Okta FastPass Phishing Detection

calendar Dec 12, 2023 · Tactic: Initial Access Use Case: Identity and Access Audit Data Source: Okta  ·
Share on: linkedin copy

Detects when Okta FastPass prevents a user from authenticating to a phishing website.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/05/07"
 3integration = ["okta"]
 4maturity = "production"
 5min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
 6min_stack_version = "8.10.0"
 7updated_date = "2023/11/07"
 8
 9[rule]
10author = ["Austin Songer"]
11description = """
12Detects when Okta FastPass prevents a user from authenticating to a phishing website.
13"""
14
15index = ["filebeat-*", "logs-okta*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Okta FastPass Phishing Detection"
19note = """## Setup
20
21The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
22
23This rule requires Okta to have the following turned on:
24
25Okta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.
26"""
27references = [
28    "https://developer.okta.com/docs/reference/api/system-log/",
29    "https://developer.okta.com/docs/reference/api/event-types/",
30    "https://sec.okta.com/fastpassphishingdetection",
31    "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
32]
33risk_score = 47
34rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
35severity = "medium"
36tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:okta.system and event.category:authentication and
42  okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt"
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1566"
50name = "Phishing"
51reference = "https://attack.mitre.org/techniques/T1566/"
52
53
54[rule.threat.tactic]
55id = "TA0001"
56name = "Initial Access"
57reference = "https://attack.mitre.org/tactics/TA0001/"

Setup

The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

This rule requires Okta to have the following turned on:

Okta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.

References

  • System Log | Okta Developer

    Secure, scalable, and highly available authentication and user management for any app.


    Read More

  • Event Types | Okta Developer

    Secure, scalable, and highly available authentication and user management for any app.


    Read More

  • Detecting Real-Time Phishing Attacks

    In the last two installments in our series on phishing resistance, we discussed phishing resistant authenticators and how to gather signals about phishing lures directly from your users. Now let’s drill down into detection and response: what signals does Okta’s System Log provide that are indicative of in-flight phishing campaigns?


    Read More

  • Cross-Tenant Impersonation: Prevention and Detection

    Summary Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant). When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion. These methods are preventable and present several detection opportunities for defenders. In recent weeks, multiple US-based Okta customers have reported a consistent pattern of so


    Read More

Related rules

to-top