[{"data":1,"prerenderedAt":1177},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/better-together-identity-telemetry-from-push-smart-storage-and-searches-from":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":724,"faqItemsCollection":725,"faqTitle":62,"featured":6,"hashTags":62,"meta":727,"metaTitle":728,"ogImage":62,"publishedDate":729,"relatedBlogPostsCollection":730,"slug":1153,"stem":1154,"subtitle":62,"summary":1155,"synopsis":1166,"sys":1167,"tagsCollection":1170,"__hash__":1176},"blog/blog/better-together-identity-telemetry-from-push-smart-storage-and-searches-from.json","Better together: Identity telemetry from Push + smart storage and searches from Cribl",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Kelly Davenport","Kelly","Product Team",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"json":238,"links":710},{"data":239,"content":240,"nodeType":709},{},[241,250,295,302,309,347,354,361,414,421,429,436,443,450,457,465,472,479,512,519,539,546,553,560,593,600,617,624,631,661,690],{"data":242,"content":243,"nodeType":249},{},[244],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"In the midst of an identity security investigation when every minute counts, there are few sentences more painful to say than:","text","paragraph",{"data":251,"content":252,"nodeType":294},{},[253,264,274,284],{"data":254,"content":255,"nodeType":263},{},[256],{"data":257,"content":258,"nodeType":249},{},[259],{"data":260,"marks":261,"value":262,"nodeType":248},{},[],"“We didn’t snapshot that data, so we didn’t have the right time period.”","list-item",{"data":265,"content":266,"nodeType":263},{},[267],{"data":268,"content":269,"nodeType":249},{},[270],{"data":271,"marks":272,"value":273,"nodeType":248},{},[],"“We didn’t send those logs to the SIEM, so we couldn’t do the correlation we needed to rule out [bad thing].”",{"data":275,"content":276,"nodeType":263},{},[277],{"data":278,"content":279,"nodeType":249},{},[280],{"data":281,"marks":282,"value":283,"nodeType":248},{},[],"“We didn’t have any user behavior telemetry in the browser, so we didn’t know if they entered their password on the phishing page or not.”",{"data":285,"content":286,"nodeType":263},{},[287],{"data":288,"content":289,"nodeType":249},{},[290],{"data":291,"marks":292,"value":293,"nodeType":248},{},[],"“We had no way of determining what other accounts they were using that compromised password on.”","unordered-list",{"data":296,"content":297,"nodeType":249},{},[298],{"data":299,"marks":300,"value":301,"nodeType":248},{},[],"Security teams use Push and Cribl so they never have to utter those words. So we’re especially thrilled to announce our partnership with Cribl to make it much easier to snapshot, transform, and query Push telemetry using Cribl’s data management solutions.",{"data":303,"content":304,"nodeType":249},{},[305],{"data":306,"marks":307,"value":308,"nodeType":248},{},[],"Push uses a browser agent deployed across all your workforce browsers to do real-time detection and response for identity-based attacks like credential phishing, account takeover, and session token theft. ",{"data":310,"content":311,"nodeType":249},{},[312,316,329,333,343],{"data":313,"marks":314,"value":315,"nodeType":248},{},[],"As the Push browser agent learns your environment, it also automatically inventories all the apps that your employees log in to, their authentication methods and MFA usage, and the security posture of their accounts. We call this an organization’s ",{"data":317,"content":323,"nodeType":328},{"target":318},{"sys":319},{"id":320,"type":321,"linkType":322},"1pJdOGN0dOd3BKVqO4CxHh","Link","Entry",[324],{"data":325,"marks":326,"value":327,"nodeType":248},{},[],"identity