Push Security Webhooks (v1)

Download OpenAPI specification:Download

support: support@pushsecurity.com URL: https://pushsecurity.com/contact/ License: Commercial Terms of Service

Overview

Configure webhooks for the Push Security platform and receive real-time updates when events occur.

Each webhook event has the following:

Versioning
Idempotency key
Metadata
New and old objects to show exactly what has changed
A signature for verifying sender authenticity

Acknowledging an event

Your endpoint has 5 seconds to respond with a 200 OK (or any other 2xx response). Otherwise, retry behavior will be triggered.

Retry behavior

Each event will be sent a maximum of 4 times at the following time intervals:

Immediately
After 1 minute
After 5 minutes
After 25 minutes

If the event is acknowledged within a 5-second window, no more retries will be attempted.

Each retry of the event will have a newly generated X-Signature, but the event id will be the same for all retries.

Handling duplicate events

The payload body is JSON-encoded and contains an idempotency key named id. If you want to ensure that you handle an event exactly once, please store this value and compare it against incoming events. This can be used to discard duplicate events that have been delivered more than once.

Verifying signatures

Each event has a header X-Signature which contains 2 parts:

A UNIX timestamp value t (in seconds)
An HMAC-SHA-256 value v1 which contains the payload signature to check using your webhook secret obtained at the time you created it

Here is an example of how it is formatted:

X-Signature: t=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE

To calculate and verify the signature, perform the following steps:

Parse the X-Signature header by splitting it first by , and then by = to obtain key-value pairs.
Store the t (timestamp) and v1 (signature) values in variables.
Concatenate the value of t (as a string) with a . and the JSON request body (in its raw format).
Use the HMAC-SHA256 algorithm to compute the hash of the concatenated string.
Compare the computed HMAC with the v1 value from the header to verify the signature.
Additionally, check the timestamp (t) and compare it to the current time. If the difference is bigger than 35 mins (or your preferable threshold) you should discard the event to avoid replay attacks.

Example in Python:

import json
import hmac
import hashlib
import time

# Your secret key for the webhook
SECRET_KEY = b'psws_ad9d0bba8260baf774c3821acaff1b7d'

# Example header and request body (you would normally get these from the incoming HTTP request)
example_header = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE'
example_request_body = json.dumps({"key": "value"})

# Step 1: Parse the header
elements = example_header.split(',')
parsed_header = {}
for element in elements:
    key, value = element.split('=')
    parsed_header[key] = value

# Step 2: Store 't' and 'v1' values in variables
received_t = parsed_header.get('t')
received_v1 = parsed_header.get('v1')

# Step 3: Concatenate 't' value with '.' and the JSON request body
payload = f"{received_t}.{example_request_body}"

# Step 4: Compute the HMAC using SHA256
computed_hmac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().upper()

# Step 5: Compare the signature
is_valid = hmac.compare_digest(received_v1, computed_hmac)

# Step 6: Check the timestamp
current_time = int(time.time())
time_difference = current_time - int(received_t)
if time_difference > 2100:  # 35 minutes
    is_valid = False
    message = "Timestamp is too old."
else:
    message = "Signature verified" if is_valid else "Signature mismatch"

print(f"Is the signature valid? {is_valid}. Message: {message}")

Example in Node.js:

const crypto = require('crypto');

// Your secret key for the webhook
const SECRET_KEY = 'psws_ad9d0bba8260baf774c3821acaff1b7d';

// Example header and request body (you'd normally get these from the incoming HTTP request)
const exampleHeader = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE';
const exampleRequestBody = JSON.stringify({ key: 'value' });

// Step 1: Parse the header
const elements = exampleHeader.split(',');
const parsedHeader = {};
elements.forEach((element) => {
  const [key, value] = element.split('=');
  parsedHeader[key] = value;
});

// Step 2: Store 't' and 'v1' values in variables
const receivedT = parsedHeader['t'];
const receivedV1 = parsedHeader['v1'];

// Step 3: Concatenate 't' value with '.' and the JSON request body
const payload = `${receivedT}.${exampleRequestBody}`;

// Step 4: Compute the HMAC using SHA256
const computedHmac = crypto.createHmac('sha256', SECRET_KEY).update(payload).digest('hex');

// Step 5: Compare the signature
const isValid = crypto.timingSafeEqual(Buffer.from(receivedV1, 'hex'), Buffer.from(computedHmac, 'hex'));

// Step 6: Check the timestamp
const currentTime = Math.floor(Date.now() / 1000);
const timeDifference = currentTime - parseInt(receivedT, 10);
let message;

if (timeDifference > 2100) {  // 35 minutes
  isValid = false;
  message = 'Timestamp is too old.';
} else {
  message = isValid ? 'Signature verified' : 'Signature mismatch';
}

console.log(`Is the signature valid? ${isValid}. Message: ${message}`);

Versioning

The payload body is JSON-encoded and contains a value named version. You're currently working with version 1 of the Push Security webhooks. Should there be any breaking changes in the future, we'll bump up this version number. If you have any webhooks configured, we'll send you notifications over email about the deprecation date for the older version.

Custom headers

If you need any custom headers configured on your webhook that are required by the receiver, please contact support or reach out to your account representative.

Entities

Events representing CRUD operations on entities.

AccountWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An account was created, updated or deleted.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

string

The category of the event.

Value: "ENTITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "employee@example.com on Google Workspace updated"

type

string

The type of event that occurred.

Enum: "CREATE" "UPDATE" "DELETE"

object

string

The object that was created, updated or deleted.

Value: "ACCOUNT"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Account"

object (Account)

This object represents an account in your organization.

string

Unique identifier for the account

Example: "d6a32ba5-0532-4a66-8137-48cdf409c972"

employeeId

string

Identifier of primary employee that this account belongs to

Example: "72d0347a-2663-4ef5-b1c5-df39163f1603"

appType

string

The app associated with this account

Example: "ATLASSIAN"

appId

string

The ID of the app associated with this account

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

string <email>

The email address used to log into the account

Example: "john.hill@example.com"

mfaRegistered

boolean or null

Whether MFA is registered or not. If unknown, null is provided.

Example: true

mfaMethods

Array of strings or null (MfaMethodsType)

The MFA methods registered for this account

Enum Value	Description
APP_TOTP	Time-based one-time password via app
PUSH_NOTIFICATION	Authentication prompt on device
EMAIL_OTP	One-time password sent to email
U2F	Physical security key
HARDWARE_TOTP	Time-based password via hardware token
PHONE_CALL	Voice verification
SMS_OTP	One-time password sent via SMS
APP_PASSWORD	Specialized password for app access
GRID_CARD	Reference card with codes
EXTERNAL_PROVIDER	Third-party authentication service
BACKUP_CODES	Pre-generated one-time codes
WEBAUTHN	Two-factor authentication with biometrics support

passwordId

string or null

Identifier of the password used on this account. The actual password is not sent up by the browser extension and so this is an identifier for it instead. This value is null if password authentication is not used.

