john.hill@example.com"

  - `new.employee.firstName` (string)
    First name of the employee
    Example: "John"

  - `new.employee.lastName` (string)
    Last name of the employee
    Example: "Hill"

  - `new.employee.department` (string)
    Department - as provided by connected API integrations
    Example: "Security Engineering"

  - `new.employee.location` (string)
    Location - as provided by connected API integrations
    Example: "New York"

  - `new.employee.licensed` (boolean)
    Whether the employee is licensed on the Push platform
    Example: true

  - `new.employee.creationTimestamp` (integer)
    When this employee was created, formatted as a UNIX timestamp (in seconds)
    Example: 1698669223

  - `new.employee.chatopsEnabled` (boolean)
    Whether the employee has ChatOps enabledDeprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version.
    Example: true

  - `new.indicator` (string)
    Example: "AITM_TOOL_EVILGINX_01"

  - `new.url` (string)
    The URL the phishing tool was detected on
    Example: "https://evil.com/okta.php"

  - `new.referrerUrl` (string,null)
    The URL the user was on before the phishing tool was detected
    Example: "https://statics.teams.cdn.office.net/"

  - `new.sourceIpAddress` (string)
    The IP address of the user.
    Example: "8.158.25.38"

  - `new.browser` (any)
    The browser used by the employee
    Enum: "CHROME", "FIREFOX", "EDGE", "SAFARI", "OPERA", "BRAVE", "ARC", "ISLAND", "PRISMA_ACCESS", "UNKNOWN"

  - `new.os` (any)
    The OS used by the employee
    Enum: "MACOS", "WINDOWS", "LINUX", "CHROME_OS", "IOS", "ANDROID", "UNKNOWN"

  - `new.userAgent` (string)
    The user agent string reported by the browser
    Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"

  - `new.mode` (string,null)
    Mode that the phishing tool detection control is in.
    Enum: "OFF", "MONITOR", "WARN", "BLOCK"

  - `new.action` (string,null)
    The action that the user took while on the phishing tool detection page.
    Enum: "DISPLAYED", "IGNORED"


## Response 2XX fields