attack surface","entry-hyperlink",{"data":330,"marks":331,"value":332,"nodeType":248},{},[]," because it represents the risks posed by insecure accounts and apps — even the ones you didn’t know about — that are ",{"data":334,"content":338,"nodeType":328},{"target":335},{"sys":336},{"id":337,"type":321,"linkType":322},"wgpdyHDn9NcpIJNr7jnFp",[339],{"data":340,"marks":341,"value":342,"nodeType":248},{},[],"increasingly targeted",{"data":344,"marks":345,"value":346,"nodeType":248},{},[]," by attackers.",{"data":348,"content":349,"nodeType":249},{},[350],{"data":351,"marks":352,"value":353,"nodeType":248},{},[],"From this unique vantage point in the browser, Push can block identity attacks like credential phishing while also generating telemetry that security teams rely on for knowing what happened during an incident, such as what the user saw and did, and how big the blast radius is in terms of other compromised accounts.",{"data":355,"content":356,"nodeType":249},{},[357],{"data":358,"marks":359,"value":360,"nodeType":248},{},[],"By integrating with Cribl, Push customers can now:",{"data":362,"content":363,"nodeType":294},{},[364,374,384,394,404],{"data":365,"content":366,"nodeType":263},{},[367],{"data":368,"content":369,"nodeType":249},{},[370],{"data":371,"marks":372,"value":373,"nodeType":248},{},[],"Quickly ingest and transform Push data into Cribl in order to route it to their SIEM, SOAR, or other third-party system — without overwhelming their pipeline or running up costs on log volume.",{"data":375,"content":376,"nodeType":263},{},[377],{"data":378,"content":379,"nodeType":249},{},[380],{"data":381,"marks":382,"value":383,"nodeType":248},{},[],"Get immediate insights into identity security threats and posture across their environment by using Cribl’s out-of-the-box dashboards for Push telemetry.",{"data":385,"content":386,"nodeType":263},{},[387],{"data":388,"content":389,"nodeType":249},{},[390],{"data":391,"marks":392,"value":393,"nodeType":248},{},[],"Easily create a snapshot of Push data to allow for historical comparisons and queries.",{"data":395,"content":396,"nodeType":263},{},[397],{"data":398,"content":399,"nodeType":249},{},[400],{"data":401,"marks":402,"value":403,"nodeType":248},{},[],"Correlate Push data with other log sources such as their EDR and identity provider to get a fuller picture of identity security risks and incidents. ",{"data":405,"content":406,"nodeType":263},{},[407],{"data":408,"content":409,"nodeType":249},{},[410],{"data":411,"marks":412,"value":413,"nodeType":248},{},[],"Hunt across their data for risky user behaviors like suspicious login methods, signs of credential phishing or stolen sessions, and credential reuse.",{"data":415,"content":416,"nodeType":249},{},[417],{"data":418,"marks":419,"value":420,"nodeType":248},{},[],"Here’s a closer look at what we built together and how you can use it.",{"data":422,"content":423,"nodeType":428},{},[424],{"data":425,"marks":426,"value":427,"nodeType":248},{},[],"Tooling built by the teams that actually use it","heading-1",{"data":430,"content":431,"nodeType":249},{},[432],{"data":433,"marks":434,"value":435,"nodeType":248},{},[],"The truth is, we selfishly had the idea to build this integration because we use Cribl at Push — and they use Push at Cribl. ",{"data":437,"content":438,"nodeType":249},{},[439],{"data":440,"marks":441,"value":442,"nodeType":248},{},[],"As mutual users (and fans!) of each other’s products, our security teams had firsthand experience with the use cases, data, and possibilities that combining our capabilities presented.",{"data":444,"content":445,"nodeType":249},{},[446],{"data":447,"marks":448,"value":449,"nodeType":248},{},[],"“Our