Example: "4c13674f-e88a-4411-bfa2-53a70468a898"

object

passwordLogin	boolean Whether or not this account has been logged into with a password Example: true
oidcLogin	string or null The identity provider that was used to do an OIDC login on this account. This is `null` if no OIDC login has been performed. Example: "GOOGLE_WORKSPACE"
samlLogin	string or null The identity provider that was used to do a SAML login on this account. This is `null` if no SAML login has been performed. Example: "OKTA"
oktaSwaLogin	boolean Whether or not this account has been logged into with Okta SWA Example: true
vendorSsoLogin	string or null Whether or not this account has an associated vendor SSO provider. Example: "GOOGLE_WORKSPACE"
fedCmLogin	string or null The identity provider that was used to do a FedCM login on this account. This is `null` if no FedCM login has been performed. Example: "GOOGLE_WORKSPACE"

creationTimestamp

integer

When this account was created, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

lastUsedTimestamp

integer or null

When the account was last used by an employee, formatted as a UNIX timestamp (in seconds)

Example: 1698669168

object (Account)

This object represents an account in your organization.

string

Unique identifier for the account

Example: "d6a32ba5-0532-4a66-8137-48cdf409c972"

employeeId

string

Identifier of primary employee that this account belongs to

Example: "72d0347a-2663-4ef5-b1c5-df39163f1603"

appType

string

The app associated with this account

Example: "ATLASSIAN"

appId

string

The ID of the app associated with this account

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

string <email>

The email address used to log into the account

Example: "john.hill@example.com"

mfaRegistered

boolean or null

Whether MFA is registered or not. If unknown, null is provided.

Example: true

mfaMethods

Array of strings or null (MfaMethodsType)

The MFA methods registered for this account

Enum Value	Description
APP_TOTP	Time-based one-time password via app
PUSH_NOTIFICATION	Authentication prompt on device
EMAIL_OTP	One-time password sent to email
U2F	Physical security key
HARDWARE_TOTP	Time-based password via hardware token
PHONE_CALL	Voice verification
SMS_OTP	One-time password sent via SMS
APP_PASSWORD	Specialized password for app access
GRID_CARD	Reference card with codes
EXTERNAL_PROVIDER	Third-party authentication service
BACKUP_CODES	Pre-generated one-time codes
WEBAUTHN	Two-factor authentication with biometrics support

passwordId

string or null

Example: "4c13674f-e88a-4411-bfa2-53a70468a898"

object

passwordLogin	boolean Whether or not this account has been logged into with a password Example: true
oidcLogin	string or null The identity provider that was used to do an OIDC login on this account. This is `null` if no OIDC login has been performed. Example: "GOOGLE_WORKSPACE"
samlLogin	string or null The identity provider that was used to do a SAML login on this account. This is `null` if no SAML login has been performed. Example: "OKTA"
oktaSwaLogin	boolean Whether or not this account has been logged into with Okta SWA Example: true
vendorSsoLogin	string or null Whether or not this account has an associated vendor SSO provider. Example: "GOOGLE_WORKSPACE"
fedCmLogin	string or null The identity provider that was used to do a FedCM login on this account. This is `null` if no FedCM login has been performed. Example: "GOOGLE_WORKSPACE"

creationTimestamp

integer

When this account was created, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

lastUsedTimestamp

integer or null

When the account was last used by an employee, formatted as a UNIX timestamp (in seconds)

Example: 1698669168

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Account (Other)Webhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An account (Other) was created, updated or deleted.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

type

string

The type of event that occurred.

Enum: "CREATE" "UPDATE" "DELETE"

category

string

The category of the event.

Value: "ENTITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated on other app (c478966c-f927-411c-b919-179832d3d50c)"

object

string

The object that was created, updated or deleted.

Value: "ACCOUNT_OTHER"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Account (Other)"

object (Account (other))

This object represents an account (other) in your organization.

string

Unique identifier for the account

Example: "1009e8cb-497b-49ae-ac87-e083e42078d2"

employeeId

string

Identifier of primary employee that this account belongs to

Example: "72d0347a-2663-4ef5-b1c5-df39163f1603"

otherAppId

string

The ID of the app associated with this account

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

string <email>

The email address used to log into the account

Example: "john.hill@example.com"

object

passwordLogin required	boolean Whether or not this account has been logged into with a password Example: true
oidcLogin required	string or null The identity provider that was used to do an OIDC login on this account. This is `null` if no OIDC login has been performed. Example: "GOOGLE_WORKSPACE"
samlLogin required	string or null The identity provider that was used to do a SAML login on this account. This is `null` if no SAML login has been performed. Example: "OKTA"
fedCmLogin required	string or null The identity provider that was used to do a FedCM login on this account. This is `null` if no FedCM login has been performed. Example: "GOOGLE_WORKSPACE"

creationTimestamp

integer

When the account was first observed, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

lastUsedTimestamp

integer or null

When the account was last used by an employee, formatted as a UNIX timestamp (in seconds)

Example: 1698669168

object (Account (other))

This object represents an account (other) in your organization.

string

Unique identifier for the account

Example: "1009e8cb-497b-49ae-ac87-e083e42078d2"

employeeId

string

Identifier of primary employee that this account belongs to

Example: "72d0347a-2663-4ef5-b1c5-df39163f1603"

otherAppId

string

The ID of the app associated with this account

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

string <email>

The email address used to log into the account

Example: "john.hill@example.com"

object

passwordLogin required	boolean Whether or not this account has been logged into with a password Example: true
oidcLogin required	string or null The identity provider that was used to do an OIDC login on this account. This is `null` if no OIDC login has been performed. Example: "GOOGLE_WORKSPACE"
samlLogin required	string or null The identity provider that was used to do a SAML login on this account. This is `null` if no SAML login has been performed. Example: "OKTA"
fedCmLogin required	string or null The identity provider that was used to do a FedCM login on this account. This is `null` if no FedCM login has been performed. Example: "GOOGLE_WORKSPACE"

creationTimestamp

integer

When the account was first observed, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

lastUsedTimestamp

integer or null

When the account was last used by an employee, formatted as a UNIX timestamp (in seconds)

Example: 1698669168

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

AppWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An app was created, updated or deleted.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

type

string

The type of event that occurred.

Enum: "CREATE" "UPDATE" "DELETE"

category

string

The category of the event.

Value: "ENTITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "Google Workspace first observed"

object

string

The object that was created, updated or deleted.

Value: "APP"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App"

object (App)

This object represents an app in your organization.

string

Unique identifier for this object

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

type

string

The type of app, formatted as an ENUM value.

Example: "ZAPIER"

approvalStatus

string or null (ApprovalStatusType)

Approval status of the app, null if not set

Enum Value	Description
UNDER_REVIEW	The app is under review
APPROVED	The app has been approved
NOT_APPROVED	The app has not been approved

sensitivityLevel

string or null (SensitivityLevelType)

The sensitivity level of the app, null if not set

Enum Value	Description
HIGH	The sensitivity of the app is high
MEDIUM	The sensitivity of the app is medium
LOW	The sensitivity of the app is low

ownerId

string or null

Identifier of the employee who is the owner of this platform

Example: "87569da6-fb7a-4df7-8ce2-246c14044911"

notes

string

Notes recorded on this app (Note - changes to this field do not trigger an UPDATE event)

Example: "Last security audit: 16 January 2023.\n"

creationTimestamp

integer

When the app was first observed, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

object (App)

This object represents an app in your organization.

string

Unique identifier for this object

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

type

string

The type of app, formatted as an ENUM value.

