How does Push assign a severity level to detections?
On the Detections page in the Push admin console, you’ll see a severity level for each individual detection. These levels are assigned automatically based on the context of the specific detection:
Low: The incident was blocked by Push.
Medium: The incident was detected but the security control was configured in Warn mode and administrators should investigate further.
High: The incident was detected but the security control was either in Monitor mode or in Warn mode and the employee ignored the warning; in other words, the incident was not blocked by Push.
Critical: The incident was detected but not blocked by Push and the employee entered their password into the suspicious page.
Note that for the URL blocking security control, the outcome of an incident is always a block by Push, so blocked URL detections are always assigned Low severity.
For the Stolen credential detection security control, there is no corresponding blocking action when an employee is detected using a stolen credential, so the severity is Critical if the credential is being used on an app marked as highly sensitive, and High for all other app categories.
For the Malicious browser extension detection control, the severity level is derived from Push's assessment of the browser extension's risk and from how the control is configured (for example, which mode it is in). For example:
High: A high-risk extension is still enabled on a browser in your environment. For example, if the control is in Monitor mode and detects a high-risk known-bad extension that was already installed.
Medium: A medium-risk extension is still enabled on a browser in your environment (e.g. the control is in Monitor mode); or a high-risk extension was found installed in your environment and was disabled by the control.
Low: A known-bad extension of any risk level was blocked from being installed (e.g. the control is in Block mode); or a low-risk known-bad extension is still enabled on a browser in your environment (e.g. the control is in Monitor mode).
Examples of high-risk extensions include session and credential stealers, extensions that deliver malware, and crypto hijacking. Examples of medium-risk extensions include those that perform ad or affiliate fraud, which harms the end user but does not target the company. Low-risk extensions are those that are implicated in a broader ecosystem of malicious activity, have been transferred to a suspicious new owner, or show other signals of becoming a threat.
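The rules above (the four-level Block/Warn/Monitor scheme, the URL blocking and Stolen credential special cases, and the extension risk matrix) are the kind of logic a security team ends up re-implementing when normalizing Push detections into a SIEM or ticketing queue. The following is an added example, not Push's own code: it encodes the documented rules as a single `severity_for` function and a `triage_order` helper that sorts detections highest-severity first. The `Detection` fields, the control name strings and the enums are assumptions made for this illustration, and combinations the text does not define (for example, a medium-risk extension disabled by the control) raise rather than guess.

```python
"""Added example encoding Push's documented severity rules as a triage helper.
Not Push's code; field names, control strings and enums are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    BLOCK = "block"
    WARN = "warn"
    MONITOR = "monitor"


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class ExtensionOutcome(Enum):
    BLOCKED_INSTALL = "blocked_install"          # install prevented (Block mode)
    DISABLED_BY_CONTROL = "disabled_by_control"  # found installed, then disabled
    STILL_ENABLED = "still_enabled"              # found installed, left running


@dataclass
class Detection:
    """Constructed detection record; the field names are hypothetical."""
    control: str                        # "url_blocking", "stolen_credential",
                                        # "malicious_extension", or any mode-based control
    mode: Optional[Mode] = None
    blocked: bool = False               # Push stopped the incident
    warning_ignored: bool = False       # Warn mode and the employee clicked through
    password_entered: bool = False      # employee submitted a password on the page
    app_highly_sensitive: bool = False  # stolen credential used on a highly sensitive app
    extension_risk: Optional[str] = None            # "high" | "medium" | "low"
    extension_outcome: Optional[ExtensionOutcome] = None


def severity_for(d: Detection) -> Severity:
    """Map one detection to its severity using the rules in the text."""
    if d.control == "url_blocking":
        # URL blocking always blocks, so every detection is Low.
        return Severity.LOW
    if d.control == "stolen_credential":
        # No blocking action exists; the app's sensitivity decides.
        return Severity.CRITICAL if d.app_highly_sensitive else Severity.HIGH
    if d.control == "malicious_extension":
        return _extension_severity(d)
    return _mode_based_severity(d)


def _mode_based_severity(d: Detection) -> Severity:
    """Four-level scheme for controls that run in Block, Warn or Monitor mode."""
    if d.blocked:
        return Severity.LOW
    if d.password_entered:
        # Not blocked, and the employee entered their password on the page.
        return Severity.CRITICAL
    if d.mode is Mode.MONITOR or (d.mode is Mode.WARN and d.warning_ignored):
        return Severity.HIGH
    if d.mode is Mode.WARN:
        return Severity.MEDIUM
    raise ValueError(f"combination not covered by the documented rules: {d}")


def _extension_severity(d: Detection) -> Severity:
    """Risk level crossed with what the control did about the extension."""
    still_enabled = {"high": Severity.HIGH, "medium": Severity.MEDIUM, "low": Severity.LOW}
    if d.extension_outcome is ExtensionOutcome.BLOCKED_INSTALL:
        return Severity.LOW  # any risk level, blocked at install time
    if d.extension_outcome is ExtensionOutcome.STILL_ENABLED and d.extension_risk in still_enabled:
        return still_enabled[d.extension_risk]
    if d.extension_outcome is ExtensionOutcome.DISABLED_BY_CONTROL and d.extension_risk == "high":
        return Severity.MEDIUM
    raise ValueError(f"combination not covered by the documented rules: {d}")


def triage_order(detections: List[Detection]) -> List[Detection]:
    """Highest severity first, so Critical rows reach an analyst before Low ones."""
    return sorted(detections, key=lambda d: severity_for(d).value, reverse=True)


if __name__ == "__main__":
    # Constructed sample queue, one detection per rule branch.
    queue = [
        Detection("url_blocking", Mode.BLOCK, blocked=True),
        Detection("phishing_page", Mode.WARN),
        Detection("phishing_page", Mode.MONITOR, password_entered=True),
        Detection("stolen_credential", app_highly_sensitive=True),
        Detection("malicious_extension", Mode.MONITOR, extension_risk="high",
                  extension_outcome=ExtensionOutcome.DISABLED_BY_CONTROL),
    ]
    for det in triage_order(queue):
        print(f"{severity_for(det).name:8} {det.control}")
```

`triage_order` relies on `sorted` being stable, so detections of equal severity keep their original (typically chronological) order. The `ValueError` branches are deliberate: a severity mapper that silently defaults undefined combinations to Low would hide exactly the detections an analyst most needs to see.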