IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Okta FastPass Phishing Detection
editOkta FastPass Phishing Detection
editDetects when Okta FastPass prevents a user from authenticating to a phishing website.
Rule type: query
Rule indices:
- filebeat-*
- logs-okta*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Tactic: Initial Access
- Use Case: Identity and Access Audit
- Data Source: Okta
Version: 3
Rule authors:
- Austin Songer
Rule license: Elastic License v2
Investigation guide
editRule query
editevent.dataset:okta.system and event.category:authentication and okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/