team had been using Push for a while, and I was already a big fan of their approach,” explains Alex Crusco, staff security engineer at Cribl. “So when we decided to build out-of-the-box security packs in Cribl, they were the first partner that came to mind. Identity is a top attack vector, and defending it isn’t easy. The combined power of Cribl and Push gives security teams the clarity and control to turn identity from a blind spot into a defensible asset.”",{"data":451,"content":452,"nodeType":249},{},[453],{"data":454,"marks":455,"value":456,"nodeType":248},{},[],"So here’s what we built:",{"data":458,"content":459,"nodeType":464},{},[460],{"data":461,"marks":462,"value":463,"nodeType":248},{},[],"Cribl Stream pack for Push","heading-2",{"data":466,"content":467,"nodeType":249},{},[468],{"data":469,"marks":470,"value":471,"nodeType":248},{},[],"Using the Cribl Stream pack for Push, you get a preconfigured parser for individual Push events that automatically cleans and formats them for your exact use case so you can query the data directly in Cribl or route it somewhere else. ",{"data":473,"content":474,"nodeType":249},{},[475],{"data":476,"marks":477,"value":478,"nodeType":248},{},[],"By sending Push data to Cribl, you can enable your security team to:",{"data":480,"content":481,"nodeType":294},{},[482,492,502],{"data":483,"content":484,"nodeType":263},{},[485],{"data":486,"content":487,"nodeType":249},{},[488],{"data":489,"marks":490,"value":491,"nodeType":248},{},[],"Ingest and normalize telemetry on the employees, accounts, browsers, security findings, and detections observed by Push across your environment.",{"data":493,"content":494,"nodeType":263},{},[495],{"data":496,"content":497,"nodeType":249},{},[498],{"data":499,"marks":500,"value":501,"nodeType":248},{},[],"Route specific alerts and events to your SIEM or other tool.",{"data":503,"content":504,"nodeType":263},{},[505],{"data":506,"content":507,"nodeType":249},{},[508],{"data":509,"marks":510,"value":511,"nodeType":248},{},[],"Enrich Push data with other sources to expand the context for understanding events, or look for wider patterns.",{"data":513,"content":514,"nodeType":249},{},[515],{"data":516,"marks":517,"value":518,"nodeType":248},{},[],"Push logs are pretty lightweight out of the box, but the Stream pack streamlines them further. By transforming or dropping some of the event fields (such as event headers), you can reduce your event size by 50%. This gives security teams the opportunity and flexibility to save on costs when sending events to systems that charge by log volume while also getting the data that security teams need where they need it.",{"data":520,"content":521,"nodeType":249},{},[522,526,535],{"data":523,"marks":524,"value":525,"nodeType":248},{},[],"You can get the Cribl Stream pack for Push via the ",{"data":527,"content":529,"nodeType":534},{"uri":528},"https://packs.cribl.io/packs/cc-push-security",[530],{"data":531,"marks":532,"value":533,"nodeType":248},{},[],"Cribl Dispensary","hyperlink",{"data":536,"marks":537,"value":538,"nodeType":248},{},[],". ",{"data":540,"content":541,"nodeType":464},{},[542],{"data":543,"marks":544,"value":545,"nodeType":248},{},[],"Cribl Search pack for Push",{"data":547,"content":548,"nodeType":249},{},[549],{"data":550,"marks":551,"value":552,"nodeType":248},{},[],"The other half of the equation is the Cribl Search pack for Push. Once you’ve got your Push data into Cribl, you can use it to populate pre-built dashboards provided by the Search pack.",{"data":554,"content":555,"nodeType":249},{},[556],{"data":557,"marks":558,"value":559,"nodeType":248},{},[],"Using the Cribl Search