Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
Sigma rule (View on GitHub)
1title: Okta FastPass Phishing Detection
2id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
3status: test
4description: Detects when Okta FastPass prevents a known phishing site.
5references:
6 - https://sec.okta.com/fastpassphishingdetection
7 - https://developer.okta.com/docs/reference/api/system-log/
8 - https://developer.okta.com/docs/reference/api/event-types/
9author: Austin Songer @austinsonger
10date: 2023/05/07
11tags:
12 - attack.initial_access
13 - attack.t1566
14logsource:
15 product: okta
16 service: okta
17detection:
18 selection:
19 outcome.reason: 'FastPass declined phishing attempt'
20 outcome.result: FAILURE
21 eventtype: user.authentication.auth_via_mfa
22 condition: selection
23falsepositives:
24 - Unlikely
25level: high
References
-
In the last two installments in our series on phishing resistance, we discussed phishing resistant authenticators and how to gather signals about phishing lures directly from your users. Now let’s drill down into detection and response: what signals does Okta’s System Log provide that are indicative of in-flight phishing campaigns?
Read More -
-
Related rules
- Search-ms and WebDAV Suspicious Indicators in URL
- Download From Suspicious TLD - Whitelist
- Suspicious Microsoft OneNote Child Process
- Suspicious Execution via macOS Script Editor
- Potential Initial Access via DLL Search Order Hijacking