
Summary
This detection rule identifies suspicious session cookie usage in Okta environments by tracking changes in the client IP address and User Agent observed for a given Device Token associated with a user. By monitoring policy evaluation events from successful authentication logs, the rule aims to uncover cases where an adversary is reusing a stolen web session cookie, which sidesteps authentication controls and can allow unauthorized access to accounts. The search uses statistical aggregation to find users who exhibit multiple distinct values for these client attributes and flags them as potential indicators of risky behavior. To implement this rule, organizations must be ingesting Okta events into the Splunk platform, specifically via the Okta Identity Cloud Add-on. False positives may arise from legitimate changes in user behavior, which vary with organizational size and Okta configuration.
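The correlation described above, reproduced outside Splunk as an added example that is not part of the original rule: constructed Okta System Log events are grouped by user and dtHash (Okta's device-token hash field) and any pair seen from more than one client IP and more than one user agent is flagged. The events, users and addresses are invented, and requiring both attributes to change is an assumption about the rule's threshold.

```python
from collections import defaultdict

# Field names follow the Okta System Log schema (eventType, outcome.result,
# actor.alternateId, client.*, debugContext.debugData.dtHash); data is constructed.
def okta_event(user, ip, ua, dt_hash, result="SUCCESS"):
    """Build a minimal sign-on policy evaluation event (constructed sample data)."""
    return {"eventType": "policy.evaluate_sign_on", "outcome": {"result": result},
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "debugContext": {"debugData": {"dtHash": dt_hash}}}

SAMPLE_EVENTS = [
    # alice: the same device token reappears from a new IP with a different client
    okta_event("alice@example.com", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "dt-alice-1"),
    okta_event("alice@example.com", "198.51.100.7", "curl/8.4.0", "dt-alice-1"),
    # bob: consistent client, must not be flagged
    okta_event("bob@example.com", "203.0.113.20", "Mozilla/5.0 (Macintosh) Safari/605", "dt-bob-1"),
    # carol: IP changed (roaming) but same browser; the failed attempt is ignored
    okta_event("carol@example.com", "203.0.113.30", "Mozilla/5.0 (iPhone) Safari/604", "dt-carol-1"),
    okta_event("carol@example.com", "198.51.100.31", "Mozilla/5.0 (iPhone) Safari/604", "dt-carol-1"),
    okta_event("carol@example.com", "198.51.100.99", "python-requests/2.31", "dt-carol-1", result="FAILURE"),
]


def suspicious_session_reuse(events):
    """Group successful sign-on policy evaluations by (user, dtHash) and return the
    pairs seen with more than one client IP AND more than one user agent (assumed threshold)."""
    seen = defaultdict(lambda: {"ips": set(), "uas": set()})
    for ev in events:
        if ev.get("eventType") != "policy.evaluate_sign_on":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # only successful evaluations count, as in the rule
        dt = ev.get("debugContext", {}).get("debugData", {}).get("dtHash")
        if not dt:  # no device token, nothing to correlate on
            continue
        rec = seen[(ev["actor"]["alternateId"], dt)]
        rec["ips"].add(ev["client"]["ipAddress"])
        rec["uas"].add(ev["client"]["userAgent"]["rawUserAgent"])
    return {k: {"ips": sorted(v["ips"]), "uas": sorted(v["uas"])}
            for k, v in seen.items()
            if len(v["ips"]) > 1 and len(v["uas"]) > 1}


if __name__ == "__main__":
    for (user, dt), hit in suspicious_session_reuse(SAMPLE_EVENTS).items():
        print(f"{user} dtHash={dt} ips={hit['ips']} user_agents={hit['uas']}")
```

Only alice is reported; carol's IP change alone does not meet the combined threshold, which is the trade-off the false-positive note in the summary refers to.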
Categories
- Identity Management
- Cloud
- Application
Data Sources
- Pod
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1539
Created: 2025-01-21