pack dashboards, you can:",{"data":561,"content":562,"nodeType":294},{},[563,573,583],{"data":564,"content":565,"nodeType":263},{},[566],{"data":567,"content":568,"nodeType":249},{},[569],{"data":570,"marks":571,"value":572,"nodeType":248},{},[],"Monitor the state of your Push Security deployment and identify any gaps in browser extension coverage.",{"data":574,"content":575,"nodeType":263},{},[576],{"data":577,"content":578,"nodeType":249},{},[579],{"data":580,"marks":581,"value":582,"nodeType":248},{},[],"Get a snapshot of security issues such as suspicious or unapproved login methods (e.g. local password logins on SSO apps); credential reuse; or signs of adversary-in-the-middle phishing incidents or stolen sessions.",{"data":584,"content":585,"nodeType":263},{},[586],{"data":587,"content":588,"nodeType":249},{},[589],{"data":590,"marks":591,"value":592,"nodeType":248},{},[],"Deep dive into behavior data for a specific employee, to assist threat hunters and analysts with investigations or incident response.",{"data":594,"content":595,"nodeType":249},{},[596],{"data":597,"marks":598,"value":599,"nodeType":248},{},[],"With the Search pack, you can also take a daily snapshot of your Push data to see trends across time when searching, or to conduct historical investigations.",{"data":601,"content":602,"nodeType":249},{},[603,607,614],{"data":604,"marks":605,"value":606,"nodeType":248},{},[],"You can get the Cribl Search pack for Push via the ",{"data":608,"content":610,"nodeType":534},{"uri":609},"https://packs.cribl.io/packs/cc-search-push-security",[611],{"data":612,"marks":613,"value":533,"nodeType":248},{},[],{"data":615,"marks":616,"value":538,"nodeType":248},{},[],{"data":618,"content":619,"nodeType":428},{},[620],{"data":621,"marks":622,"value":623,"nodeType":248},{},[],"Get started",{"data":625,"content":626,"nodeType":249},{},[627],{"data":628,"marks":629,"value":630,"nodeType":248},{},[],"To get started, you’ll need to be using both Cribl and Push. ",{"data":632,"content":633,"nodeType":249},{},[634,638,646,650,657],{"data":635,"marks":636,"value":637,"nodeType":248},{},[],"To get started using the Stream pack, you’ll need to configure a Stream source to receive data over HTTPS, then create a ",{"data":639,"content":641,"nodeType":534},{"uri":640},"https://pushsecurity.redoc.ly/webhooks-v1/",[642],{"data":643,"marks":644,"value":645,"nodeType":248},{},[],"webhook",{"data":647,"marks":648,"value":649,"nodeType":248},{},[]," in the Push admin console that points to your Cribl Stream source and download and install the Cribl Stream pack for Push. Follow the instructions in the ",{"data":651,"content":652,"nodeType":534},{"uri":528},[653],{"data":654,"marks":655,"value":656,"nodeType":248},{},[],"Stream pack description",{"data":658,"marks":659,"value":660,"nodeType":248},{},[]," for guidance.",{"data":662,"content":663,"nodeType":249},{},[664,668,676,680,687],{"data":665,"marks":666,"value":667,"nodeType":248},{},[],"To get started using the Search pack, you’ll need to also set up the ",{"data":669,"content":671,"nodeType":534},{"uri":670},"https://github.com/criblio/collector-templates/tree/main/collectors/rest/pushsecurity",[672],{"data":673,"marks":674,"value":675,"nodeType":248},{},[],"Push REST collectors",{"data":677,"marks":678,"value":679,"nodeType":248},{},[]," in Cribl Stream to ingest your Push data. Then import the Search pack into your Cribl instance. Follow the instructions in the ",{"data":681,"content":682,"nodeType":534},{"uri":609},[683],{"data":684,"marks":685,"value":686,"nodeType":248},{},[],"Search pack description",{"data":688,"marks":689,"value":660,"nodeType":248},{},[],{"data":691,"content":692,"nodeType":249},{},[693,697,705],{"data":694,"marks":695,"value":696,"nodeType":248},{},[],"Not