Okta FastPass Phishing Detection
Detects Okta system-log events in which Okta FastPass declines a user's MFA step because the sign-in was initiated from a phishing website, blocking the authentication.
[metadata]
# Data source and lifecycle state of this rule.
integration = ["okta"]
maturity = "production"

# Authoring history (YYYY/MM/DD).
creation_date = "2023/05/07"
updated_date = "2024/12/09"

# Minimum Elastic Stack version; the Okta integration's field layout changed at 8.15.0,
# so the query below is not expected to match on older integration output.
min_stack_version = "8.15.0"
min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."

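[rule]
author = ["Austin Songer"]
description = "Detects when Okta FastPass prevents a user from authenticating to a phishing website.\n"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta FastPass Phishing Detection"
note = """## Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

This rule requires Okta to have the following turned on:

Okta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.

## Triage and analysis

### Investigating Okta FastPass Phishing Detection

A match means Okta FastPass refused to complete the MFA step because the sign-in was initiated from a phishing website. The block itself worked, but the event is evidence that a specific user was actively targeted and may already have entered a password on the attacker's page before FastPass intervened. Treat it as a confirmed phishing attempt, not as an ordinary authentication failure.

#### Possible investigation steps

- Identify the targeted user and the client address and user agent recorded in the matching event, and pivot on each for other Okta activity shortly before and after the event.
- Look for a successful sign-in by the same user, or from the same source, around the same time: an attacker who holds the password may retry with a factor that is not phishing-resistant.
- Ask the user how they reached the sign-in page; the referring message or link identifies the campaign and any other recipients.
- Assume the user's password may be compromised and reset it; confirm which factors the user has enrolled and whether any non-phishing-resistant factor remains usable.
- Check the related Okta rules (proxy-originated sessions, new authentication behavior, sign-ins from different geolocations, third-party IdP sign-ins) for the same user.

### False positive analysis

- Matches are expected to be rare. Authorized phishing simulations or security testing that proxies the Okta sign-in page will trigger this rule; confirm with the team running the exercise before closing.

### Response and remediation

- Block and report the phishing domain, reset the targeted user's credentials, and review and revoke any suspicious active sessions for that user.
- Consider raising the severity of this alert in your environment if a confirmed phishing attempt against a user is treated as high priority regardless of outcome.
"""
references = [
    "https://developer.okta.com/docs/reference/api/system-log/",
    "https://developer.okta.com/docs/reference/api/event-types/",
    "https://sec.okta.com/fastpassphishingdetection",
    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
    "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
    "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
# Medium because the attempt was blocked by FastPass; see the note above on raising it.
risk_score = 47
rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
severity = "medium"
tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"

# event.outcome:failure is the protective block (FastPass refused the MFA step), not a
# user error. okta.outcome.reason is an exact phrase match on Okta's own wording; if Okta
# changes that string the rule goes silent without any error, so re-validate it against
# live events after Okta feature releases.
query = '''
event.dataset:okta.system and event.category:authentication and
  okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt"
'''
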
[[rule.threat]]
framework = "MITRE ATT&CK"
# A FastPass phishing block is an attempted Initial Access (TA0001) via Phishing (T1566).
tactic = { id = "TA0001", name = "Initial Access", reference = "https://attack.mitre.org/tactics/TA0001/" }
technique = [
    { id = "T1566", name = "Phishing", reference = "https://attack.mitre.org/techniques/T1566/" },
]
Setup
This rule expects data from the Okta Fleet integration, the Filebeat Okta module, or another source that produces the same field structure.
This rule requires Okta to have the following turned on:
Okta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.
References
Related rules
- First Occurrence of Okta User Session Started via Proxy
- New Okta Authentication Behavior Detected
- Okta Sign-In Events via Third-Party IdP
- Okta User Sessions Started from Different Geolocations
- Successful Application SSO from Rare Unknown Client Device