Example: "ZAPIER"

approvalStatus

string or null (ApprovalStatusType)

Approval status of the app, null if not set

Enum Value	Description
UNDER_REVIEW	The app is under review
APPROVED	The app has been approved
NOT_APPROVED	The app has not been approved

sensitivityLevel

string or null (SensitivityLevelType)

The sensitivity level of the app, null if not set

Enum Value	Description
HIGH	The sensitivity of the app is high
MEDIUM	The sensitivity of the app is medium
LOW	The sensitivity of the app is low

ownerId

string or null

Identifier of the employee who is the owner of this platform

Example: "87569da6-fb7a-4df7-8ce2-246c14044911"

notes

string

Notes recorded on this app (Note - changes to this field do not trigger an UPDATE event)

Example: "Last security audit: 16 January 2023.\n"

creationTimestamp

integer

When the app was first observed, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App (Other)Webhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An app (Other) was created, updated or deleted.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

type

string

The type of event that occurred.

Enum: "CREATE" "UPDATE" "DELETE"

category

string

The category of the event.

Value: "ENTITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "app.pushsecurity.com first observed"

object

string

The object that was created, updated or deleted.

Value: "APP_OTHER"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App (Other)"

object (App (Other))

This object represents an app (other) in your organization.

id	string Unique identifier for this object Example: "35603905-ff98-4b7d-8940-eb1906a2bdf6"
domain	string or null Domain the user logged into. This value is null if a OIDC login is used Example: "app.pushsecurity.com"
oauthAppId	string or null ID of the oauth app from the Identity Provider. This value is null if a password login is used. Example: "1234567890"
name	string or null Name of the app. This value is null if a password login is used. Example: "Push Security"
hidden	boolean Whether the app is hidden or not.
requestSupportStatus	string Current request support status of the app Example: "DISCOVERED"
creationTimestamp	integer When the app was first observed, formatted as a UNIX timestamp (in seconds) Example: 1698064423

object (App (Other))

This object represents an app (other) in your organization.

id	string Unique identifier for this object Example: "35603905-ff98-4b7d-8940-eb1906a2bdf6"
domain	string or null Domain the user logged into. This value is null if a OIDC login is used Example: "app.pushsecurity.com"
oauthAppId	string or null ID of the oauth app from the Identity Provider. This value is null if a password login is used. Example: "1234567890"
name	string or null Name of the app. This value is null if a password login is used. Example: "Push Security"
hidden	boolean Whether the app is hidden or not.
requestSupportStatus	string Current request support status of the app Example: "DISCOVERED"
creationTimestamp	integer When the app was first observed, formatted as a UNIX timestamp (in seconds) Example: 1698064423

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

BrowserWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An employee browser was created, updated or deleted.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

type

string

The type of event that occurred.

Enum: "CREATE" "UPDATE" "DELETE"

category

string

The category of the event.

Value: "ENTITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "New browser for user@example.com"

object

string

The object that was created, updated or deleted.

Value: "BROWSER"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Browser"

object (Browser)

This object represents an employee's browser in your organization.

id	string Unique identifier for the browser Example: "1852b6ab-0cca-4c8d-8f14-4905497504ec"
employeeId	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
version	string Version of the browser Example: "125.0.0.0"
tokenType	string Type of enrollment token used Enum: "INDIVIDUAL" "TEAM"
isActive	boolean Whether the browser extension is used by a licensed employee Example: true
browser	any (BrowserType) The browser used by the employee Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"
os	any (OSType) The OS used by the employee Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"
extensionVersion	string Version of the Push extension Example: "1.66.17"
creationTimestamp	integer When this browser object was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223
lastOnlineTimestamp	integer When this browser was last seen, formatted as a UNIX timestamp (in seconds) Example: 1716290202

object (Browser)

This object represents an employee's browser in your organization.

id	string Unique identifier for the browser Example: "1852b6ab-0cca-4c8d-8f14-4905497504ec"
employeeId	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
version	string Version of the browser Example: "125.0.0.0"
tokenType	string Type of enrollment token used Enum: "INDIVIDUAL" "TEAM"
isActive	boolean Whether the browser extension is used by a licensed employee Example: true
browser	any (BrowserType) The browser used by the employee Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"
os	any (OSType) The OS used by the employee Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"
extensionVersion	string Version of the Push extension Example: "1.66.17"
creationTimestamp	integer When this browser object was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223
lastOnlineTimestamp	integer When this browser was last seen, formatted as a UNIX timestamp (in seconds) Example: 1716290202

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

EmployeeWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An employee was created, updated or deleted.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

type

string

The type of event that occurred.

Enum: "CREATE" "UPDATE" "DELETE"

category

string

The category of the event.

Value: "ENTITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "employee@example.com added"

object

string

The object that was created, updated or deleted.

Value: "EMPLOYEE"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Employee"

object or null (Employee)

This object represents an employee in your organization.

id	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
firstName	string First name of the employee Note: changes to this field do not trigger an UPDATE event Example: "John"
lastName	string Last name of the employee Note: changes to this field do not trigger an UPDATE event Example: "Hill"
department	string Department - as provided by connected API integrations Note: changes to this field do not trigger an UPDATE event Example: "Security Engineering"
location	string Location - as provided by connected API integrations Note: changes to this field do not trigger an UPDATE event Example: "New York"
licensed	boolean Whether the employee is licensed on the Push platform Example: true
chatopsEnabled	boolean Deprecated Whether the employee has ChatOps enabled Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true
creationTimestamp	integer When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223

object or null (Employee)

This object represents an employee in your organization.

id	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
firstName	string First name of the employee Note: changes to this field do not trigger an UPDATE event Example: "John"
lastName	string Last name of the employee Note: changes to this field do not trigger an UPDATE event Example: "Hill"
department	string Department - as provided by connected API integrations Note: changes to this field do not trigger an UPDATE event Example: "Security Engineering"
location	string Location - as provided by connected API integrations Note: changes to this field do not trigger an UPDATE event Example: "New York"
licensed	boolean Whether the employee is licensed on the Push platform Example: true
chatopsEnabled	boolean Deprecated Whether the employee has ChatOps enabled Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true
creationTimestamp	integer When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

FindingWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

A finding was created, updated or deleted.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

type

string

The type of event that occurred.

Enum: "CREATE" "UPDATE" "DELETE"

category

string

The category of the event.

Value: "ENTITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "MFA not registered finding observed for user@example.com on Google Workspace"

object

string

The object that was created, updated or deleted.

Value: "FINDING"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Finding"

object (Finding)

This object represents a finding in your organization.

string

Unique identifier for the finding

Example: "d6a32ba5-0532-4a66-8137-48cdf409c972"

type

string (FindingType)

The type of finding

Enum Value	Description
MFA_NOT_REGISTERED	This account does not have MFA.
REUSED_PASSWORD	The password used on the account is being reused.
SHARED_ACCOUNT	The account credentials are being shared with another employee.
UNUSED_THIRD_PARTY_APP	The third-party integration has not been used in 90 days or more.
WEAK_PASSWORD	The password used on the account is weak.
LEAKED_PASSWORD	The password used on the account has been leaked in a data breach.
PASSWORD_MANAGER_NOT_USED	The employee typically uses manually typed passwords, rather than a password manager.
STOLEN_CREDENTIALS	The credentials used on the account have been identified as stolen.

state

string (FindingState)

The state of the finding

Enum Value	Description
OPEN	The finding has been confirmed and is open.
RESOLVED	The finding has been resolved and is no longer an issue.

employeeId

string or null

ID of the employee this finding is linked to, null if finding is not linked to an employee.

