# Stolen credentials detection

Endpoint: POST stolen-credentials-detection
Version: v1
Security: X-Signature

## Header parameters:

- `X-Signature` (string, required)
  Example: "X-Signature: t=1492774577,v1=5257a869..."

## Request fields (application/json):

- `version` (string)
  The version of the event.
  Example: "1"

- `id` (string)
  The unique identifier for the event. This can be used as an idempotency key.
  Example: "c478966c-f927-411c-b919-179832d3d50c"

- `timestamp` (integer)
  When the event occurred, formatted as a UNIX timestamp (in seconds).
  Example: 1698604061

- `category` (string)
  The category of the event.
  Enum: "DETECTION"

- `description` (string)
  The description of the event. Note: this is subject to change and should not be used to match on this object.
  Example: "user@example.com triggered a new stolen credentials detection"

- `type` (string)
  The type of event that occurred.
  Enum: "CREATE", "UPDATE", "DELETE"

- `object` (string)
  The object that was created.
  Example: "STOLEN_CREDENTIALS"

- `friendlyName` (string)
  The friendly name of this object. Note: this is subject to change and should not be used to match on this object.
  Example: "Stolen credentials"

- `new` (object)
  This object represents a detection event, indicating an employee has triggered an alert.

- `new.id` (string)
  Identifier of the detection
  Example: "c478966c-f927-411c-b919-179832d3d50c"

- `new.employeeId` (string)
  Identifier for the employee that triggered the event.
  Example: "37cda962-7e78-49bc-8721-1becd16276a3"

- `new.employee` (object)
  This object represents an employee in your organization.

- `new.employee.id` (string)
  Unique identifier for the employee
  Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

- `new.employee.email` (string)
  Primary email address of the employee
  Example: "john.hill@example.com"

- `new.employee.firstName` (string)
  First name of the employee
  Example: "John"

- `new.employee.lastName` (string)
  Last name of the employee
  Example: "Hill"

- `new.employee.department` (string)
  Department - as provided by connected API integrations
  Example: "Security Engineering"

- `new.employee.location` (string)
  Location - as provided by connected API integrations
  Example: "New York"

- `new.employee.licensed` (boolean)
  Whether the employee is licensed on the Push platform
  Example: true

- `new.employee.creationTimestamp` (integer)
  When this employee was created, formatted as a UNIX timestamp (in seconds)
  Example: 1698669223

- `new.employee.chatopsEnabled` (boolean)
  Whether the employee has ChatOps enabled.
  Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version.
  Example: true

- `new.browserId` (string)
  Identifier of the browser that was used when the event was triggered.
  Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

- `new.severity` (any)
  The severity of the detection
  Enum: "LOW", "MEDIUM", "HIGH", "CRITICAL"

- `new.detectionType` (any)
  The type of detection
  Enum: "PHISHING", "STOLEN_CREDENTIALS", "BLOCKED_URL", "MALWARE_DELIVERY"

- `new.detectionLink` (string)
  Link to the detection.
  Example: "https://pushsecurity.com/app/detections?id=c478966c-f927-411c-b919-179832d3d50c"

- `new.response` (any)
  The response for the detection
  Enum: "BLOCKED", "EMPLOYEE_IGNORED_WARNING", "EMPLOYEE_WARNED", "NOT_BLOCKED"

- `new.creationTimestamp` (integer)
  When the detection was created. Formatted as a UNIX timestamp (in seconds).
  Example: 1698604061

- `new.lastActivityTimestamp` (integer)
  When the detection was last active. Formatted as a UNIX timestamp (in seconds).
  Example: 1698604061

- `new.archived` (boolean)
  Whether the detection has been archived.
  Example: true

- `new.classification` (string,null)
  The classification of the detection.
  Enum: "TRUE_POSITIVE", "BENIGN_TRUE_POSITIVE", "FALSE_POSITIVE"

- `new.events` (array)

- `new.events.id` (string)
  Identifier of the detection event.
  Example: "c478966c-f927-411c-b919-179832d3d50c"

- `new.events.creationTimestamp` (integer)
  When the event was created. Formatted as a UNIX timestamp (in seconds).
  Example: 1698604061

- `new.events.detectionEventType` (any)
  The type of detection event.
  Enum: "PHISHING_TOOL_DETECTED", "CLONED_LOGIN_PAGE_DETECTED", "SSO_PASSWORD_USED", "PROTECTED_PASSWORD_ENTERED", "STOLEN_CREDENTIALS", "BLOCKED_URL_VISITED", "MALICIOUS_COPY_PASTE_DETECTED"

- `new.events.accountId` (string,null)
  Identifier of the account that the detection event is associated with.
  Example: "37cda962-7e78-49bc-8721-1becd16276a3"

- `new.events.appType` (string,null)
  The type of app that the detection event is associated with.
  Example: "PUSH_SECURITY"

- `new.events.phishingToolIndicator` (string,null)
  Example: "AITM_TOOL_EVILGINX_01"

- `new.events.controlMode` (string,null)
  All possible ENUM values for control modes.
  Enum: "INFORM", "ACKNOWLEDGE", "REASON", "BLOCK", "WARN", "MONITOR"

- `new.events.description` (string,null)
  The description of the detection event. Note: this is subject to change and should not be used to match on this object.
  Example: "Phishing attempt detected"

- `new.events.clonedLoginPageIndicator` (string,null)
  Example: "MICROSOFT_01"

- `new.events.response` (any)
  The response for the detection event.
  Enum: "BLOCKED", "EMPLOYEE_IGNORED_WARNING", "EMPLOYEE_WARNED", "NOT_BLOCKED"

- `new.events.email` (string,null)
  The email associated with the account related to the detection event.
  Example: "john.hill@example.com"

- `new.events.url` (string,null)
  The URL that the detection event was triggered on.
  Example: "https://example.com/phishing"

- `new.events.referrerUrl` (string,null)
  The referrer URL.
  Example: "https://mail.google.com"

- `new.events.clonedLoginPageUrls` (array,null)
  The legitimate login page URL that was cloned.
  Example: ["https://example.com/phishing"]

- `new.events.sourceIpAddress` (string)
  The source IP address.
  Example: "8.158.25.38"

- `new.events.metadata` (string)
  The metadata associated with the detection event.
  Example: "{\"source_type\": \"Telegram\", \"breach_type\": \"Stealer Malware Logs\", \"breach_publication_date\": \"2025-04-01\"}"

- `new.events.experimental` (boolean)
  Indicates if this detection event is experimental.

- `old` (object)
  This object represents a detection event, indicating an employee has triggered an alert.

## Response 2XX fields
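
A consumer-side handler for the request body documented above, as an added example that is not part of the original reference or the vendor's code: it deduplicates on `id`, routes on the enum fields instead of `description`, and decodes the string-encoded `new.events.metadata`. The `triage` function, the `seen` store, the `escalate` policy and the fallback to `old` are assumptions made for illustration; verify `X-Signature` before calling a handler like this.

```python
import json

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}  # `new.severity` enum


def triage(raw_body, seen):
    """Normalize one webhook body; return None for duplicates or other event kinds.

    `seen` is a set of processed event ids (hypothetical; use a durable store in production).
    """
    event = json.loads(raw_body)
    # Route on stable enum fields, never on `description` or `friendlyName`.
    if event.get("category") != "DETECTION" or event.get("object") != "STOLEN_CREDENTIALS":
        return None
    if event["id"] in seen:  # `id` is the idempotency key: drop redeliveries
        return None
    seen.add(event["id"])
    # Assumption: a DELETE event may carry only `old`, so fall back to it.
    detection = event.get("new") or event.get("old") or {}
    breaches = []
    for ev in detection.get("events") or []:
        if ev.get("detectionEventType") != "STOLEN_CREDENTIALS":
            continue
        try:  # `metadata` is a JSON document encoded as a string
            meta = json.loads(ev.get("metadata") or "{}")
        except json.JSONDecodeError:
            meta = {}
        if not isinstance(meta, dict):
            meta = {}
        breaches.append({"email": ev.get("email"),  # nullable per the field list
                         "source_type": meta.get("source_type"),
                         "breach_type": meta.get("breach_type")})
    severity = detection.get("severity")
    return {
        "event_id": event["id"],
        "action": event.get("type"),
        "employee_email": (detection.get("employee") or {}).get("email"),
        "severity": severity,
        # Hypothetical policy: escalate HIGH and above; unknown values do not escalate.
        "escalate": SEVERITY_RANK.get(severity, -1) >= SEVERITY_RANK["HIGH"],
        "breaches": breaches,
    }


# Constructed sample body using example values from the field list above.
SAMPLE = json.dumps({
    "version": "1", "id": "c478966c-f927-411c-b919-179832d3d50c",
    "category": "DETECTION", "type": "CREATE", "object": "STOLEN_CREDENTIALS",
    "new": {"severity": "HIGH", "employee": {"email": "john.hill@example.com"},
            "events": [{"detectionEventType": "STOLEN_CREDENTIALS", "email": None,
                        "metadata": "{\"source_type\": \"Telegram\", "
                                    "\"breach_type\": \"Stealer Malware Logs\"}"}]},
}).encode()
```
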