Okta FastPass Phishing Detection

edit

Detects when Okta FastPass prevents a user from authenticating to a phishing website.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Tactic: Initial Access
  • Use Case: Identity and Access Audit
  • Data Source: Okta

Version: 3

Rule authors:

  • Austin Songer

Rule license: Elastic License v2

Investigation guide

edit

Setup

edit

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

This rule requires Okta to have the following turned on:

Okta Identity Engine - select Phishing Resistance for FastPass under Settings > Features in the Admin Console.

Rule query

edit
event.dataset:okta.system and event.category:authentication and
  okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt"

Framework: MITRE ATT&CKTM