Detection | high | test

Okta FastPass Phishing Detection

Detects when Okta FastPass prevents a known phishing site.

Austin Songer | Created Sun May 07 | ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e | identity
Log Source
Product: Okta (raw: okta)
Service: okta (raw: okta)
Detection Logic (1 selector)
detection:
    selection:
        outcome.reason: 'FastPass declined phishing attempt'
        outcome.result: FAILURE
        eventtype: user.authentication.auth_via_mfa
    condition: selection
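
The selection above applied to sample events, as an added example that is not part of the rule or of the Sigma project's code. It assumes the log pipeline flattens Okta System Log JSON into dotted, lower-cased field names (so `eventType` becomes `eventtype`) and compares strings case-insensitively, as Sigma does by default; the events and user names are constructed.

```python
# Selection copied from the rule; all three fields must match (logical AND).
SELECTION = {
    "outcome.reason": "FastPass declined phishing attempt",
    "outcome.result": "FAILURE",
    "eventtype": "user.authentication.auth_via_mfa",
}

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted, lower-cased keys (assumed normalization)."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}{key}".lower()
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat

def matches(event):
    """True only if every selection field is present and equal, ignoring case."""
    flat = flatten(event)
    return all(
        isinstance(flat.get(field), str) and flat[field].lower() == expected.lower()
        for field, expected in SELECTION.items()
    )

def alerts(events):
    """Return the targeted account (actor.alternateId) of each matching event."""
    return [e.get("actor", {}).get("alternateId") for e in events if matches(e)]

# Constructed sample events shaped like Okta System Log JSON (not real logs).
def _event(event_type, result, reason, user):
    return {"eventType": event_type,
            "outcome": {"result": result, "reason": reason},
            "actor": {"alternateId": user}}

MFA = "user.authentication.auth_via_mfa"
PHISH = "FastPass declined phishing attempt"
SAMPLE_EVENTS = [
    _event(MFA, "FAILURE", PHISH, "alice@example.com"),                  # matches
    _event(MFA, "SUCCESS", None, "bob@example.com"),                     # normal login
    _event(MFA, "FAILURE", "INVALID_CREDENTIALS", "carol@example.com"),  # other failure
    _event("user.session.start", "FAILURE", PHISH, "dave@example.com"),  # other event type
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```

A match means FastPass already blocked the authentication, so triage centers on the account returned: the user reached a phishing page and any credentials entered there should be treated as exposed.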
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

MITRE ATT&CK
Rule Metadata
Rule ID: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
Status: test
Level: high
Type: Detection
Created: Sun May 07
Path: rules/identity/okta/okta_fastpass_phishing_detection.yml
Raw Tags: attack.initial-access, attack.t1566