How does Push assign a severity level to detections?

On the Detections page in the Push admin console, you’ll see a severity level for individual detections. These levels are automatically assigned based on the context for a specific detection:

  • Low: The incident was blocked by Push.

  • Medium: The incident was detected, but the security control was configured in Warn mode; administrators should investigate further.

  • High: The incident was detected, but the security control was either in Monitor mode, or in Warn mode and the employee ignored the warning; in other words, the incident was not blocked by Push.

  • Critical: The incident was detected but not blocked by Push, and the employee entered their password into the suspicious page.

Note that for the security control URL blocking, the outcome of an incident will always be a block from Push, so the severity of blocked URL detections will always be Low.

For the security control Stolen credential detection, there is no corresponding blocking action for a detected stolen credential in use by an employee. The severity will therefore be Critical if the credential is being used on an app marked as highly sensitive, and High for all other app categories.