From 72732c85c4123395d73f04764e5246ee02d2b5a9 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 28 Nov 2023 08:26:16 -0600 Subject: [PATCH] [New Rule] Okta FastPass Phishing (#2782) * Create initial_access_fastpass_phishing.toml * Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update initial_access_okta_fastpass_phishing.toml * Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml * Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml * Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml * Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml * Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit 1f47e3c1a97d7e580e69dc926f0692d337dc61f6) --- ...initial_access_okta_fastpass_phishing.toml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/integrations/okta/initial_access_okta_fastpass_phishing.toml diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml new file mode 100644 index 00000000000..dc6875ef138 --- /dev/null +++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml @@ -0,0 +1,57 @@ +[metadata] +creation_date = "2023/05/07" +integration = ["okta"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/11/07" + +[rule] +author = ["Austin Songer"] +description = """ +Detects when Okta FastPass prevents a user from authenticating to a phishing website. +""" + +index = ["filebeat-*", "logs-okta*"] +language = "kuery" +license = "Elastic License v2" +name = "Okta FastPass Phishing Detection" +note = """## Setup + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +This rule requires Okta to have the following turned on: + +Okta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console. +""" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://sec.okta.com/fastpassphishingdetection", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" +] +risk_score = 47 +rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e" +severity = "medium" +tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:okta.system and event.category:authentication and + okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/"