Custom detections, file download telemetry, and more
What’s new this month
Custom detections
File download telemetry
Prevent password entry into non-password fields
Expansion of Events window to 30 days
Create your own custom detections
You can now write your own detections using Push’s real-time detection engine to target specific elements of the page DOM, web requests and responses, HTTP headers such as cookies, and a lot more.
Rules are written in YAML in the Push admin console. You can define a response action (e.g. Warn or Block) and customize the end-user message, similar to other Push controls.
Example use cases:
Detect a specific IOC or TTP for campaigns targeting your organization.
Partner with your red team to detect custom tooling during pen testing.
Alert on specific user behaviors on webpages that point to risk or violate policy.
Block unauthorized MCP connections.
Stream telemetry on file download events
You can now consume a feed of file download events into your SIEM or SOAR. These events report file metadata, such as file name, download URLs, and MIME type, as well as whether the download was considered unsafe.
Events are generated not only for traditional network-based downloads but also for files constructed in the browser, such as those downloaded via blob or data URLs.
You can enable this feed for all employees, employee groups, or specific individuals; and for all profiles, profiles logged in with a company domain, or profiles logged in with a non-company domain. Go to Settings > Telemetry > File downloads to configure it.
Next, we’ll be adding a control that allows you to implement a policy around which downloads are permitted from where, so you can block unwanted or potentially malicious files directly at the point of download.
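As an added example (not Push's code or event schema), here is one way a SIEM-side job could triage file download events using the metadata described above. The field names `file_name`, `url`, `mime_type` and `unsafe`, the MIME table and the reason labels are assumptions for illustration, and the events are constructed samples.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample events. Field names are assumed for this example;
# map them to the real event schema before adapting the logic.
SAMPLE_EVENTS = [
    {"file_name": "report.pdf", "url": "https://files.example.com/report.pdf",
     "mime_type": "application/pdf", "unsafe": False},
    {"file_name": "invoice.pdf", "url": "blob:https://portal.example.net/6f1c",
     "mime_type": "application/x-msdownload", "unsafe": False},
    {"file_name": "update.zip", "url": "data:application/zip;base64,AAAA",
     "mime_type": "application/zip", "unsafe": False},
    {"file_name": "setup.exe", "url": "https://cdn.example.org/setup.exe",
     "mime_type": "application/x-msdownload", "unsafe": True},
]

# MIME types expected for a few extensions (illustrative, not exhaustive).
EXPECTED_MIME = {
    ".pdf": {"application/pdf"},
    ".zip": {"application/zip", "application/x-zip-compressed"},
    ".exe": {"application/x-msdownload", "application/octet-stream"},
}


def triage(event):
    """Return a sorted list of reasons this download event deserves review."""
    reasons = []
    if event.get("unsafe"):
        reasons.append("flagged-unsafe")
    # blob: and data: URLs mean the file was assembled inside the browser,
    # so no network proxy or gateway ever saw it as a download.
    scheme = urlsplit(event.get("url", "")).scheme.lower()
    if scheme in ("blob", "data"):
        reasons.append("browser-constructed")
    # Compare the file extension with the reported MIME type.
    ext = posixpath.splitext(event.get("file_name", "").lower())[1]
    mime = event.get("mime_type", "").split(";")[0].strip().lower()
    expected = EXPECTED_MIME.get(ext)
    if expected is not None and mime not in expected:
        reasons.append("extension-mime-mismatch")
    return sorted(reasons)


def flagged(events):
    """Map file name -> reasons for every event with at least one reason."""
    return {e["file_name"]: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_EVENTS).items():
        print(name, reasons)
```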
Prevent password entry into non-password fields
You can prevent users from mistakenly entering their password into non-password fields such as username or email fields when they’re signing in to the app that password is associated with.
You may wish to prevent the entry of passwords into non-password fields particularly for core applications like your identity provider. By blocking incorrect password entry, you can avoid inadvertently recording passwords in your app logs, which can introduce security risk.

Events page now displays up to 30 days of data
We’ve expanded the storage window for events viewable on the Push admin console Events page to assist with quick triage. It is now 30 days, instead of 7.
As before, we recommend ingesting Push events into your SIEM for longer-term storage, querying, and correlation.
