
Okta FastPass Phishing Detection

Detects when Okta FastPass prevents a known phishing site.

Austin Songer | Created Sun May 07 | Updated Mon Apr 27 | ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e | identity
Log Source
Product: Okta (raw: okta)
Service: okta (raw: okta)
Detection Logic (1 selector)
detection:
    selection:
        outcome.reason: 'FastPass declined phishing attempt'
        outcome.result: FAILURE
        eventType: user.authentication.auth_via_mfa
    condition: selection
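
How the selection above evaluates against events, as an added example (not part of the rule or of the Sigma project). It assumes events arrive as JSON lines in the Okta System Log layout, where `outcome.reason` is a nested field; the `triage` and `sample_event` helpers and all sample events are constructed for illustration.

```python
import json

SELECTION = {  # copied from the rule's detection block; every field must match
    "outcome.reason": "FastPass declined phishing attempt",
    "outcome.result": "FAILURE",
    "eventType": "user.authentication.auth_via_mfa",
}

def get_field(event, dotted):
    """Resolve a dotted Sigma field name against a nested JSON event."""
    for key in dotted.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event

def matches(event):
    """AND over the selection; plain Sigma strings compare case-insensitively."""
    for field, expected in SELECTION.items():
        actual = get_field(event, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True

def triage(lines):
    """Return (user, client IP) for each log line the rule would alert on."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of crashing
        if matches(event):
            hits.append((get_field(event, "actor.alternateId"), get_field(event, "client.ipAddress")))
    return hits

def sample_event(user, ip, result, reason):
    """Constructed event using Okta System Log field names (assumed layout)."""
    return json.dumps({"eventType": "user.authentication.auth_via_mfa",
                       "actor": {"alternateId": user}, "client": {"ipAddress": ip},
                       "outcome": {"result": result, "reason": reason}})

SAMPLE_LOG = [  # constructed test data, not real telemetry
    sample_event("alice@example.com", "203.0.113.10", "FAILURE", SELECTION["outcome.reason"]),
    sample_event("bob@example.com", "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    sample_event("carol@example.com", "192.0.2.44", "SUCCESS", None),
    '{"eventType": "user.authentication.auth_via_mfa"}',  # no outcome object
    "not json",
]
```

Calling `triage(SAMPLE_LOG)` returns only the first event's user and client IP; an ordinary MFA failure, a successful authentication, an event without an `outcome` object and a malformed line all fall through.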
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

MITRE ATT&CK
Rule Metadata
Rule ID
ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
Status
test
Level
high
Type
Detection
Created
Sun May 07
Modified
Mon Apr 27
Path
rules/identity/okta/okta_fastpass_phishing_detection.yml
Raw Tags
attack.initial-access, attack.t1566