yet a user of Push yet, but want to learn more about how our data enables detection, response, and security investigations? ",{"data":698,"content":700,"nodeType":534},{"uri":699},"/demo",[701],{"data":702,"marks":703,"value":704,"nodeType":248},{},[],"Book a demo",{"data":706,"marks":707,"value":708,"nodeType":248},{},[]," with our team to chat.","document",{"entries":711},{"block":712,"inline":713,"hyperlink":714},[],[],[715,720],{"sys":716,"__typename":717,"title":718,"slug":719},{"id":320},"BlogPosts","Looking back on identity-based breaches in 2024","2024-identity-breaches",{"sys":721,"__typename":717,"title":722,"slug":723},{"id":337},"Scattered Spider: TTP evolution in 2025","scattered-spider-ttp-evolution-in-2025","json",{"items":726},[],{},"Integrate Cribl and Push Security","2025-06-03T00:00:00.000Z",{"items":731},[732],{"__typename":717,"sys":733,"content":735,"title":1135,"synopsis":1136,"hashTags":62,"publishedDate":1137,"slug":1138,"tagsCollection":1139,"authorsCollection":1149},{"id":734},"7qYHyqnkvqQRbYn3nTi5br",{"json":736},{"nodeType":709,"data":737,"content":738},{},[739,746,753,802,809,816,823,830,849,856,878,885,892,914,920,959,966,973,979,986,993,1000,1007,1014,1091,1098,1117],{"nodeType":249,"data":740,"content":741},{},[742],{"nodeType":248,"value":743,"marks":744,"data":745},"While Push’s official mission is to stop identity attacks, our unofficial motto might be described as “don’t make security teams log into another tool if they don’t have to.”",[],{},{"nodeType":249,"data":747,"content":748},{},[749],{"nodeType":248,"value":750,"marks":751,"data":752},"To that end, we’re thrilled to announce a new integration with Panther that makes it possible in a few clicks to:",[],{},{"nodeType":294,"data":754,"content":755},{},[756,772,787],{"nodeType":263,"data":757,"content":758},{},[759],{"nodeType":249,"data":760,"content":761},{},[762,768],{"nodeType":248,"value":763,"marks":764,"data":767},"Ingest Push logs",[765],{"type":766},"bold",{},{"nodeType":248,"value":769,"marks":770,"data":771}," into your Panther SIEM.",[],{},{"nodeType":263,"data":773,"content":774},{},[775],{"nodeType":249,"data":776,"content":777},{},[778,783],{"nodeType":248,"value":779,"marks":780,"data":782},"Use preconfigured data schemas",[781],{"type":766},{},{"nodeType":248,"value":784,"marks":785,"data":786}," for these logs without having to create your own.",[],{},{"nodeType":263,"data":788,"content":789},{},[790],{"nodeType":249,"data":791,"content":792},{},[793,798],{"nodeType":248,"value":794,"marks":795,"data":797},"Enable ready-made detections",[796],{"type":766},{},{"nodeType":248,"value":799,"marks":800,"data":801}," for Push webhook events, including session token theft and adversary-in-the-middle (AitM) phishing toolkits.",[],{},{"nodeType":249,"data":803,"content":804},{},[805],{"nodeType":248,"value":806,"marks":807,"data":808},"The combination of Push’s unique telemetry, powered by the Push browser agent, and Panther’s correlation and log normalization capabilities was a perfect match, explains Panther’s Head of Partnerships, Andrew Dooley.",[],{},{"nodeType":249,"data":810,"content":811},{},[812],{"nodeType":248,"value":813,"marks":814,"data":815},"“As a SIEM, we’re looking for where we can find the most impactful security information in our customers’ environments to bring into Panther,” Dooley says. ",[],{},{"nodeType":249,"data":817,"content":818},{},[819],{"nodeType":248,"value":820,"marks":821,"data":822},"“With identity-based attacks being so common and impactful, identity telemetry data directly from users' browsers is