/
okta_phishing_detection_with_fastpass_origin_check.yml
48 lines (48 loc) · 2.11 KB
/
okta_phishing_detection_with_fastpass_origin_check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: Okta Phishing Detection with FastPass Origin Check
id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
version: 1
date: '2023-03-09'
author: Okta, Inc, Michael Haag, Splunk
type: TTP
status: experimental
data_source: []
description: The following analytic identifies when Okta''s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies.
Okta''s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.
search: '`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt"
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`'
how_to_implement: This search is specific to Okta and requires Okta logs to be
ingested in your Splunk deployment.
known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.
references:
- https://sec.okta.com/fastpassphishingdetection
tags:
analytic_story:
- Okta Account Takeover
asset_type: Infrastructure
confidence: 100
impact: 100
message: Okta FastPass has prevented $user$ from authenticating to a malicious site.
mitre_attack_id:
- T1078
- T1078.001
- T1556
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventType
- client.userAgent.rawUserAgent
- client.userAgent.browser
- outcome.reason
- displayMessage
risk_score: 100
security_domain: access