Techniques
Sample rules
Okta Multiple OS Names Detected for a Single DT Hash
- source: elastic
- techniques:
- T1539
Description
Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a different machine.
Detection logic
data_stream.dataset: "okta.system"
and not okta.debug_context.debug_data.dt_hash: "-"
and user_agent.os.name: *
and event.action: (
"user.authentication.verify" or
"user.authentication.auth_via_mfa"
)
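The query above is only the event filter; the alert condition in the description (one dt_hash seen with more than one OS name) is an aggregation applied on top of it. The following is an added example, not the rule's own code or Elastic's, that implements both steps in Python over constructed okta.system events. It assumes the nested ECS field layout the rule's dotted field names imply and a hypothetical okta.actor.alternate_id field for reporting the affected user.

```python
from collections import defaultdict

# Build a minimal event in the nested layout the rule's dotted field names imply.
def _event(action, os_name, dt_hash, user="alice@example.com", dataset="okta.system"):
    return {"data_stream": {"dataset": dataset}, "event": {"action": action},
            "user_agent": {"os": {"name": os_name}},
            "okta": {"actor": {"alternate_id": user},  # assumed field, used only for reporting
                     "debug_context": {"debug_data": {"dt_hash": dt_hash}}}}

# Constructed sample events; hashes, users and OS names are made up.
SAMPLE_EVENTS = [
    _event("user.authentication.verify", "Windows", "dt_hash_A"),
    _event("user.authentication.auth_via_mfa", "Mac OS X", "dt_hash_A"),  # same token, second OS
    _event("user.authentication.verify", "Windows", "dt_hash_A"),         # repeat OS, still 2 distinct
    _event("user.authentication.verify", "iOS", "dt_hash_B", user="bob@example.com"),  # single OS
    _event("user.authentication.verify", "Linux", "-"),                    # no device token: excluded
    _event("user.session.start", "Android", "dt_hash_B"),                  # not an auth action: excluded
]

def _get(event, dotted, default=None):
    """Walk a dotted path such as 'okta.debug_context.debug_data.dt_hash'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def matches_rule(event):
    """Mirror the rule's filter: dataset, a real dt_hash, an OS name and an auth action."""
    return (
        _get(event, "data_stream.dataset") == "okta.system"
        and _get(event, "okta.debug_context.debug_data.dt_hash") not in (None, "-")
        and bool(_get(event, "user_agent.os.name"))
        and _get(event, "event.action") in {"user.authentication.verify",
                                             "user.authentication.auth_via_mfa"}
    )

def find_multi_os_tokens(events, min_os_count=2):
    """Group filtered events by dt_hash; flag hashes seen with >= min_os_count distinct OS names."""
    os_by_hash, users_by_hash = defaultdict(set), defaultdict(set)
    for ev in filter(matches_rule, events):
        h = _get(ev, "okta.debug_context.debug_data.dt_hash")
        os_by_hash[h].add(_get(ev, "user_agent.os.name"))
        users_by_hash[h].add(_get(ev, "okta.actor.alternate_id"))
    return {h: {"os_names": sorted(oses), "users": sorted(users_by_hash[h])}
            for h, oses in os_by_hash.items() if len(oses) >= min_os_count}

if __name__ == "__main__":
    for h, info in find_multi_os_tokens(SAMPLE_EVENTS).items():
        print(f"ALERT dt_hash={h} os_names={info['os_names']} users={info['users']}")
```

Only dt_hash_A is flagged; dt_hash_B stays on one OS, and the events without a token or outside the two authentication actions never reach the aggregation.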