
[New Rule] Okta Multiple OS Names Detected for a Single DT Hash #5240

@terrancedejesus

Description

Overview

This rule detects suspicious authentication activity where a single Okta device token (DT) hash is associated with multiple different operating system names during authentication events. This behavior has been identified as a high-fidelity indicator of compromise in real-world incident response cases.

Background: What is a Device Token (DT) Hash?

Okta uses device tokens as a mechanism for device trust and recognition. The device token hash (dt_hash) is a unique identifier that Okta generates and associates with a specific device when it authenticates. This hash is designed to remain consistent for the same device across multiple authentication sessions.

The dt_hash helps Okta:

  • Track and identify trusted devices
  • Implement device-based conditional access policies
  • Detect anomalous authentication patterns
  • Provide context for security investigations

Why This Detection Matters

Under normal circumstances, a single device token hash should consistently report the same operating system name, as it represents a unique device with a fixed OS. When a single dt_hash is observed with multiple different OS names (e.g., the same hash appearing with both "Windows 10" and "macOS"), this indicates one of the following scenarios:

  1. Token Theft/Replay: An attacker has stolen or extracted the device token from a legitimate device and is replaying it from a different system with a different OS
  2. Session Hijacking: The device token has been compromised as part of a broader session hijacking attack
  3. Adversary Tooling: Attackers are using automation or tooling that manipulates user agent strings but reuses the same device token
  4. Token Manipulation: Direct manipulation or forgery of device tokens as part of an authentication bypass attempt

This detection has proven to be a high-fidelity signal in real incident response investigations, making it valuable for identifying active account compromise or authentication bypass attempts.

Rule Logic

The rule will use a threshold query type to identify when a single dt_hash value is associated with multiple distinct user_agent.os.name values during authentication events.

Query

data_stream.dataset: "okta.system" and okta.debug_context.debug_data.dt_hash: * and user_agent.os.name: * and event.action: ("user.authentication.verify" or "user.authentication.auth_via_mfa")

Threshold Configuration

  • Threshold field: okta.debug_context.debug_data.dt_hash
  • Unique fields: user_agent.os.name
  • Threshold value: >= 2 unique OS platforms for a single DT hash
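The query and threshold above, re-implemented as an added example (this is not the rule's own code or the detection-rules project's code) over constructed Okta system log events, so the grouping and filtering behaviour can be checked offline. Field paths follow the query in the issue; the dt_hash values, OS names and user names are made up, `user.name` is assumed as the ECS mapping of the Okta actor and is used only for the report, and `make_event` is a helper for building the sample data.

```python
# Added example (not the rule's own code): the proposed rule's KQL filter and
# threshold logic, re-implemented over constructed Okta system log events.
# All dt_hash values, OS names and users below are made up.
from collections import defaultdict

ALLOWED_ACTIONS = {"user.authentication.verify", "user.authentication.auth_via_mfa"}
DT_HASH_PATH = "okta.debug_context.debug_data.dt_hash"
OS_NAME_PATH = "user_agent.os.name"


def make_event(action, dt_hash, os_name, user, dataset="okta.system"):
    """Build a minimal ECS-style Okta event as a nested dict (constructed sample data).
    user.name is an assumed ECS mapping of the Okta actor, used only for reporting."""
    ev = {
        "data_stream": {"dataset": dataset},
        "event": {"action": action},
        "okta": {"debug_context": {"debug_data": {}}},
        "user_agent": {"os": {}},
        "user": {"name": user},
    }
    if dt_hash is not None:
        ev["okta"]["debug_context"]["debug_data"]["dt_hash"] = dt_hash
    if os_name is not None:
        ev["user_agent"]["os"]["name"] = os_name
    return ev


SAMPLE_EVENTS = [
    # dthashA: one device token seen with two OS names -> should alert
    make_event("user.authentication.verify", "dthashA", "Windows 10", "alice"),
    make_event("user.authentication.auth_via_mfa", "dthashA", "macOS", "alice"),
    # dthashB: same OS on every authentication -> benign
    make_event("user.authentication.verify", "dthashB", "Windows 10", "bob"),
    make_event("user.authentication.verify", "dthashB", "Windows 10", "bob"),
    # dthashC: the second OS only appears on an event.action outside the filter
    make_event("user.authentication.verify", "dthashC", "Linux", "carol"),
    make_event("user.session.start", "dthashC", "Android", "carol"),
    # missing dt_hash or os.name: dropped by the `field: *` existence checks
    make_event("user.authentication.verify", None, "iOS", "dave"),
    make_event("user.authentication.verify", "dthashD", None, "dave"),
    # dthashE comes from another dataset -> dropped by the data_stream.dataset filter
    make_event("user.authentication.verify", "dthashE", "Windows 10", "erin", dataset="other.logs"),
    make_event("user.authentication.verify", "dthashE", "macOS", "erin", dataset="other.logs"),
]


def get_field(event, path):
    """Walk a dotted ECS path; return None when any segment is absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_query(event):
    """Equivalent of the rule's KQL filter: dataset, field existence, event.action."""
    return (
        get_field(event, "data_stream.dataset") == "okta.system"
        and get_field(event, DT_HASH_PATH) is not None
        and get_field(event, OS_NAME_PATH) is not None
        and get_field(event, "event.action") in ALLOWED_ACTIONS
    )


def find_multi_os_dt_hashes(events, threshold=2):
    """Group filtered events by dt_hash and return the hashes whose number of
    distinct user_agent.os.name values reaches the threshold (the rule's
    cardinality check). Result: {dt_hash: {"os_names": [...], "users": [...]}}."""
    os_names = defaultdict(set)
    users = defaultdict(set)
    for ev in events:
        if not matches_query(ev):
            continue
        h = get_field(ev, DT_HASH_PATH)
        os_names[h].add(get_field(ev, OS_NAME_PATH))
        user = get_field(ev, "user.name")
        if user is not None:
            users[h].add(user)
    return {
        h: {"os_names": sorted(names), "users": sorted(users[h])}
        for h, names in os_names.items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for dt_hash, hit in find_multi_os_dt_hashes(SAMPLE_EVENTS).items():
        print(f"ALERT dt_hash={dt_hash} os_names={hit['os_names']} users={hit['users']}")
```

Only dthashA fires on the sample set: dthashB never changes OS, dthashC's second OS appears on an action the query excludes, and the remaining events fail the existence or dataset checks. In Elastic the cardinality is computed over the rule's lookback window; this version counts over whatever list of events it is given, so the window is whatever slice of the index you feed it.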