exactly the kind of high-impact logs we want to support our customers’ threat detection and investigation workflows.”",[],{},{"nodeType":824,"data":825,"content":829},"embedded-entry-block",{"target":826},{"sys":827},{"id":828,"type":321,"linkType":322},"77bCOg5nPKjyKdhH77dUox",[],{"nodeType":249,"data":831,"content":832},{},[833,837,845],{"nodeType":248,"value":834,"marks":835,"data":836},"In this article, we’ll highlight some of the use cases you can achieve with the Push-Panther integration. Or, if you prefer, you can ",[],{},{"nodeType":534,"data":838,"content":840},{"uri":839},"https://docs.panther.com/data-onboarding/supported-logs/push-security",[841],{"nodeType":248,"value":842,"marks":843,"data":844},"dive into the docs",[],{},{"nodeType":248,"value":846,"marks":847,"data":848}," right away.",[],{},{"nodeType":428,"data":850,"content":851},{},[852],{"nodeType":248,"value":853,"marks":854,"data":855},"How to detect session token theft with Push and Panther",[],{},{"nodeType":249,"data":857,"content":858},{},[859,863,874],{"nodeType":248,"value":860,"marks":861,"data":862},"A key use case we set out to solve with the Push-Panther integration is detecting ",[],{},{"nodeType":328,"data":864,"content":868},{"target":865},{"sys":866},{"id":867,"type":321,"linkType":322},"6Uvqu6LcWzOVfA9mxtu841",[869],{"nodeType":248,"value":870,"marks":871,"data":873},"session token theft",[872],{"type":766},{},{"nodeType":248,"value":875,"marks":876,"data":877},", a session hijacking technique where endpoint malware such as an infostealer is used to extract sessions and other valuable data from a device.",[],{},{"nodeType":249,"data":879,"content":880},{},[881],{"nodeType":248,"value":882,"marks":883,"data":884},"Using stolen tokens, attackers don’t even need to bypass MFA; they can just log in by importing the session cookie into their browser.",[],{},{"nodeType":249,"data":886,"content":887},{},[888],{"nodeType":248,"value":889,"marks":890,"data":891},"In the past, writing high-fidelity detections for session token theft has been extremely challenging because there was only squishy ground to stand on: IP-based or geo-based signals are noisy and frequently inaccurate.",[],{},{"nodeType":249,"data":893,"content":894},{},[895,899,910],{"nodeType":248,"value":896,"marks":897,"data":898},"Push recently released our ",[],{},{"nodeType":328,"data":900,"content":904},{"target":901},{"sys":902},{"id":903,"type":321,"linkType":322},"1UMZdjyNQt4Y7NBb2wuK4L",[905],{"nodeType":248,"value":906,"marks":907,"data":909},"session token theft detection",[908],{"type":766},{},{"nodeType":248,"value":911,"marks":912,"data":913}," feature, which uses the Push browser agent to inject a unique marker into the user agent string of sessions that occur in browsers enrolled in Push.",[],{},{"nodeType":824,"data":915,"content":919},{"target":916},{"sys":917},{"id":918,"type":321,"linkType":322},"3zQamWSaZFIbMUhQZtM2II",[],{"nodeType":249,"data":921,"content":922},{},[923,927,936,940,946,950,955],{"nodeType":248,"value":924,"marks":925,"data":926},"Things get interesting when you plug Push telemetry into Panther’s new ",[],{},{"nodeType":534,"data":928,"content":930},{"uri":929},"https://docs.panther.com/detections/correlation-rules",[931],{"nodeType":248,"value":932,"marks":933,"data":935},"Correlation Rules",[934],{"type":766},{},{"nodeType":248,"value":937,"marks":938,"data":939}," feature (or perform a correlation in your other SIEM of choice). By analyzing logs from your IdP, you can identify activity from the same session that both ",[],{},{"nodeType":248,"value":941,"marks":942,"data":945},"has",[943],{"type":944},"italic",{},{"nodeType":248,"value":947,"marks":948,"data":949}," and