Okta Multiple OS Names Detected for a Single DT Hash

Last updated: 2025-10-22
Created: 2025-10-22

About

Identifies when a single Okta device token hash (dt_hash) is associated with more than one operating system name across authentication events. A device token is bound to one device and therefore to one operating system, so seeing several OS names for the same hash is highly anomalous and strongly indicates that an attacker has stolen a device token and is replaying it from a different machine to impersonate a legitimate user.
Tags
Domain: Identity
Data Source: Okta
Data Source: Okta System Logs
Use Case: Threat Detection
Tactic: Credential Access
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)

False Positive Examples
The operating system is recorded as null when the device is not recognized as a managed device. In environments where users frequently switch between managed and unmanaged devices, the same device token can therefore appear with inconsistent OS values, which may lead to false positives.
License
Elastic License v2

Definition

Rule Type
Threshold Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-okta.system-*
Related Integrations

okta

Query
data_stream.dataset: "okta.system"
    and not okta.debug_context.debug_data.dt_hash: "-"
    and user_agent.os.name: *
    and event.action: (
        "user.authentication.verify" or
        "user.authentication.auth_via_mfa"
    )
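The KQL above only selects candidate authentication events; the threshold part of the rule (grouping on dt_hash and counting distinct user_agent.os.name values) is what raises the alert. The following Python is an added example written for this page, not part of the Elastic rule, that reproduces both stages over constructed sample documents shaped like the okta.system data stream. It assumes a threshold of two distinct OS names per hash, and it includes the unmanaged-device cases from the false positive note (dt_hash of "-" and a null OS name) to show how the query's exists check handles them.

```python
from collections import defaultdict

# Constructed sample documents shaped like Elastic's okta.system data stream.
# These are illustrative records written for this example, not real Okta logs.
SAMPLE_EVENTS = [
    # Same device token used from two operating systems: the anomaly this rule targets.
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.authentication.verify"},
     "okta": {"actor": {"alternate_id": "alice@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "aaa111"}}},
     "user_agent": {"os": {"name": "Windows"}}},
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.authentication.auth_via_mfa"},
     "okta": {"actor": {"alternate_id": "alice@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "aaa111"}}},
     "user_agent": {"os": {"name": "Mac OS X"}}},
    # Same token, same OS, repeated: benign.
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.authentication.verify"},
     "okta": {"actor": {"alternate_id": "bob@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "bbb222"}}},
     "user_agent": {"os": {"name": "Windows"}}},
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.authentication.auth_via_mfa"},
     "okta": {"actor": {"alternate_id": "bob@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "bbb222"}}},
     "user_agent": {"os": {"name": "Windows"}}},
    # Unrecognised device: dt_hash is "-", excluded by the query.
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.authentication.verify"},
     "okta": {"actor": {"alternate_id": "carol@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "-"}}},
     "user_agent": {"os": {"name": "Linux"}}},
    # Token seen once with an OS name and once with a null OS name (the false
    # positive scenario); `user_agent.os.name: *` drops the null record.
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.authentication.verify"},
     "okta": {"actor": {"alternate_id": "dave@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "ddd444"}}},
     "user_agent": {"os": {"name": "Windows"}}},
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.authentication.verify"},
     "okta": {"actor": {"alternate_id": "dave@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "ddd444"}}},
     "user_agent": {"os": {"name": None}}},
    # Wrong event.action: not one of the monitored authentication events.
    {"data_stream": {"dataset": "okta.system"},
     "event": {"action": "user.session.start"},
     "okta": {"actor": {"alternate_id": "eve@example.com"},
              "debug_context": {"debug_data": {"dt_hash": "eee555"}}},
     "user_agent": {"os": {"name": "Linux"}}},
]

MONITORED_ACTIONS = {"user.authentication.verify", "user.authentication.auth_via_mfa"}
DT_HASH_FIELD = "okta.debug_context.debug_data.dt_hash"
OS_NAME_FIELD = "user_agent.os.name"


def get_path(doc, dotted):
    """Resolve a dotted ECS field name against a nested dict; None if any hop is missing or null."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_query(doc):
    """Reproduce the rule's KQL filter for one document."""
    if get_path(doc, "data_stream.dataset") != "okta.system":
        return False
    if get_path(doc, DT_HASH_FIELD) == "-":
        return False
    # KQL `field: *` is an exists query: an absent or null os.name does not match.
    if get_path(doc, OS_NAME_FIELD) is None:
        return False
    return get_path(doc, "event.action") in MONITORED_ACTIONS


def group_os_names(events):
    """Group matching events by dt_hash, collecting the distinct OS names and actors seen."""
    buckets = defaultdict(lambda: {"os_names": set(), "actors": set()})
    for doc in events:
        if not matches_query(doc):
            continue
        dt_hash = get_path(doc, DT_HASH_FIELD)
        if dt_hash is None:
            # Cannot be grouped on dt_hash; a threshold rule grouping on the field would not bucket it either.
            continue
        buckets[dt_hash]["os_names"].add(get_path(doc, OS_NAME_FIELD))
        actor = get_path(doc, "okta.actor.alternate_id")
        if actor:
            buckets[dt_hash]["actors"].add(actor)
    return buckets


def find_anomalous_hashes(events, min_distinct_os=2):
    """Return dt_hash values seen with at least min_distinct_os OS names (threshold of 2 is an assumption)."""
    return {
        h: {"os_names": sorted(b["os_names"]), "actors": sorted(b["actors"])}
        for h, b in group_os_names(events).items()
        if len(b["os_names"]) >= min_distinct_os
    }


if __name__ == "__main__":
    for dt_hash, detail in find_anomalous_hashes(SAMPLE_EVENTS).items():
        print(f"ALERT dt_hash={dt_hash} os_names={detail['os_names']} actors={detail['actors']}")
```

Only aaa111 is flagged: bbb222 repeats one OS, carol's "-" hash and eve's session event never pass the filter, and dave's null-OS record is excluded by the exists check, so his hash is seen with a single OS name. Collecting the actor identifiers per hash is not part of the rule but is the first thing a triage analyst wants alongside the alert, since a stolen token used by a different Okta user is far more suspicious than one user on two OS names.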

Install detection rules in Elastic Security

Detect this activity in the Elastic Security detection engine by installing the Okta Multiple OS Names Detected for a Single DT Hash rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.