Okta FastPass Phishing Detection | Elastic Security Solution [8.13]

› › ›

« Okta Brute Force or Password Spraying Attack Okta Sign-In Events via Third-Party IdP »

Okta FastPass Phishing Detectionedit

Detects when Okta FastPass prevents a user from authenticating to a phishing website.

Rule type: query

Rule indices:

filebeat-*
logs-okta*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Tactic: Initial Access
Use Case: Identity and Access Audit
Data Source: Okta

Version: 103

Rule authors:

Austin Songer

Rule license: Elastic License v2

Investigation guideedit

Setupedit

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

This rule requires Okta to have the following turned on:

Okta Identity Engine - select Phishing Resistance for FastPass under Settings > Features in the Admin Console.

Rule queryedit

event.dataset:okta.system and event.category:authentication and
  okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/

« Okta Brute Force or Password Spraying Attack Okta Sign-In Events via Third-Party IdP »