Okta Multiple OS Names Detected for a Single DT Hash

Status: production
Severity: high
Time window: 1h
Group by: okta.debug_context.debug_data.dt_hash
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a different machine.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1539` Steal Web Session Cookie

Event coverage

Provider	Event
Okta-user	user.authentication.auth_via_mfa
Okta-user	user.authentication.verify

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

First Occurrence of Okta User Session Started via Proxy (Elastic)
MFA Fatigue (OKTA) (Kusto)
Okta AiTM Phishing Attempt Blocked by FastPass (Panther)
Okta Fast Pass phishing Detection (Kusto)
Okta FastPass Phishing Detection (Sigma)
Okta FastPass Phishing Detection (Elastic)
Okta MFA Bruteforce Attack (YARA-L)
Okta Mismatch Between Source And Response For Verify Push Request (YARA-L)

Rule body elastic

[metadata]
creation_date = "2025/10/22"
integration = ["okta"]
maturity = "production"
updated_date = "2026/03/24"

[rule]
author = ["Elastic"]
description = """
Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is
highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly
indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a
different machine.
"""
false_positives = [
    """
    Applications will tag the operating system as null when the device is not recognized as a managed device. In
    environments where users frequently switch between managed and unmanaged devices, this may lead to false positives.
    """,
]
from = "now-60m"
index = ["logs-okta.system-*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta Multiple OS Names Detected for a Single DT Hash"
note = """## Triage and analysis

### Investigating Okta Multiple OS Names Detected for a Single DT Hash

This rule detects when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a different machine.

### Possible investigation steps
- Review the `okta.debug_context.debug_data.dt_hash` field to identify the specific device
trust hash associated with multiple operating systems.
- Examine the `user.email` field to determine which user account is associated with the suspicious activity
- Analyze the `source.ip` field to identify the IP addresses from which the different operating systems were reported. Look for any unusual or unexpected locations.
- Review the `user_agent.os.name` field to see the different operating systems reported for the
same dt_hash. This will help identify the nature of the anomaly.
- Check the `event.action` field to understand the context of the authentication events (e.g., MFA verification, standard authentication).
- Investigate the timeline of events to see when the different operating systems were reported for the same dt_hash. Look for patterns or sequences that may indicate malicious activity.
- Correlate this activity with other security events in your environment, such as failed login attempts, unusual access patterns, or alerts from endpoint security solutions.

### False positive analysis
- Applications will tag the operating system as null when the device is not recognized as a managed device
- In environments where users frequently switch between managed and unmanaged devices, this may lead to false positives.

### Response and remediation
- Immediately investigate the user account associated with the suspicious activity to determine if it has been compromised.
- If compromise is confirmed, reset the user's credentials and enforce multi-factor authentication (MFA)
- Revoke any active sessions associated with the compromised account to prevent further unauthorized access.
- Review and monitor the affected dt_hash for any further suspicious activity.
- Educate users about the importance of device security and the risks associated with device tokens.
- Implement additional monitoring for device token tokens and consider using conditional access policies to restrict access based on device compliance status.
"""
risk_score = 73
rule_id = "fb3ca230-af4e-11f0-900d-f661ea17fbcc"
severity = "high"
tags = [
    "Domain: Identity",
    "Data Source: Okta",
    "Data Source: Okta System Logs",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
data_stream.dataset: "okta.system"
    and not okta.debug_context.debug_data.dt_hash: "-"
    and user_agent.os.name: *
    and event.action: (
        "user.authentication.verify" or
        "user.authentication.auth_via_mfa"
    )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "okta.debug_context.debug_data.dt_hash",
    "user.email",
    "source.ip",
    "user_agent.os.name",
    "event.action",
]

[rule.threshold]
field = ["okta.debug_context.debug_data.dt_hash"]
value = 1
[[rule.threshold.cardinality]]
field = "user_agent.os.name"
value = 2

Stages and Predicates

Stage 1: `kuery`

data_stream.dataset: "okta.system"
    and not okta.debug_context.debug_data.dt_hash: "-"
    and user_agent.os.name: *
    and event.action: (
        "user.authentication.verify" or
        "user.authentication.auth_via_mfa"
    )

Threshold: gte 1
Cardinality: user_agent.os.name ≥ 2

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`okta.debug_context.debug_data.dt_hash`	eq	`-`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data_stream.dataset`	eq	`okta.system`
`event.action`	in	`user.authentication.auth_via_mfa` `user.authentication.verify`
`user_agent.os.name`	is_not_null	(no value, null check)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Okta Multiple OS Names Detected for a Single DT Hash

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `kuery`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Okta Multiple OS Names Detected for a Single DT Hash

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: kuery

Exclusions

Indicators

Stage 1: `kuery`