that ",[],{},{"nodeType":248,"value":951,"marks":952,"data":954},"lacks",[953],{"type":944},{},{"nodeType":248,"value":956,"marks":957,"data":958}," the Push marker, a high-fidelity signal that a stolen session token is being used by an adversary.",[],{},{"nodeType":249,"data":960,"content":961},{},[962],{"nodeType":248,"value":963,"marks":964,"data":965},"“Being able to correlate high-fidelity browser telemetry data with IdP logs and even more traditional endpoint logs is a powerful enabler for our users in catching bad actor behavior fast and early,” says Dooley, Panther’s Head of Partnerships.",[],{},{"nodeType":249,"data":967,"content":968},{},[969],{"nodeType":248,"value":970,"marks":971,"data":972},"Check out this video demo from Joe Stanulis, solutions engineer team lead at Push, and Nicholas Hakmiller, senior engineering manager at Panther, to see how Push and Panther combine their powers to detect session token theft.",[],{},{"nodeType":824,"data":974,"content":978},{"target":975},{"sys":976},{"id":977,"type":321,"linkType":322},"2hUt3IqTFlCMgC0jHTau58",[],{"nodeType":249,"data":980,"content":981},{},[982],{"nodeType":248,"value":983,"marks":984,"data":985},"As Dooley explains, “Push’s approach of generating visibility as well as security findings aligns well with Panther’s approach of centralizing customers’ security alerts but also combining multiple signals from different sources into one finding. For example, the Push agent can block phishing attacks when in Block mode, but when in Monitor mode, those findings can be sent to Panther to be correlated with other activity like unusual Okta logins to create a single alert that tells a more complete story of a user being compromised. ",[],{},{"nodeType":249,"data":987,"content":988},{},[989],{"nodeType":248,"value":990,"marks":991,"data":992},"“Similarly, the Push user agent string marker leaves a very visible fingerprint in logs from other systems, making it easy to incorporate this Push feature into Panther detections across a variety of log sources and use cases.”",[],{},{"nodeType":428,"data":994,"content":995},{},[996],{"nodeType":248,"value":997,"marks":998,"data":999},"What else can you do with Push and your SIEM?",[],{},{"nodeType":249,"data":1001,"content":1002},{},[1003],{"nodeType":248,"value":1004,"marks":1005,"data":1006},"As a browser agent, Push is uniquely positioned to provide telemetry on your identity infrastructure that you can’t easily get elsewhere. This data is a key element to stopping identity attacks and account takeover by providing the context security teams need to write detections and to perform correlations with existing log sources, such as an identity provider.",[],{},{"nodeType":249,"data":1008,"content":1009},{},[1010],{"nodeType":248,"value":1011,"marks":1012,"data":1013},"General use cases for ingesting Push data into your SIEM include:",[],{},{"nodeType":294,"data":1015,"content":1016},{},[1017,1046,1061,1076],{"nodeType":263,"data":1018,"content":1019},{},[1020],{"nodeType":249,"data":1021,"content":1022},{},[1023,1028,1032,1042],{"nodeType":248,"value":1024,"marks":1025,"data":1027},"Detecting phishing attempts",[1026],{"type":766},{},{"nodeType":248,"value":1029,"marks":1030,"data":1031}," from ",[],{},{"nodeType":328,"data":1033,"content":1037},{"target":1034},{"sys":1035},{"id":1036,"type":321,"linkType":322},"4EfGLsD4qOkE4AoTUoL83m",[1038],{"nodeType":248,"value":1039,"marks":1040,"data":1041},"AitM phishing tools",[],{},{"nodeType":248,"value":1043,"marks":1044,"data":1045}," like Evilginx or EvilNoVNC.",[],{},{"nodeType":263,"data":1047,"content":1048},{},[1049],{"nodeType":249,"data":1050,"content":1051},{},[1052,1057],{"nodeType":248,"value":1053,"marks":1054,"data":1056},"Monitoring