Okta FastPass Phishing Detection
editOkta FastPass Phishing Detection
editDetects when Okta FastPass prevents a user from authenticating to a phishing website.
Rule type: query
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
- https://sec.okta.com/fastpassphishingdetection
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security
- https://www.elastic.co/security-labs/starter-guide-to-understanding-okta
Tags:
- Tactic: Initial Access
- Use Case: Identity and Access Audit
- Data Source: Okta
Version: 307
Rule authors:
- Austin Songer
Rule license: Elastic License v2
Investigation guide
editSetup
editThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
This rule requires Okta to have the following turned on:
Okta Identity Engine - select Phishing Resistance for FastPass under Settings > Features in the Admin Console.
Rule query
editevent.dataset:okta.system and event.category:authentication and okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/