How do I configure browser event storage?
To allow Push to perform detections for emerging threats and improve existing detections, you will need to configure Browser event storage on the Settings page of the Push admin console.
Go to Settings > Telemetry > Browser event storage to enable the setting. You can opt to enable it for all users, or begin with a test group of users by creating a configuration rule. You can also exclude specific user groups or individuals from metadata collection if you wish.
When you enable this setting, the Push extension will collect additional forms of metadata (e.g. browser events) and store those locally in the user’s browser. Browser event metadata is stored locally for 14 days. You can opt to store events for up to 30 days or for shorter periods of time. This metadata is only ever sent to and processed by Push when a suspicious event is identified.
Note: Push does not collect actual content or inputted values, only metadata such as page XML structure, cookie names (but not values), etc.
Because metadata is stored locally in the browser sandbox, you might notice an increase in disk usage — an estimated 250MB per active browser profile per day, based on regular browser usage. The browser sandbox enforces limits on space usage so that the disk can never become full.
When Push identifies a suspicious event — usually a new attack type not previously observed and therefore not identified by existing detections — the metadata collected in customer environments is used to pinpoint the tactics, techniques and procedures (TTPs) involved. Once a suspicious event is confirmed, Push will raise a detection with the event type of THREAT_DETECTION on the Detections page for any impacted customers. Note that these detections do not block end-user activity and are Monitor mode only.
This type of detection can also identify suspicious activity retroactively. This means that you may see previously unidentified issues raised as detections.