diff --git a/rules/cloud/okta/okta_fastpass_phishing_detection.yml b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
index cc810a1c1..212d69290 100644
--- a/rules/cloud/okta/okta_fastpass_phishing_detection.yml
+++ b/rules/cloud/okta/okta_fastpass_phishing_detection.yml
@@ -16,11 +16,11 @@ logsource:
 service: okta
 detection:
 selection:
- displaymessage: FastPass declined phishing attempt
- status: FAILURE
+ outcome.reason: 'FastPass declined phishing attempt'
+ outcome.result: FAILURE
 eventtype:
 - user.authentication.auth_via_mfa
 condition: selection
 falsepositives:
- - Unknown
+ - Unlikely
 level: high
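Review bot: The selection now mixes two field-naming styles: `outcome.reason` and `outcome.result` use the dotted Okta System Log paths, while the unchanged `eventtype` key keeps the flattened lowercase form (the Okta field is `eventType`). Whether all three resolve depends on the backend's field mapping, which is not visible in this hunk, so it is worth confirming against a real FastPass event that the rule still fires after the rename; a `level: high` rule that silently stops matching leaves a blind spot. The exact match on `outcome.reason` also ties the rule to Okta's current wording, and a comment above it such as `# exact Okta reason string; re-validate if Okta changes the message text` would document that dependency. The hunk does not touch a `modified:` date, so if the rule header (outside this hunk) carries one, it presumably needs bumping for this detection change.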