Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
Sigma rule
title: Okta FastPass Phishing Detection
id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
status: test
description: Detects when Okta FastPass prevents a known phishing site.
references:
    - https://sec.okta.com/fastpassphishingdetection
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2023-05-07
tags:
    - attack.initial-access
    - attack.t1566
logsource:
    product: okta
    service: okta
detection:
    selection:
        outcome.reason: 'FastPass declined phishing attempt'
        outcome.result: FAILURE
        eventtype: user.authentication.auth_via_mfa
    condition: selection
falsepositives:
    - Unlikely
level: high
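The rule's selection applied to raw Okta System Log events, as an added example that is not part of the Sigma rule or of Okta's tooling. It assumes one JSON event per line, that the raw log spells the rule's `eventtype` field as `eventType`, and that `published`, `actor.alternateId` and `client.ipAddress` are present for triage; the sample events are constructed.

```python
import json

# Selection copied from the rule above; Sigma compares plain strings case-insensitively.
SELECTION = {
    "outcome.reason": "FastPass declined phishing attempt",
    "outcome.result": "FAILURE",
    "eventtype": "user.authentication.auth_via_mfa",
}
# Assumption: raw System Log JSON uses "eventType"; the rule's field is "eventtype".
FIELD_ALIASES = {"eventtype": "eventType"}

def get_field(event, dotted):
    """Resolve a dotted field name against a nested event dict, or return None."""
    node = event
    for part in FIELD_ALIASES.get(dotted, dotted).split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(event):
    """True when every selection field is a string equal to the rule value."""
    for field, expected in SELECTION.items():
        value = get_field(event, field)
        if not isinstance(value, str) or value.lower() != expected.lower():
            return False
    return True

def triage(lines):
    """Return (published, actor, client IP) for each line the rule would flag."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if isinstance(event, dict) and matches(event):
            hits.append((event.get("published"), get_field(event, "actor.alternateId"), get_field(event, "client.ipAddress")))
    return hits

# Constructed sample events (not real log data).
SAMPLE = [
    '{"published":"2023-05-07T10:00:00.000Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE","reason":"FastPass declined phishing attempt"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}',
    '{"published":"2023-05-07T10:01:00.000Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"FAILURE","reason":"INVALID_CREDENTIALS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11"}}',
    '{"published":"2023-05-07T10:02:00.000Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS","reason":null},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.12"}}',
    '{"published":"2023-05-07T10:03:00.000Z","eventType":"user.authen',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the first sample event matches: the second fails for a different reason, the third succeeded, and the fourth is a truncated line that is skipped.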
Related rules
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist
- HTML Help HH.EXE Suspicious Child Process
- Phishing Pattern ISO in Archive
- Potential Initial Access via DLL Search Order Hijacking