
Summary
This detection rule for Okta identifies suspicious reuse of a web session cookie. It fires when a session cookie issued by an earlier authentication is later presented from a different source IP address and a different operating system/browser combination than the one it was originally issued to. The search collects the relevant authentication events, extracts the session hash from each event, and groups the results by user and session hash over a configurable time window, counting the distinct source IPs and the distinct browser and OS values seen per group. Groups whose distinct source IP count or distinct browser/OS count exceeds the configured threshold are flagged as possible session hijacking, since a stolen cookie is typically replayed from the attacker's own host rather than the victim's. The rule is associated with threat actor groups known to target Okta sessions and maps to the ATT&CK techniques for stealing and replaying web session cookies (credential access and defense evasion).
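The grouping-and-threshold logic described above, run over a handful of constructed Okta System Log records, as an added example (not the rule's own search and not code from the page). Field names are the Okta System Log JSON shape; the session-hash field `debugContext.debugData.dtHash`, the set of event types treated as "authentication events", the thresholds, and the requirement that both the IP and the OS/browser change before a group is flagged are assumptions made for this example. The sample log lines are constructed, not real data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: these Okta eventType values reflect use of an authenticated session.
AUTH_EVENT_TYPES = {"user.authentication.sso", "user.session.start", "policy.evaluate_sign_on"}


def _event(ts, user, dt_hash, ip, os_name, browser, event_type="user.authentication.sso"):
    """Build a minimal Okta System Log record containing only the fields the detection reads."""
    return json.dumps({
        "published": ts,
        "eventType": event_type,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "userAgent": {"os": os_name, "browser": browser}},
        "debugContext": {"debugData": {"dtHash": dt_hash}},  # assumed session-hash field
    })


# Constructed sample log: alice's cookie is replayed from a new IP and a new client,
# bob is stable, carol only changes IP (e.g. a mobile network), dave's first event
# falls outside the default 24h window and his last event is not an auth event.
SAMPLE_LOG = [
    _event("2024-02-09T10:00:00.000Z", "alice@example.com", "hash-a1", "203.0.113.10", "Mac OS X", "CHROME"),
    _event("2024-02-09T10:04:00.000Z", "alice@example.com", "hash-a1", "198.51.100.7", "Windows 10", "FIREFOX"),
    _event("2024-02-09T10:10:00.000Z", "bob@example.com", "hash-b1", "203.0.113.22", "Windows 10", "CHROME"),
    _event("2024-02-09T10:12:00.000Z", "bob@example.com", "hash-b1", "203.0.113.22", "Windows 10", "CHROME"),
    _event("2024-02-09T10:20:00.000Z", "carol@example.com", "hash-c1", "203.0.113.5", "iOS", "SAFARI"),
    _event("2024-02-09T10:25:00.000Z", "carol@example.com", "hash-c1", "198.51.100.9", "iOS", "SAFARI"),
    _event("2024-02-08T09:00:00.000Z", "dave@example.com", "hash-d1", "192.0.2.4", "Linux", "CHROME"),
    _event("2024-02-09T10:30:00.000Z", "dave@example.com", "hash-d1", "198.51.100.3", "Windows 10", "EDGE"),
    _event("2024-02-09T10:31:00.000Z", "dave@example.com", "hash-d1", "198.51.100.3", "Windows 10", "EDGE",
           event_type="user.account.update_password"),
]


def parse_events(lines):
    """Keep only authentication events that carry a session hash; flatten the fields we need."""
    events = []
    for line in lines:
        e = json.loads(line)
        if e.get("eventType") not in AUTH_EVENT_TYPES:
            continue
        dt_hash = e.get("debugContext", {}).get("debugData", {}).get("dtHash")
        if not dt_hash:
            continue
        client = e.get("client", {})
        ua = client.get("userAgent", {})
        events.append({
            "ts": datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
            "user": e["actor"]["alternateId"],
            "dt_hash": dt_hash,
            "ip": client.get("ipAddress"),
            "os": ua.get("os"),
            "browser": ua.get("browser"),
        })
    return events


def find_suspicious_sessions(lines, window_hours=24, ip_threshold=1, client_threshold=1):
    """Group auth events by (user, session hash) inside a window ending at the newest event
    and flag groups whose distinct IP count AND distinct OS-or-browser count exceed thresholds."""
    events = parse_events(lines)
    if not events:
        return {}
    window_start = max(e["ts"] for e in events) - timedelta(hours=window_hours)
    groups = defaultdict(lambda: {"ips": set(), "os": set(), "browsers": set(), "count": 0})
    for e in events:
        if e["ts"] < window_start:
            continue
        g = groups[(e["user"], e["dt_hash"])]
        g["count"] += 1
        for field, bucket in (("ip", "ips"), ("os", "os"), ("browser", "browsers")):
            if e[field]:
                g[bucket].add(e[field])
    alerts = {}
    for key, g in groups.items():
        ip_moved = len(g["ips"]) > ip_threshold
        client_changed = len(g["os"]) > client_threshold or len(g["browsers"]) > client_threshold
        if ip_moved and client_changed:  # assumption: require both, to cut NAT/mobile noise
            alerts[key] = {
                "distinct_ips": sorted(g["ips"]),
                "distinct_os": sorted(g["os"]),
                "distinct_browsers": sorted(g["browsers"]),
                "events": g["count"],
            }
    return alerts


if __name__ == "__main__":
    for (user, dt_hash), detail in find_suspicious_sessions(SAMPLE_LOG).items():
        print(f"possible session hijack: user={user} dtHash={dt_hash} {detail}")
```

With the default 24-hour window only alice's session is flagged; widening the window to 72 hours also pulls in dave's older event and flags his session. Carol's IP-only change is deliberately not flagged by this example because mobile carriers and VPN egress points move users between IPs routinely; whether a single changed dimension should alert is a threshold-tuning decision for the environment.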
Categories
- Web
- Identity Management
- Cloud
Data Sources
- Web Credential
- User Account
- Logon Session
ATT&CK Techniques
- T1550.004 (Use Alternate Authentication Material: Web Session Cookie)
- T1539 (Steal Web Session Cookie)
Created: 2024-02-09