
Summary
This detection rule identifies successful single sign-on (SSO) events to applications within Okta that are initiated from unrecognized or 'unknown' client devices, as indicated by the user-agent string. This monitoring matters because vulnerabilities in Okta's Classic Engine can allow attackers to exploit such conditions to bypass application-specific sign-on policies, such as device and network restrictions. The detection threshold is based on events logged within the last nine months, targeting Okta system events whose types designate successful SSO actions. The rule flags instances where the client device is categorized as 'unknown', a signal of potential unauthorized access using valid but stolen credentials. Investigative guidance is included to analyze such events further and respond effectively, outlining steps to confirm the anomaly and attribute each login attempt to a legitimate user or a suspected intruder.
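As an added example, not part of the rule itself, the filter described above applied to a few constructed Okta System Log records. The field names (eventType, outcome.result, client.device, client.userAgent.rawUserAgent, actor, target) and the user.authentication.sso event type follow the Okta System Log schema as I know it; the rule text does not name them, so treat them as assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real telemetry). Only the second line should
# match: successful SSO, device 'Unknown', inside the lookback window.
SAMPLE_LOG = """
{"published":"2024-09-30T12:00:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"device":"Computer","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/129.0"}},"target":[{"type":"AppInstance","displayName":"Salesforce"}]}
{"published":"2024-10-01T08:15:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"device":"Unknown","userAgent":{"rawUserAgent":"python-requests/2.31"}},"target":[{"type":"AppInstance","displayName":"AWS"}]}
{"published":"2024-10-01T08:16:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"},"client":{"device":"Unknown","userAgent":{"rawUserAgent":"python-requests/2.31"}},"target":[{"type":"AppInstance","displayName":"AWS"}]}
{"published":"2023-11-01T08:16:00.000Z","eventType":"user.authentication.sso","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"device":"Unknown","userAgent":{"rawUserAgent":""}},"target":[{"type":"AppInstance","displayName":"GitHub"}]}
{"published":"2024-10-02T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dave@example.com"},"client":{"device":"Unknown","userAgent":{"rawUserAgent":""}},"target":[]}
"""

SSO_EVENT_TYPES = {"user.authentication.sso"}  # assumed Okta event type for app SSO
LOOKBACK = timedelta(days=270)                  # roughly the nine-month window the rule uses


def find_unknown_device_sso(log_text, now):
    """Return alert dicts for successful SSO events from an 'Unknown' client device.

    now: timezone-aware datetime marking the end of the lookback window.
    """
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventType") not in SSO_EVENT_TYPES:
            continue  # not an application SSO event
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # the rule only cares about successful sign-ons
        published = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if published.replace(tzinfo=timezone.utc) < now - LOOKBACK:
            continue  # outside the lookback window
        client = ev.get("client", {})
        # A missing device field is treated as unknown as well (assumption).
        if str(client.get("device", "Unknown")).lower() != "unknown":
            continue
        apps = [t.get("displayName") for t in ev.get("target", []) if t.get("type") == "AppInstance"]
        alerts.append({
            "user": ev.get("actor", {}).get("alternateId"),
            "apps": apps,
            "user_agent": client.get("userAgent", {}).get("rawUserAgent", ""),
            "published": ev["published"],
        })
    return alerts


def run_sample():
    """Evaluate the constructed log as of the rule's creation date."""
    return find_unknown_device_sso(SAMPLE_LOG, datetime(2024, 10, 7, tzinfo=timezone.utc))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The surfaced user-agent string is the first thing to check during triage, since an empty or scripted value is what separates a tooling gap from an attacker reusing stolen credentials.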
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Web Credential
- Application Log
ATT&CK Techniques
- T1078
Created: 2024-10-07