Example: "379ac7ea-ff2a-42ef-af37-06d2020dc46a"

passwordId

string or null

ID of the password this finding is linked to, null if finding is not linked to a password.

Example: "c4a045a1-5331-4714-af83-6a361e98960d"

accountId

string or null

ID of the account this finding is linked to, null if finding is not linked to an account.

appType

string or null

The type of app this finding is linked to, null if finding is not linked to an app.

Example: "PUSH_SECURITY"

appId

string or null

ID of the app this finding is linked to, null if finding is not linked to an app.

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

creationTimestamp

integer

When this finding was first observed, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

object (Finding)

This object represents a finding in your organization.

string

Unique identifier for the finding

Example: "d6a32ba5-0532-4a66-8137-48cdf409c972"

type

string (FindingType)

The type of finding

Enum Value	Description
MFA_NOT_REGISTERED	This account does not have MFA.
REUSED_PASSWORD	The password used on the account is being reused.
SHARED_ACCOUNT	The account credentials are being shared with another employee.
UNUSED_THIRD_PARTY_APP	The third-party integration has not been used in 90 days or more.
WEAK_PASSWORD	The password used on the account is weak.
LEAKED_PASSWORD	The password used on the account has been leaked in a data breach.
PASSWORD_MANAGER_NOT_USED	The employee typically uses manually typed passwords, rather than a password manager.
STOLEN_CREDENTIALS	The credentials used on the account have been identified as stolen.

state

string (FindingState)

The state of the finding

Enum Value	Description
OPEN	The finding has been confirmed and is open.
RESOLVED	The finding has been resolved and is no longer an issue.

employeeId

string or null

ID of the employee this finding is linked to, null if finding is not linked to an employee.

Example: "379ac7ea-ff2a-42ef-af37-06d2020dc46a"

passwordId

string or null

ID of the password this finding is linked to, null if finding is not linked to a password.

Example: "c4a045a1-5331-4714-af83-6a361e98960d"

accountId

string or null

ID of the account this finding is linked to, null if finding is not linked to an account.

appType

string or null

The type of app this finding is linked to, null if finding is not linked to an app.

Example: "PUSH_SECURITY"

appId

string or null

ID of the app this finding is linked to, null if finding is not linked to an app.

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

creationTimestamp

integer

When this finding was first observed, formatted as a UNIX timestamp (in seconds)

Example: 1698064423

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Activity

Events representing employee activity.

LoginWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

A login occurred.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

string

The category of the event.

Value: "ACTIVITY"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com logged into https://login.com using a password"

object

string

The object that was created.

Value: "LOGIN"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Login"

object (Login)

This object represents a login event, indicating when an employee accesses an application by logging in.

employeeId

string

Identifier of employee who used this account

Example: "72d0347a-2663-4ef5-b1c5-df39163f1603"

accountId

string or null

Identifier for the account that was logged into. This value is null when workApp=false.

Example: "37cda962-7e78-49bc-8721-1becd16276a3"

appType

string or null

The app associated with this account. This value is null when workApp=false.

Example: "ATLASSIAN"

appId

string or null

The identifier of the app associated with this account. This value is null when workApp=false.

Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"

string <email>

The email address used to log into the account

Example: "john.hill@example.com"

loginTimestamp

integer

When the login occurred. Formatted as a UNIX timestamp (in seconds).

Example: 1698064423

loginUrl

string

The URL where the login took place.

Example: "https://www.example.com/login"

workApp

boolean

Whether the app is recognized as a commonly used work app. Learn more.

Example: true

passwordManuallyTyped

boolean or null

Whether the password was manually typed (or a password manager was used). This value is null if password authentication was not used.

Example: true

passwordManager

string or null

The password manager used to log in. This value is null if a password manager was not detected.

Enum: "ARC_BUILTIN" "BITWARDEN" "BRAVE_BUILTIN" "CHROME_BUILTIN" "CLIPBOARD_PASTE" "DASHLANE" "EDGE_BUILTIN" "FIREFOX_BUILTIN" "KEEPER" "LASTPASS" "OPERA_BUILTIN" "SAFARI_BUILTIN" "OKTA" "ONEPASSWORD" "UNKNOWN"

Example: "ONEPASSWORD"

weakPassword

boolean or null

True if the password used was considered weak. This value is null if password authentication was not used.

Example: true

weakPasswordReasons

Array of strings or null (FindingType)

Reasons a password is weak. This value is null if weakPassword is false or null.

Enum Value	Description
COMPROMISED_HIBP	Password appears in the Have I Been Pwnd database.
COMMON_BASE_WORD	The base word is a derivative of top 10000 most used passwords.
BANNED_BASE_WORD	The password is a derivative of a custom banned word.

leakedPassword

boolean or null

Whether the password used on the account has been leaked in a data breach or not. This value is null if password authentication is not used.

Example: true

loginType

string or null (LoginType)

All possible ENUM values for login types

Enum: "OIDC_LOGIN" "SAML_LOGIN" "PASSWORD_LOGIN" "FEDCM_LOGIN"

identityProvider

string or null

The identity provider used to authenticate. This value is null if password authentication was used.

Example: "OKTA"

sourceIpAddress

string

The IP address of the user logging in.

Example: "8.158.25.38"

browser

any (BrowserType)

The browser used by the employee

Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"

any (OSType)

The OS used by the employee

Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"

userAgent

string

The user agent string reported by the browser

Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"

passwordId

string or null

The identifier of the password used to login. This value is null if password authentication was not used.

Example: "9c816f55-7453-49e5-bc60-6b1b9b38cadc"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Controls

Events related to any of the control features.

App bannerWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An app banner event was detected.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

string

The category of the event.

Value: "CONTROL"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com saw a banner on Google Workspace"

object

string

The object that was created.

Value: "APP_BANNER"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App banner"

object (App banner)

This object represents an app banner event, indicating an employee has interacted with an app banner.

object (Employee)

This object represents an employee in your organization.

id	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
firstName	string First name of the employee Example: "John"
lastName	string Last name of the employee Example: "Hill"
department	string Department - as provided by connected API integrations Example: "Security Engineering"
location	string Location - as provided by connected API integrations Example: "New York"
licensed	boolean Whether the employee is licensed on the Push platform Example: true
chatopsEnabled	boolean Deprecated Whether the employee has ChatOps enabled Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true
groups	Array of strings Groups the employee is in Example: ["engineering","marketing"]
creationTimestamp	integer When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223

appType

string

The app that the banner was configured on.

Example: "OPENAI"

object (App Banner)

This object represents an app banner.

title	string Title of the app banner. Example: "This is a title"
subtext	string Subtext of the app banner. Example: "This is the subtext that supports limited [markdown](https://markdown.org)"
mode	string (AppBannerModeType) All possible ENUM values for app banner modes Enum: "INFORM" "ACKNOWLEDGE" "REASON" "BLOCK"
buttonText	string or null Button text of the app banner. Only applicable when the app banner is in `ACKNOWLEDGE` or `REASON` mode, or is in `BLOCK` mode with `allowReasonSubmission` set to true. Example: "Proceed anyway"
allowReasonSubmission	boolean or null Whether the user is allowed to submit a request to access a blocked page. Only applicable when the app banner is in `BLOCK` mode. Example: false

action

string (AppBannerActionType)

All possible ENUM values for app banner actions

Enum: "ACKNOWLEDGED" "DISPLAYED" "SUBMITTED_REASON"

reason

string or null

Reason provided by the employee for bypassing or requesting access to the app. Applicable when the action is SUBMITTED_REASON.

