EDR signals for custom expressions

When you use the Okta Expression Language (EL) to create custom expressions for devices, you can use the trust signals collected by Okta Verify from endpoint detection and response (EDR) vendors. Okta calculates a risk score based on multiple device properties such as account activity or inactivity, account metadata, or password strength. All these factors provide a comprehensive view of your device security.

CrowdStrike

This table lists the device provider attributes (trust signals) that Okta Verify can collect from CrowdStrike.

Attribute	Description
device.provider.zta.os	Integer determined by CrowdStrike The higher the number, the more trusted the device device.provider.zta.os <= 60
device.provider.zta.overall	Integer determined by CrowdStrike The higher the number, the more trusted the device device.provider.zta.overall >= 60
device.provider.zta.sensorConfig	CrowdStrike number represents an enum (Integer) device.provider.zta.sensorConfig == 20
device.provider.zta.csSerialNumber	Serial number of the device determined by CrowdStrike (String) device.provider.zta.csSerialNumber == device.profile.serialNumber
device.provider.zta.cid	CrowdStrike customer ID (String) device.provider.zta.cid == "my-crowdstrike-customer-id"
device.provider.zta.csPlatform	The OS platform of the device determined by CrowdStrike (String) device.provider.zta.csPlatform == "Windows 11"
device.provider.zta.aid	CrowdStrike agent ID (String) device.provider.zta.aid == "dev-agent-id"
device.provider.zta.expirationDateTime	Expiration date and time of these signals determined by CrowdStrike (String) device.provider.zta.expirationDateTime.parseUnixTime() > DateTime.now()
device.provider.zta.issuedDateTime	Issued date and time of these signals determined by CrowdStrike (String) device.provider.zta.issuedDateTime.parseUnixTime() < DateTime.now()

If you use CrowdStrike, sign in to your account and read these CrowdStrike guides:

• US-1 cloud Zero Trust Assessment console user guide

• US-2 cloud Zero Trust Assessment console user guide

• EU-1 cloud Zero Trust Assessment console user guide

• US-GOV-1 cloud Zero Trust Assessment console user guide

Windows Security Center

This table lists the device provider attributes (trust signals) that Okta Verify can collect from Windows Security Center.

Attribute	Description
device.provider.wsc.antiVirus	Obtains the status of all anti-virus products on the device (String) Returns the status of the attribute with the appropriate signal. device.provider.wsc.antiVirus == "GOOD" Signals: GOOD: There's no action required. NOT_MONITORED: Windows Security Center doesn't monitor the firewall status. POOR: The device could be at risk. SNOOZE: Windows Security Center is in a snooze state, so it doesn't protect the device. UNKNOWN: Okta Verify didn't collect the signal.
device.provider.wsc.fireWall	Obtains the status of the firewall on the device (String)
device.provider.wsc.autoUpdateSettings	Obtains the status of the auto-update settings on the device (String)
device.provider.wsc.internetSettings	Obtains the status of the internet settings on the device (String)
device.provider.wsc.userAccountControl	Obtains the status of the User Account Control on the device (String)
device.provider.wsc.securityCenterService	Obtains the status of the Windows Security Center service (String)

Related topics

Endpoint security integrations

Get started with endpoint security integrations