TL;DR: Browser-side identity and download behaviour is becoming governable in real time. Push Security’s monthly update adds custom detections, file download telemetry, password-entry blocking for non-password fields, and a 30-day events window, giving security teams more control points in the browser and more data for triage and response.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Push Security’s Events page now displays up to 30 days of data, instead of 7.
Questions worth separating out
Q: How should security teams use browser detections to stop identity abuse?
A: Security teams should map browser detections to the specific actions that precede misuse, such as suspicious DOM interactions, unusual request patterns, or policy-violating page behaviour.
Q: When do file download events become useful for investigation and response?
A: File download events become useful when teams need to connect browser activity to potential exfiltration, malware staging, or unsafe content transfer.
Q: What breaks when password entry is not blocked in non-password fields?
A: When password entry is not blocked in non-password fields, users can accidentally place secrets into application logs, support traces, or analytics fields that were never meant to hold credentials.
Practitioner guidance
- Build custom detections around identity abuse patterns: Use browser telemetry to detect specific DOM elements, request patterns, headers, and responses that map to risky credential use, policy violations, or red-team test cases.
- Ingest file download events into your SIEM: Route download metadata, unsafe flags, and browser-constructed file events into central logging so analysts can correlate downloads with session context, user identity, and downstream alerts.
- Block password entry into non-password fields: Enable controls in core applications, especially identity provider sign-in flows, to prevent accidental secret leakage into logs and support channels when users paste or type credentials into the wrong field.
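The correlation step in the SIEM guidance above, sketched as an added example (not Push Security's code or event schema): every field name, the 15-minute correlation window, and the sample events are assumptions constructed for illustration. It joins flagged downloads to later alerts for the same user and marks events that have aged out of the 30-day console window.

```python
from datetime import datetime, timedelta

# All field names are hypothetical; map them to your vendor's real event schema.
CONSOLE_WINDOW = timedelta(days=30)         # console retention stated in the update
CORRELATION_WINDOW = timedelta(minutes=15)  # assumption: tune per environment
RISK_FLAGS = ("unsafe", "browser_constructed")

def triage_downloads(downloads, alerts, now):
    """Join risky download events to later alerts raised for the same user."""
    findings = []
    for d in downloads:
        reasons = [flag for flag in RISK_FLAGS if d.get(flag)]
        if not reasons:
            continue  # ordinary download: keep in the SIEM, but do not triage
        t = datetime.fromisoformat(d["time"])
        related = [
            a["id"] for a in alerts
            if a["user"] == d["user"]
            and timedelta(0) <= datetime.fromisoformat(a["time"]) - t <= CORRELATION_WINDOW
        ]
        findings.append({
            "user": d["user"], "session": d["session_id"], "file": d["filename"],
            "reasons": reasons, "alerts": related,
            # Older than the console window: the forwarded SIEM copy is the only record.
            "siem_only": now - t > CONSOLE_WINDOW,
        })
    # Downloads already tied to an alert go to the top of the analyst queue.
    return sorted(findings, key=lambda f: (-len(f["alerts"]), f["user"]))

# Constructed sample events, not real telemetry.
SAMPLE_DOWNLOADS = [
    {"user": "alice", "session_id": "s-1", "filename": "invoice.iso",
     "time": "2025-06-01T10:00:00+00:00", "unsafe": True},
    {"user": "bob", "session_id": "s-2", "filename": "report.pdf",
     "time": "2025-06-01T11:00:00+00:00"},
    {"user": "carol", "session_id": "s-3", "filename": "export.zip",
     "time": "2025-04-20T09:00:00+00:00", "browser_constructed": True},
]
SAMPLE_ALERTS = [
    {"id": "A-100", "user": "alice", "time": "2025-06-01T10:05:00+00:00"},
    {"id": "A-101", "user": "alice", "time": "2025-06-01T12:00:00+00:00"},
    {"id": "A-102", "user": "bob", "time": "2025-06-01T11:01:00+00:00"},
]
NOW = datetime.fromisoformat("2025-06-02T00:00:00+00:00")

if __name__ == "__main__":
    for finding in triage_downloads(SAMPLE_DOWNLOADS, SAMPLE_ALERTS, NOW):
        print(finding)
```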
What's in the full announcement
Push Security's full update covers the operational detail this post intentionally leaves for the source:
- YAML rule examples for custom detections against specific browser elements, requests, headers, and responses
- Configuration steps for file download telemetry across employee groups and browser profiles
- Operational guidance for handling unsafe downloads and browser-constructed files in SIEM or SOAR
- Settings guidance for preventing password entry into non-password fields in core applications
Browser detections and file download telemetry: what changes for IAM teams?
Explore further
Browser telemetry is becoming a control plane, not just an observation layer. The practical meaning of this update is that identity teams can now attach policy to browser behaviour at the point where many risky actions occur. That is especially relevant for service accounts, human users, and emerging agent-driven workflows that operate through web interfaces. The broader governance shift is from post-event review to in-session enforcement, which is where modern misuse is most likely to surface.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why browser-side telemetry must be paired with identity inventory and investigation workflows.
A question worth separating out:
Q: Who should own browser telemetry when the console keeps only 30 days of events?
A: Security operations should own the short-term triage workflow, while logging, detection engineering, and IAM teams should ensure the events are forwarded into SIEM or SOAR for longer retention and correlation. The console window is helpful, but it is not a substitute for durable evidence handling or audit-ready retention.