Example: "I need to access this app for my work."

sourceIpAddress

string

The IP address of the user interacting with the app banner.

Example: "8.158.25.38"

browser

any (BrowserType)

The browser used by the employee

Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"

any (OSType)

The OS used by the employee

Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"

userAgent

string

The user agent string reported by the browser

Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Blocked URL visitedWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

A blocked URL was visited.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

string

The category of the event.

Value: "CONTROL"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com attempted to visit https://blocked.com"

object

string

The object that was created.

Value: "BLOCKED_URL_VISITED"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Blocked URL visited"

object (Blocked URL Visited)

This object represents a blocked URL visited event, indicating an employee tried to visit a URL that has been blocked.

object (Employee)

This object represents an employee in your organization.

id	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
firstName	string First name of the employee Example: "John"
lastName	string Last name of the employee Example: "Hill"
department	string Department - as provided by connected API integrations Example: "Security Engineering"
location	string Location - as provided by connected API integrations Example: "New York"
licensed	boolean Whether the employee is licensed on the Push platform Example: true
chatopsEnabled	boolean Deprecated Whether the employee has ChatOps enabled Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true
groups	Array of strings Groups the employee is in Example: ["engineering","marketing"]
creationTimestamp	integer When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223

url

string

The blocked URL.

Example: "https://example.com/login"

referrerUrl

string or null

The URL the user was on before navigating to the blocked URL.

Example: "https://statics.teams.cdn.office.net/"

sourceIpAddress

string

The IP address of the user.

Example: "8.158.25.38"

browser

any (BrowserType)

The browser used by the employee

Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"

any (OSType)

The OS used by the employee

Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"

userAgent

string

The user agent string reported by the browser.

Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Cloned login page detectedWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

A cloned login page detected event occurred.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

string

The category of the event.

Value: "CONTROL"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "john@company.com visited https://evil.com/okta.php which is a clone of a Okta login page"

object

string

The object that was created.

Value: "CLONED_LOGIN_PAGE_DETECTED"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Cloned login page detected"

object (Cloned login page detected)

This object represents a cloned login page detected event.

object (Employee)

This object represents an employee in your organization.

id	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
firstName	string First name of the employee Example: "John"
lastName	string Last name of the employee Example: "Hill"
department	string Department - as provided by connected API integrations Example: "Security Engineering"
location	string Location - as provided by connected API integrations Example: "New York"
licensed	boolean Whether the employee is licensed on the Push platform Example: true
chatopsEnabled	boolean Deprecated Whether the employee has ChatOps enabled Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true
groups	Array of strings Groups the employee is in Example: ["engineering","marketing"]
creationTimestamp	integer When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223

mode

string

Mode that the cloned login page detection control is in.

Enum: "OFF" "MONITOR"

clonedLoginPageType

string

The type of login page that was cloned

Example: "OKTA"

clonedLoginPageUrls

Array of strings

The legitimate login page URL that was cloned.

Example: ["https://login.okta.com"]

url

string

The URL that triggered this detection.

Example: "https://evil.com/okta.php"

referrerUrl

string or null

The URL the user was on before the cloned login page was detected

Example: "https://statics.teams.cdn.office.net/"

sourceIpAddress

string

The IP address of the user.

Example: "8.158.25.38"

browser

any (BrowserType)

The browser used by the employee

Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"

any (OSType)

The OS used by the employee

Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"

userAgent

string

The user agent string reported by the browser

Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

SSO password usedWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

An SSO password used event occurred.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

string

The category of the event.

Value: "CONTROL"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com ignored warning page"

object

string

The object that was created.

Value: "SSO_PASSWORD_USED"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "SSO password used"

object (SSO Password used)

This object represents an SSO password used event, indicating when an employee has typed a known IdP password into an unknown domain.

object (Employee)

This object represents an employee in your organization.

id	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
firstName	string First name of the employee Example: "John"
lastName	string Last name of the employee Example: "Hill"
department	string Department - as provided by connected API integrations Example: "Security Engineering"
location	string Location - as provided by connected API integrations Example: "New York"
licensed	boolean Whether the employee is licensed on the Push platform Example: true
chatopsEnabled	boolean Deprecated Whether the employee has ChatOps enabled Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true
groups	Array of strings Groups the employee is in Example: ["engineering","marketing"]
creationTimestamp	integer When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223

mode

any (SsoPasswordProtectionModeType)

The mode that SSO password protection is in.

Enum: "BLOCK" "MONITOR" "WARN" "OFF"

action

any (SsoPasswordProtectionActionType)

The action that the user took while on the SSO password protection page.

Enum: "DISPLAYED" "IGNORED"

url

string

The URL the user entered the password into

Example: "https://evil.com/okta.php"

referrerUrl

string or null

The URL the user was on before entering the password

Example: "https://statics.teams.cdn.office.net/"

string <email>

The email address used to log into the account

Example: "john.hill@example.com"

appType

string

The IdP password that was entered

Example: "OKTA"

sourceIpAddress

string

The IP address of the user logging in.

Example: "8.158.25.38"

browser

any (BrowserType)

The browser used by the employee

Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"

any (OSType)

The OS used by the employee

Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"

userAgent

string

The user agent string reported by the browser

Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Phishing tool detectedWebhook

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

A phishing tool detected event occurred.

version

string

The version of the event.

Example: "1"

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

string

The category of the event.

Value: "CONTROL"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com visited https://phishing.com"

object

string

The object that was created.

Value: "PHISHING_TOOL_DETECTED"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Phishing tool detected"

object (Phishing tool detected)

This object represents a phishing tool detected event.

object (Employee)

This object represents an employee in your organization.

id	string Unique identifier for the employee Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
email	string <email> Email address of the employee Example: "john.hill@example.com"
firstName	string First name of the employee Example: "John"
lastName	string Last name of the employee Example: "Hill"
department	string Department - as provided by connected API integrations Example: "Security Engineering"
location	string Location - as provided by connected API integrations Example: "New York"
licensed	boolean Whether the employee is licensed on the Push platform Example: true
chatopsEnabled	boolean Deprecated Whether the employee has ChatOps enabled Deprecation notice: this value no longer does anything unless you still have access to the legacy Employee chat topics functionality on your account. It will be removed in the next API version. Example: true
groups	Array of strings Groups the employee is in Example: ["engineering","marketing"]
creationTimestamp	integer When this employee was created, formatted as a UNIX timestamp (in seconds) Example: 1698669223

indicator

any (PhishingToolDetectedIndicatorType)

The indicator of the phishing tool that was detected.

Enum: "BITM_TOOL_NOVNC_01" "BITM_TOOL_NOVNC_02" "BITM_TOOL_NOVNC_03" "AITM_TOOL_EVILGINX_01" "AITM_TOOL_EVILGINX_02" "AITM_TOOL_EVILGINX_03" "AITM_TOOL_MODLISHKA_01" "AITM_TOOL_MODLISHKA_02" "AITM_TOOL_MURAENA_01" "AITM_TOOL_MURAENA_02"

url

string

The URL the phishing tool was detected on

Example: "https://evil.com/okta.php"

referrerUrl

string or null

The URL the user was on before the phishing tool was detected

Example: "https://statics.teams.cdn.office.net/"

sourceIpAddress

string

The IP address of the user.