for suspicious activity or high-risk changes",[1055],{"type":766},{},{"nodeType":248,"value":1058,"marks":1059,"data":1060}," such as MFA method changes or reuse of corporate SSO passwords on other apps.",[],{},{"nodeType":263,"data":1062,"content":1063},{},[1064],{"nodeType":249,"data":1065,"content":1066},{},[1067,1072],{"nodeType":248,"value":1068,"marks":1069,"data":1071},"Hardening identities and flagging poor hygiene behaviors",[1070],{"type":766},{},{"nodeType":248,"value":1073,"marks":1074,"data":1075},", such as logging into SSO-protected apps with local accounts or reusing passwords across business applications.",[],{},{"nodeType":263,"data":1077,"content":1078},{},[1079],{"nodeType":249,"data":1080,"content":1081},{},[1082,1087],{"nodeType":248,"value":1083,"marks":1084,"data":1086},"Detecting the use of stolen session tokens",[1085],{"type":766},{},{"nodeType":248,"value":1088,"marks":1089,"data":1090},", indicating a compromised identity and device, as discussed earlier.",[],{},{"nodeType":428,"data":1092,"content":1093},{},[1094],{"nodeType":248,"value":1095,"marks":1096,"data":1097},"Find out more",[],{},{"nodeType":249,"data":1099,"content":1100},{},[1101,1105,1113],{"nodeType":248,"value":1102,"marks":1103,"data":1104},"To see Push in action, ",[],{},{"nodeType":534,"data":1106,"content":1108},{"uri":1107},"/demo/",[1109],{"nodeType":248,"value":1110,"marks":1111,"data":1112},"book a demo",[],{},{"nodeType":248,"value":1114,"marks":1115,"data":1116},". We’ll be happy to show you our session theft detection feature, along with how we discover all the apps your employees are using, even the ones not behind SSO, and how we detect vulnerable identities and stop identity attacks with browser-based controls.",[],{},{"nodeType":249,"data":1118,"content":1119},{},[1120,1124,1131],{"nodeType":248,"value":1121,"marks":1122,"data":1123},"For technical setup details on the Push-Panther integration, refer to the ",[],{},{"nodeType":534,"data":1125,"content":1126},{"uri":839},[1127],{"nodeType":248,"value":1128,"marks":1129,"data":1130},"Panther documentation",[],{},{"nodeType":248,"value":1132,"marks":1133,"data":1134},".",[],{},"Combining the powers of Push and Panther to stop identity attacks","Push is excited to partner with Panther, bringing our unique browser telemetry to your SIEM.","2024-06-25T00:00:00.000Z","combining-the-powers-of-push-and-panther-to-stop-identity-attacks",{"items":1140},[1141,1145],{"sys":1142,"name":1144},{"id":1143},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1146,"name":1148},{"id":1147},"5jk0kqjSdSK2L0YiistQjY","Release notes",{"items":1150},[1151],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1152},{"url":236},"better-together-identity-telemetry-from-push-smart-storage-and-searches-from","blog/better-together-identity-telemetry-from-push-smart-storage-and-searches-from",{"json":1156},{"data":1157,"content":1158,"nodeType":709},{},[1159],{"data":1160,"content":1161,"nodeType":249},{},[1162],{"data":1163,"marks":1164,"value":1165,"nodeType":248},{},[],"We’re thrilled to announce our partnership with Cribl to make it much easier to snapshot, transform, and query Push telemetry using Cribl’s data management solutions.\n","We’re thrilled to announce our partnership with Cribl to make it much easier to snapshot, transform, and query Push telemetry.",{"id":1168,"publishedAt":1169},"1sQvkmXRQaFGRpuE01KeF1","2025-06-03T14:22:38.727Z",{"items":1171},[1172],{"sys":1173,"name":1175},{"id":1174},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks","PSjN3cMhJSkCdzbkj8m80LyHYlClK7yxRZXVzdtmgQU",1784196730607]