
Summary
This rule detects new authentication behaviors flagged by Okta's behavior detection system, such as logins from unfamiliar devices or locations. It queries the Okta logs indexed by Filebeat using KQL, which allows precise selection of the relevant events. Fields such as 'okta.actor.id', 'okta.client.ip', and the associated device and user fields give an analyst what is needed to investigate the authentication attempt and decide whether the behavior is legitimate or a threat. The rule runs on a fixed interval and is intended for environments using the Okta Fleet integration or the Filebeat Okta module. Response steps for detected events include reviewing the user's history, assessing the integrity of the device, and taking corrective action depending on whether the authentication attempt turns out to be legitimate.
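The following is an added illustration of the triage logic this summary describes, written here as example code; it is not the rule's own KQL query nor code from Elastic or Okta. It runs over constructed Okta System Log events in the flattened shape Filebeat produces. Only 'okta.actor.id' and 'okta.client.ip' come from the summary above; the other field names (event.dataset, event.action, okta.outcome.result, okta.client.device, okta.actor.alternate_id, okta.debug_context.debug_data.behaviors) and the behavior-flag string format are assumptions for this example and should be checked against your own indexed data.

```python
import json
import re

# Constructed sample log lines (not real telemetry). Field names other than
# okta.actor.id and okta.client.ip are assumptions for this example.
SAMPLE_LOG_LINES = [
    json.dumps({
        "@timestamp": "2023-11-07T10:15:00Z",
        "event.dataset": "okta.system",
        "event.action": "user.session.start",
        "okta.outcome.result": "SUCCESS",
        "okta.actor.id": "00uEXAMPLE0001",
        "okta.actor.alternate_id": "alice@example.test",
        "okta.client.ip": "198.51.100.23",
        "okta.client.device": "Computer",
        "okta.debug_context.debug_data.behaviors":
            "{New Geo-Location=POSITIVE, New Device=POSITIVE, New IP=POSITIVE, "
            "New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=POSITIVE}",
    }),
    json.dumps({
        "@timestamp": "2023-11-07T10:16:00Z",
        "event.dataset": "okta.system",
        "event.action": "user.session.start",
        "okta.outcome.result": "SUCCESS",
        "okta.actor.id": "00uEXAMPLE0002",
        "okta.actor.alternate_id": "bob@example.test",
        "okta.client.ip": "203.0.113.8",
        "okta.client.device": "Mobile",
        "okta.debug_context.debug_data.behaviors":
            "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE}",
    }),
    json.dumps({
        "@timestamp": "2023-11-07T10:17:00Z",
        "event.dataset": "okta.system",
        "event.action": "user.session.start",
        "okta.outcome.result": "FAILURE",
        "okta.actor.id": "00uEXAMPLE0003",
        "okta.actor.alternate_id": "carol@example.test",
        "okta.client.ip": "192.0.2.77",
        "okta.client.device": "Unknown",
        "okta.debug_context.debug_data.behaviors":
            "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=POSITIVE}",
    }),
    json.dumps({
        # Not an authentication event; the detection must ignore it.
        "@timestamp": "2023-11-07T10:18:00Z",
        "event.dataset": "okta.system",
        "event.action": "user.account.update_password",
        "okta.actor.id": "00uEXAMPLE0001",
        "okta.client.ip": "198.51.100.23",
    }),
]

# Behavior flags that indicate a "new" authentication behavior.
NEW_BEHAVIOR_KEYS = (
    "New Device", "New Geo-Location", "New IP", "New City", "New State", "New Country",
)


def parse_behaviors(raw):
    """Turn '{New Device=POSITIVE, New IP=NEGATIVE}' into {'New Device': 'POSITIVE', ...}."""
    flags = {}
    for match in re.finditer(r"([^{},=]+)=([A-Z_]+)", raw or ""):
        flags[match.group(1).strip()] = match.group(2)
    return flags


def detect_new_behavior(lines):
    """Return one triage record per session-start event carrying a POSITIVE new-behavior flag."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event.get("event.dataset") != "okta.system":
            continue
        if event.get("event.action") != "user.session.start":
            continue
        flags = parse_behaviors(event.get("okta.debug_context.debug_data.behaviors"))
        positive = sorted(k for k in NEW_BEHAVIOR_KEYS if flags.get(k) == "POSITIVE")
        if not positive:
            continue
        outcome = event.get("okta.outcome.result")
        alerts.append({
            "timestamp": event.get("@timestamp"),
            "actor_id": event.get("okta.actor.id"),
            "user": event.get("okta.actor.alternate_id"),
            "client_ip": event.get("okta.client.ip"),
            "device": event.get("okta.client.device"),
            "outcome": outcome,
            "new_behaviors": positive,
            # A successful login with new behavior needs the user-history and
            # device-integrity review first; a failed one is still worth noting.
            "severity": "high" if outcome == "SUCCESS" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_behavior(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```

The record keeps the actor, source IP and device fields together so the first response steps named above (reviewing the user's history and the device) can start from one line; a successful login with a new-behavior flag is ranked above a failed one because it is the case where corrective action may be needed.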
Categories
- Identity Management
- Cloud
- Endpoint
Data Sources
- User Account
- Cloud Service
- Application Log
Created: 2023-11-07