Example: "8.158.25.38"

browser

any (BrowserType)

The browser used by the employee

Enum: "CHROME" "FIREFOX" "EDGE" "SAFARI" "OPERA" "BRAVE" "ARC" "UNKNOWN"

any (OSType)

The OS used by the employee

Enum: "MACOS" "WINDOWS" "LINUX" "CHROME_OS" "IOS" "ANDROID" "UNKNOWN"

userAgent

string

The user agent string reported by the browser

Example: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"

mode

string or null

Mode that the phishing tool detection control is in.

Enum: "OFF" "MONITOR" "WARN" "BLOCK"

action

string or null

The action that the user took while on the phishing tool detection page.

Enum: "DISPLAYED" "IGNORED"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Audit

Audit log events.

Account login method removedWebhook

A login method for an account has been removed

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "ACCOUNT_LOGIN_METHOD_REMOVED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

accountId required	string The ID of the account. Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
accountEmail required	string The email address associated with the account. Example: "employee@example.com"
appType required	string The name of the app. Example: "ATLASSIAN"
loginMethod required	string The login method removed from the account. Enum: "USERNAME_PASSWORD" "OKTA_SWA" "OIDC" "SAML" "FEDCM" Example: "OIDC"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed a login method for an account"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Account login method removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Admin accepted invitationWebhook

A new admin user has accepted the invitation.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "ADMIN_ACCEPTED_INVITATION"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

inviter

string

The email address of the admin that sent the invitation.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com joined your team"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Admin accepted invitation"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Admin enabled MFAWebhook

An admin user has enabled MFA for their account.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "ADMIN_ENABLED_MFA"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

method

required

string

The MFA method used.

Value: "APP_TOTP"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com enabled MFA on their Push account"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Admin enabled MFA"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Admin logged inWebhook

An admin user has logged in.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "ADMIN_LOGGED_IN"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com logged into the Push platform"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Admin logged in"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Admin removedWebhook

An admin user has been removed.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "ADMIN_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

target

required

string

The email address of the removed admin user.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed another.user@example.com from your team"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Admin removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

API key addedWebhook

An admin user has added a new API Key.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "API_KEY_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

permissions

required

string

The permissions granted to the API key.

Enum Value	Description
FULL_ACCESS	Allows all request types to all endpoints in the API
READ_ONLY	Allows only GET requests to the API

name

string

A friendly name for the API Key, if one is chosen.

Example: "CI/CD access"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com configured a new API Key"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "API key added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

API key removedWebhook

An admin user has removed an API Key.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "API_KEY_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

name	string A friendly name for the API Key, if one is chosen. Example: "CI/CD access"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed an existing API Key"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "API key removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App approval status updatedWebhook

The approval status of an app has been updated

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "APP_APPROVAL_STATUS_UPDATED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

appId required	string The ID of the app. Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
appType required	string The name of the app. Example: "ATLASSIAN"
approvalStatus required	string or null The approval status of the app after the update.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated the app approval status"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App approval status updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App banner configuredDeprecatedWebhook

An app banner was configured.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "APP_BANNER_CONFIGURED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

title required	string Title of the app banner. Example: "This is a title"
subtext required	string Subtext of the app banner. Example: "This is the subtext that supports limited [markdown](https://markdown.org)"
mode required	string (AppBannerModeType) All possible ENUM values for app banner modes Enum: "INFORM" "ACKNOWLEDGE" "REASON" "BLOCK"
buttonText	string or null Button text of the app banner. Only applicable when the app banner is in `ACKNOWLEDGE` or `REASON` mode, or is in `BLOCK` mode with `allowReasonSubmission` set to true. Example: "Proceed anyway"
allowReasonSubmission	boolean or null Whether the user is allowed to submit a request to access a blocked page. Only applicable when the app banner is in `BLOCK` mode. Example: false

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example assigned licenses to employees"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "License assigned"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App banner enabledDeprecatedWebhook

An app banner was enabled or disabled.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "APP_BANNER_CONFIGURED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

enabled

required

boolean

Whether the app banner is enabled or disabled.

Example: true

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example assigned licenses to employees"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "License assigned"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App labels addedWebhook

A set of labels has been added to one or more apps.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "APP_LABELS_ADDED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

labels required	Array of strings The list of labels added.
apps required	Array of strings The list of apps that the labels were added to.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com added labels to apps"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App labels added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App labels removedWebhook

A set of labels has been removed from one or more apps.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "APP_LABELS_REMOVED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

labels required	Array of strings The list of labels removed.
apps required	Array of strings The list of apps the labels were removed from.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed labels from apps"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App labels removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App notes updatedWebhook

The notes of an app have been updated

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "APP_NOTES_UPDATED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

appId required	string The ID of the app. Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
appType required	string The name of the app. Example: "ATLASSIAN"
notes required	string The notes of the app after the update.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated the app notes"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App notes updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

App sensitivity level updatedWebhook

The sensitivity level of an app has been updated

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "APP_SENSITIVITY_LEVEL_UPDATED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

appId required	string The ID of the app. Example: "2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0"
appType required	string The name of the app. Example: "ATLASSIAN"
sensitivityLevel required	string or null The sensitivity level of the app after the update.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated the app sensitivity level"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "App sensitivity level updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Auto-licensing toggledWebhook

An admin user has toggled the auto-licensing setting.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "AUTO_LICENSING_TOGGLED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

enabled

required

boolean

Whether the auto-licensing setting is enabled or not.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example toggled the auto-licensing setting to true"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Auto-licensing toggled"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Blocked URLs addedWebhook

A set of URLs has been added to the URL blocking configuration.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "BLOCKED_URLS_ADDED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

urls

required

Array of strings

A list of the added URLs.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com added new blocked URLs"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Blocked URLs added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Blocked URLs removedWebhook

A set of URLs has been removed from the URL blocking configuration.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "BLOCKED_URLS_REMOVED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

urls

required

Array of strings

A list of the removed URLs.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed blocked URLs"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Blocked URLs removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Cloned login page detection mode updatedWebhook

An admin user has updated the mode of the Cloned login page detection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "CLONED_LOGIN_PAGE_DETECTION_MODE_UPDATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

mode

required

string

The current mode for the cloned login page detection control.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com set the mode to monitor"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Cloned login page detection mode updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Control rule addedWebhook

An admin user has added a new control rule.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The type of event.

Value: "CONTROL_RULE_ADDED"

friendlyName

required

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Control rule added"

description

required

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com added a control rule"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object (Control Rule)

The details of the updated rule.

ruleId

required

string

The unique identifier for the rule

Example: "c478966c-f927-411c-b919-179832d3d50c"

control

required

string

The control that the rule applies to.

Enum Value	Description
APP_BANNER	The App Banner control.
BLOCKED_URL	The Blocked URL control.
PHISHING_TOOL_DETECTION	The Phishing Tool Detection control.
SESSION_TOKEN_THEFT_DETECTION	The Session Theft Detection control.
SSO_PASSWORD_PROTECTION	The SSO Password Protection control.

description

required

string

The description given to the rule.

Example: "Display app banner on ChatGPT"

enabled

required

boolean

Whether the rule is enabled.

Example: true

criteria

required

object

The criteria for applying the rule.

lastUpdatedTimestamp

required

integer

When the rule was last updated, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

settings

object

The settings for the control.

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Control rule updatedWebhook

An admin user has updated a control rule.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The type of event.

