EDR signals for custom expressions

When you use the Okta Expression Language (EL) to create custom expressions for devices, you can use the trust signals collected by Okta Verify from endpoint detection and response (EDR) vendors. Okta calculates a risk score based on multiple device properties such as account activity or inactivity, account metadata, or password strength. All these factors provide a comprehensive view of your device security.

CrowdStrike

This table lists the device provider attributes (trust signals) that Okta Verify can collect from CrowdStrike.

| Attribute | Description | Example |
| --- | --- | --- |
| device.provider.zta.os | Integer determined by CrowdStrike. The higher the number, the more trusted the device. | device.provider.zta.os <= 60 |
| device.provider.zta.overall | Integer determined by CrowdStrike. The higher the number, the more trusted the device. | device.provider.zta.overall >= 60 |
| device.provider.zta.sensorConfig | CrowdStrike number that represents an enum (Integer) | device.provider.zta.sensorConfig == 20 |
| device.provider.zta.csSerialNumber | Serial number of the device determined by CrowdStrike (String) | device.provider.zta.csSerialNumber == device.profile.serialNumber |
| device.provider.zta.cid | CrowdStrike customer ID (String) | device.provider.zta.cid == "my-crowdstrike-customer-id" |
| device.provider.zta.csPlatform | The OS platform of the device determined by CrowdStrike (String) | device.provider.zta.csPlatform == "Windows 11" |
| device.provider.zta.aid | CrowdStrike agent ID (String) | device.provider.zta.aid == "dev-agent-id" |
| device.provider.zta.expirationDateTime | Expiration date and time of these signals determined by CrowdStrike (String) | device.provider.zta.expirationDateTime.parseUnixTime() > DateTime.now() |
| device.provider.zta.issuedDateTime | Issued date and time of these signals determined by CrowdStrike (String) | device.provider.zta.issuedDateTime.parseUnixTime() < DateTime.now() |

If you use CrowdStrike, sign in to your account and read these CrowdStrike guides:

Windows Security Center

This table lists the device provider attributes (trust signals) that Okta Verify can collect from Windows Security Center.

| Attribute | Description |
| --- | --- |
| device.provider.wsc.antiVirus | Obtains the status of all anti-virus products on the device (String) |
| device.provider.wsc.fireWall | Obtains the status of the firewall on the device (String) |
| device.provider.wsc.autoUpdateSettings | Obtains the status of the auto-update settings on the device (String) |
| device.provider.wsc.internetSettings | Obtains the status of the internet settings on the device (String) |
| device.provider.wsc.userAccountControl | Obtains the status of the User Account Control on the device (String) |
| device.provider.wsc.securityCenterService | Obtains the status of the Windows Security Center service (String) |

Example: device.provider.wsc.antiVirus == "GOOD"

Returns the status of the attribute with the appropriate signal.

Signals:

  • GOOD: There’s no action required.
  • NOT_MONITORED: Windows Security Center doesn't monitor the firewall status.
  • POOR: The device could be at risk.
  • SNOOZE: Windows Security Center is in a snooze state, so it doesn't protect the device.
  • UNKNOWN: Okta Verify didn't collect the signal.
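
Added example (not Okta's or CrowdStrike's code): a Python model of the example expressions from both tables, evaluated together over constructed signal payloads so that stale, mismatched or missing signals fail closed. It assumes parseUnixTime() reads a string of Unix epoch seconds; the function names, sample serial number and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed values, not real identifiers; the threshold 60 is the page's example.
EXPECTED_CID = "my-crowdstrike-customer-id"
MIN_OVERALL = 60

def unix_to_dt(value):
    """Assumed model of parseUnixTime(): a string of Unix epoch seconds."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def failed_checks(zta, wsc, profile, now):
    """Return the names of failed checks; an empty list means the device passes.

    Missing or malformed signals fail closed instead of being skipped.
    """
    failed = []

    def check(name, predicate):
        try:
            ok = bool(predicate())
        except (KeyError, TypeError, ValueError):
            ok = False  # absent or unparsable signal is treated as untrusted
        if not ok:
            failed.append(name)

    # device.provider.zta.overall >= 60
    check("overall", lambda: zta["overall"] >= MIN_OVERALL)
    # device.provider.zta.cid == "my-crowdstrike-customer-id"
    check("cid", lambda: zta["cid"] == EXPECTED_CID)
    # device.provider.zta.csSerialNumber == device.profile.serialNumber
    check("serial", lambda: zta["csSerialNumber"] == profile["serialNumber"])
    # device.provider.zta.issuedDateTime.parseUnixTime() < DateTime.now()
    check("issued", lambda: unix_to_dt(zta["issuedDateTime"]) < now)
    # device.provider.zta.expirationDateTime.parseUnixTime() > DateTime.now()
    check("expiry", lambda: unix_to_dt(zta["expirationDateTime"]) > now)
    # device.provider.wsc.antiVirus == "GOOD" (same comparison for fireWall)
    check("antiVirus", lambda: wsc["antiVirus"] == "GOOD")
    check("fireWall", lambda: wsc["fireWall"] == "GOOD")
    return failed

# Constructed sample payloads for an offline run.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
PROFILE = {"serialNumber": "SN-EXAMPLE-001"}
GOOD_ZTA = {"overall": 72, "cid": EXPECTED_CID, "csSerialNumber": "SN-EXAMPLE-001",
            "issuedDateTime": "1704105000", "expirationDateTime": "1704115800"}
GOOD_WSC = {"antiVirus": "GOOD", "fireWall": "GOOD"}
```

A score check on its own says nothing about which device or tenant produced the score or how old it is; the serial number, customer ID and date checks are what tie the signal to this device, this CrowdStrike tenant and the current time.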
