
Summary
This detection rule identifies potential session hijacking in an Okta environment by monitoring for multiple device token hashes associated with a single Okta session. Okta records a device token hash on each system log event, and a session normally carries one hash for its lifetime; when an authenticated Okta actor produces more than one device token hash within the same session, the session is being used from more than one device, which is a strong indicator that its session cookie or token has been stolen and replayed (T1539, Steal Web Session Cookie). The detection logic uses ES|QL over Okta system logs: it excludes the event types in which a new device token hash is issued as part of normal authentication, then counts the distinct device token hashes per actor and session and alerts when that count exceeds one. Alerting on this anomaly supports timely investigation and remediation before a hijacked session is used to reach sensitive resources such as the Okta admin console and downstream applications. During triage, confirm that the second hash is not explained by a legitimate device or browser change before treating the session as compromised.
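The grouping and counting described above, run over a handful of constructed Okta system log events, as an added illustration that is not the rule's own ES|QL query or Elastic's code. It reads the real Okta System Log field names (actor.alternateId, authenticationContext.externalSessionId, debugContext.debugData.dtHash, eventType); the sample values, the exclusion list (EXCLUDED_EVENT_TYPES) and the helper names are assumptions made for the example.

```python
from collections import defaultdict


def _ev(actor, sid, dt, event_type):
    """Build a minimal Okta System Log event (constructed sample, not real data)."""
    return {
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "authenticationContext": {"externalSessionId": sid},
        "debugContext": {"debugData": {"dtHash": dt}},
    }


# Constructed sample events; every actor, session id and hash value is made up.
SAMPLE_EVENTS = [
    # alice: one session, one device token hash throughout -> benign
    _ev("alice@example.com", "sess-A1", "dt-alice-1", "user.session.start"),
    _ev("alice@example.com", "sess-A1", "dt-alice-1", "user.authentication.sso"),
    _ev("alice@example.com", "sess-A1", "dt-alice-1", "app.oauth2.token.grant"),
    # bob: the same session id is used from two different device token hashes -> alert
    _ev("bob@example.com", "sess-B7", "dt-bob-laptop", "user.session.start"),
    _ev("bob@example.com", "sess-B7", "dt-bob-laptop", "user.authentication.sso"),
    _ev("bob@example.com", "sess-B7", "dt-unknown-9f", "user.authentication.sso"),
    _ev("bob@example.com", "sess-B7", "dt-unknown-9f", "user.session.access_admin_app"),
    # carol: the second hash appears only on session.start events, where a fresh
    # device token is issued anyway -> suppressed by the exclusion list
    _ev("carol@example.com", "sess-C3", "dt-carol-old", "user.session.start"),
    _ev("carol@example.com", "sess-C3", "dt-carol-new", "user.session.start"),
    _ev("carol@example.com", "sess-C3", "dt-carol-new", "user.authentication.sso"),
    # dave: event without a session id cannot be attributed to a session -> skipped
    {
        "eventType": "user.authentication.sso",
        "actor": {"alternateId": "dave@example.com"},
        "authenticationContext": {},
        "debugContext": {"debugData": {"dtHash": "dt-dave"}},
    },
]

# Event types in which a new device token hash is expected during normal
# authentication. This set is an assumption for the example, not the rule's own list.
EXCLUDED_EVENT_TYPES = {"user.session.start", "user.session.end"}


def _get(event, path):
    """Return the value at a dotted path such as 'debugContext.debugData.dtHash', or None."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def hashes_per_session(events, excluded=EXCLUDED_EVENT_TYPES):
    """Group events by (actor, external session id) and collect the distinct
    device token hashes seen in each group, mirroring the ES|QL STATS ... BY step."""
    buckets = defaultdict(set)
    for ev in events:
        if ev.get("eventType") in excluded:
            continue
        actor = _get(ev, "actor.alternateId")
        sid = _get(ev, "authenticationContext.externalSessionId")
        dt = _get(ev, "debugContext.debugData.dtHash")
        if not actor or not sid or not dt:
            continue  # incomplete record: nothing to correlate on
        buckets[(actor, sid)].add(dt)
    return dict(buckets)


def find_hijacked_sessions(events, threshold=1, excluded=EXCLUDED_EVENT_TYPES):
    """Return [(actor, session_id, sorted_hashes)] for every session whose distinct
    device token hash count exceeds `threshold` (the rule's "more than one")."""
    alerts = []
    for (actor, sid), hashes in sorted(hashes_per_session(events, excluded).items()):
        if len(hashes) > threshold:
            alerts.append((actor, sid, sorted(hashes)))
    return alerts


if __name__ == "__main__":
    for actor, sid, hashes in find_hijacked_sessions(SAMPLE_EVENTS):
        print(f"ALERT: {actor} session {sid} seen from {len(hashes)} device token hashes: {hashes}")
```

Running it flags only bob's session; carol's second hash is dropped because it occurs on an excluded event type. Passing `excluded=set()` shows why that exclusion matters: without it the carol session also alerts, which is the kind of false positive the rule's event-type filter is there to remove.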
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
- Network Traffic
ATT&CK Techniques
- T1539
Created: 2023-11-08