Value: "CONTROL_RULE_UPDATED"

friendlyName

required

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Control rule updated"

description

required

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated a control rule"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object (Control Rule)

The current details of the updated rule.

ruleId

required

string

The unique identifier for the rule

Example: "c478966c-f927-411c-b919-179832d3d50c"

control

required

string

The control that the rule applies to.

Enum Value	Description
APP_BANNER	The App Banner control.
BLOCKED_URL	The Blocked URL control.
PHISHING_TOOL_DETECTION	The Phishing Tool Detection control.
SESSION_TOKEN_THEFT_DETECTION	The Session Theft Detection control.
SSO_PASSWORD_PROTECTION	The SSO Password Protection control.

description

required

string

The description given to the rule.

Example: "Display app banner on ChatGPT"

enabled

required

boolean

Whether the rule is enabled.

Example: true

criteria

required

object

The criteria for applying the rule.

lastUpdatedTimestamp

required

integer

When the rule was last updated, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

settings

object

The settings for the control.

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Control rule removedWebhook

An admin user has removed a control rule.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The type of event.

Value: "CONTROL_RULE_REMOVED"

friendlyName

required

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Control rule removed"

description

required

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed a control rule"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object (Control Rule)

The details of the removed rule.

ruleId

required

string

The unique identifier for the rule

Example: "c478966c-f927-411c-b919-179832d3d50c"

control

required

string

The control that the rule applies to.

Enum Value	Description
APP_BANNER	The App Banner control.
BLOCKED_URL	The Blocked URL control.
PHISHING_TOOL_DETECTION	The Phishing Tool Detection control.
SESSION_TOKEN_THEFT_DETECTION	The Session Theft Detection control.
SSO_PASSWORD_PROTECTION	The SSO Password Protection control.

description

required

string

The description given to the rule.

Example: "Display app banner on ChatGPT"

enabled

required

boolean

Whether the rule is enabled.

Example: true

criteria

required

object

The criteria for applying the rule.

lastUpdatedTimestamp

required

integer

When the rule was last updated, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

settings

object

The settings for the control.

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Control rule toggledWebhook

An admin user has enabled or disabled a control rule.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The type of event.

Value: "CONTROL_RULE_TOGGLED"

friendlyName

required

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Control rule toggled"

description

required

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com enabled/disabled a control rule"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object (Control Rule)

The details of the enabled/disabled rule.

ruleId

required

string

The unique identifier for the rule

Example: "c478966c-f927-411c-b919-179832d3d50c"

control

required

string

The control that the rule applies to.

Enum Value	Description
APP_BANNER	The App Banner control.
BLOCKED_URL	The Blocked URL control.
PHISHING_TOOL_DETECTION	The Phishing Tool Detection control.
SESSION_TOKEN_THEFT_DETECTION	The Session Theft Detection control.
SSO_PASSWORD_PROTECTION	The SSO Password Protection control.

description

required

string

The description given to the rule.

Example: "Display app banner on ChatGPT"

enabled

required

boolean

Whether the rule is enabled.

Example: true

criteria

required

object

The criteria for applying the rule.

lastUpdatedTimestamp

required

integer

When the rule was last updated, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

settings

object

The settings for the control.

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Control rule reorderedWebhook

An admin user has reordered a new control rule.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The type of event.

Value: "CONTROL_RULE_REORDERED"

friendlyName

required

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Control rule reordered"

description

required

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com reordered the control configuration rules"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

required

object (Control Rule)

The details of the reordered rule.

ruleId

required

string

The unique identifier for the rule

Example: "c478966c-f927-411c-b919-179832d3d50c"

control

required

string

The control that the rule applies to.

Enum Value	Description
APP_BANNER	The App Banner control.
BLOCKED_URL	The Blocked URL control.
PHISHING_TOOL_DETECTION	The Phishing Tool Detection control.
SESSION_TOKEN_THEFT_DETECTION	The Session Theft Detection control.
SSO_PASSWORD_PROTECTION	The SSO Password Protection control.

description

required

string

The description given to the rule.

Example: "Display app banner on ChatGPT"

enabled

required

boolean

Whether the rule is enabled.

Example: true

criteria

required

object

The criteria for applying the rule.

lastUpdatedTimestamp

required

integer

When the rule was last updated, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

settings

object

The settings for the control.

previousRuleId

required

string or null <uuid>

The unique identifier of the rule immediately before in precedence order. If null, the rule is now the first in the list.

Example: "c478966c-f927-411c-b919-179832d3d50c"

nextRuleId

required

string or null <uuid>

The unique identifier of the rule immediately after in precedence order. If null, the rule is now the last in the list.

Example: "c478966c-f927-411c-b919-179832d3d50c"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Custom login URL addedWebhook

A custom login URL has been added for an app.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "CUSTOM_LOGIN_URL_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

app required	string The app for which the custom login URL was added.
url required	string The custom login URL that was added.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example added a custom login URL for Google Workspace"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Custom login URL added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Custom login URL removedWebhook

A custom login URL has been removed for an app.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "CUSTOM_LOGIN_URL_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

app

required

string

The app for which the custom login URL was removed.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example removed a custom login URL for Google Workspace"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Custom login URL removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Employees added to groupWebhook

An admin user has added one or more employees to a group.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "EMPLOYEE_ADDED_TO_GROUP"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

group required	string The name of the group.
employeeIds required	Array of strings The IDs of the employees added to the group.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com added employees to the group Engineers"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Employees added to group"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Employee disabled extensionWebhook

An employee has temporarily disabled the Push extension for a specific domain.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "EMPLOYEE_DISABLED_EXTENSION"

required

object (Admin Audit Log Employee)

This object contains details about the employee that triggered the audit log.

source required	string The source of the action that generated the event. Value: "EMPLOYEE"
id required	string The employee's identifier.
email required	string The employee's email.
sourceIpAddress required	string The IP address of the employee at the time of the event.
userAgent required	string The user agent of the employee at the time of the event, if available.

required

object

browserId required	string The identifier of the employee's Push extension.
domain required	string The domain for which the extension was disabled.
disabledUntilTimestamp required	integer The timestamp when the extension will be re-enabled on the specified domain, formatted as a UNIX timestamp (in seconds).

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com temporarily disabled the Push extension on domain some-domain.com."

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Employee disabled extension"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Excluded extension domains addedWebhook

A set of domains have been added to the list of excluded browser extension domains to monitor.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "EXCLUDED_EXTENSION_DOMAINS_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the added domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example added excluded extension domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Excluded extension domains added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Excluded extension domains removedWebhook

A set of domains have been removed from the list of excluded browser extension domains to monitor.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "EXCLUDED_EXTENSION_DOMAINS_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the removed domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example removed excluded extension domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Excluded extension domains removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Employee name updatedWebhook

An admin user has updated the first name and/or last name of an employee.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "EMPLOYEE_NAME_UPDATED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

email required	string The email address of the employee.
firstName required	string The updated first name.
lastName required	string The updated last name.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated an employee's name"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Employee name updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Employee removed from groupWebhook

An admin user removed an employee from a group.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "EMPLOYEE_REMOVED_FROM_GROUP"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

group required	string The name of the group.
employee_id required	string The ID of the employee removed from the group.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed an employee from the group Engineers"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Employee removed from group"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Integration addedWebhook

A new integration has been added.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "INTEGRATION_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

appType

required

string

Type of integration that has been added.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example generated an integration link for Google"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Integration added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Integration completedWebhook

An integration has been successfully completed.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "INTEGRATION_COMPLETED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	null The actor's email address is not available for this webhook.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

appType

required

string

Type of integration that has been completed.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "Google integration completed"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Integration added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Integration removedWebhook

A integration has been removed.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "INTEGRATION_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

appType

required

string

Type of integration that has been removed.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example removed a Google integration"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Integration removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Label updatedWebhook

A label has been updated.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "LABEL_UPDATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

label

required

string

The new value of the updated label.

required

object

label

required

string

The value of the label before the update.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated a label"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Label updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Label removedWebhook

A label has been removed.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "LABEL_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

label

required

string

The removed label.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed a label"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Label removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

License assignedWebhook

One or more employees have been assigned a license.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "LICENSE_ASSIGNED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

employees

required

Array of strings

A list of the employees that have been assigned a license.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example assigned licenses to employees"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "License assigned"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

License removedWebhook

The license has been removed from one or more employees.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "LICENSE_ASSIGNED"

required

Admin Audit Log Actor (object) or Admin Audit Log Actor API (object)

One of:

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

employees

required

Array of strings

A list of the employees from which the license has been removed.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example removed licenses from employees"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "License removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Monitor all domains toggledWebhook

An admin user has toggled the "Monitor all domains" setting.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "MONITOR_ALL_DOMAINS_TOGGLED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

enabled

required

boolean

Whether the "Monitor all domains" setting is enabled or not.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example toggled monitor all domains to true"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Monitor all domains toggled"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Monitored domains addedWebhook

A set of domains have been added to the list of monitored company domains.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "MONITORED_DOMAINS_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the added domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example added monitored domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Monitored domains added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Monitored domains removedWebhook

A set of domains have been removed from the list of monitored company domains.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "MONITORED_DOMAINS_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the removed domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example removed monitored domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Monitored domains removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Phishing tool detection page updatedWebhook

An admin user has updated the page settings of the Phishing tool detection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "PHISHING_TOOL_DETECTION_PAGE_UPDATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

title required	string The title of the page shown to users.
subtext required	string The subtext of the page shown to users.
ignoreButtonText required	string The text of the button that allows users to proceed.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated the message to employees"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Phishing Tool Detection page updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Phishing tool detection mode updatedWebhook

An admin user has updated the mode of the Phishing tool detection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "PHISHING_TOOL_DETECTION_MODE_UPDATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

mode

required

string

The current mode for the Phishing Tool Detection feature.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com set the mode to warn"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Phishing Tool Detection mode updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Phishing tool detection ignored domains addedWebhook

A set of domains have been added to the list of ignored domains for the Phishing tool detection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the added domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com added ignored domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Phishing Tool Detection ignored domains added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Phishing tool detection ignored domains removedWebhook

A set of domains have been removed from the list of ignored domains for the Phishing tool detection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "PHISHING_TOOL_DETECTION_IGNORED_DOMAINS_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the removed domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed ignored domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Phishing Tool Detection ignored domains removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Session theft domains addedWebhook

A set of domains have been added to the list of domains in which the session theft marker is injected.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SESSION_THEFT_DOMAINS_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the added domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example added session theft domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Session theft domains added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Session theft domains removedWebhook

A set of domains have been removed from the list of domains in which the session theft marker is injected.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SESSION_THEFT_DOMAINS_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the removed domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example removed session theft domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Session theft domains removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Session theft marker rotatedWebhook

An admin user has rotated the session theft marker.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SESSION_THEFT_MARKER_ROTATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

marker

required

string

The new value for the session theft marker.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example rotated the session theft marker"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Session theft marker rotated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

SSO password protection ignored domains addedWebhook

A set of domains have been added to the list of ignored domains for the SSO password protection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SSO_PASSWORD_PROTECTION_IGNORED_DOMAINS_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the added domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com added ignored domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "SSO password protection ignored domains added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

SSO password protection ignored domains removedWebhook

A set of domains have been removed from the list of ignored domains for the SSO password protection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SSO_PASSWORD_PROTECTION_IGNORED_DOMAINS_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domains

required

Array of strings

A list of the removed domains.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed ignored domains"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "SSO password protection ignored domains removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

SSO password protection ignore work apps toggledWebhook

An admin user has toggled the "Ignore work apps" setting of the SSO password protection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SSO_PASSWORD_PROTECTION_IGNORE_WORK_APPS_TOGGLED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

enabled

required

boolean

Whether the "Ignore work apps" setting is enabled or not.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com set ignore work apps to true"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "SSO password protection ignore work apps toggled"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

SSO password protection mode updatedWebhook

An admin user has updated the mode of the SSO password protection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SSO_PASSWORD_PROTECTION_MODE_UPDATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

mode

required

string

The current mode for the SSO Password Protection feature.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com set the mode to warn"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "SSO password protection mode updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

SSO password protection page updatedWebhook

An admin user has updated the page settings of the SSO password protection feature.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "SSO_PASSWORD_PROTECTION_PAGE_UPDATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

title required	string The title of the page shown to users.
subtext required	string The subtext of the page shown to users.
ignoreButtonText required	string The text of the button that allows users to proceed.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated the message to employees"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "SSO password protection page updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Unsupported app support requestedWebhook

Support for an unsupported app has been requested.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "UNSUPPORTED_APP_SUPPORT_REQUESTED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

domain

required

string

The domain of the app for which support was requested.

Example: "domain.com"

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "Support was requested for domain.com"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Unsupported app support requested"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

URL block page updatedWebhook

An admin user updated the contents of the page shown when access to a URL is blocked by the URL blocking control.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "URL_BLOCK_PAGE_UPDATED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

title required	string The title of the block page.
subtext required	string The subtext of the block page.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com updated the message to employees"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "URL block page updated"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Webhook addedWebhook

An admin user has configured an new webhook URL.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "WEBHOOK_ADDED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

url

required

string

The configured URL.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com added a new webhook"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Webhook added"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully

Webhook removedWebhook

An admin user has removed a webhook URL.

Request

header Parameters

X-Signature

required

string

Example: X-Signature: t=1492774577,v1=5257a869...

Request Body schema: application/json

version

required

string

The version of the event.

Example: "1"

required

string <uuid>

The unique identifier for the event. This can be used as an idempotency key.

Example: "c478966c-f927-411c-b919-179832d3d50c"

timestamp

required

integer

When the event occurred, formatted as a UNIX timestamp (in seconds).

Example: 1698604061

category

required

string

The category of the event.

Value: "AUDIT"

object

required

string

The object that was created.

Value: "WEBHOOK_REMOVED"

required

object (Admin Audit Log Actor)

This object contains information about the user that performed the action triggering the audit log.

source required	string The source of the action that generated the event. Value: "UI"
email required	string The email address of the actor.
sourceIpAddress required	string The IP address of the actor.
userAgent	string The user agent of the actor, if available.

required

object

url

required

string

The configured URL before removal.

description

string

The description of the event. Note: this is subject to change and should not be used to match on this object.

Example: "user@example.com removed an existing webhook"

friendlyName

string

The friendly name of this object. Note: this is subject to change and should not be used to match on this object.

Example: "Webhook removed"

Responses

2XX

Return any 2XX status to indicate that the data was received successfully