EDR signals for custom expressions

When you use the Okta Expression Language (EL) to create custom expressions for devices, you can use the trust signals collected by Okta Verify from endpoint detection and response (EDR) vendors. Okta calculates a risk score based on multiple device properties such as account activity or inactivity, account metadata, or password strength. All these factors provide a comprehensive view of your device security.

Android Device Trust

This table lists the device provider attributes (trust signals) that Okta Verify can collect from Android Device Trust.

Attribute: device.provider.azt.playProtectVerdict

Description: Configure the maximum risk threshold of the Google Play Protect scan. (String)

Signals:

  • NO_ISSUES: The scan didn't detect any issues. This is the most secure option.

  • MEDIUM_RISK: The scan detected potentially harmful apps.

  • HIGH_RISK: The scan detected harmful apps or the scan wasn't evaluated. This is the least secure option.

Example: device.provider.azt.playProtectVerdict == 'NO_ISSUES'

Attribute: device.provider.azt.deviceIntegrityLevel

Description: Configure how well a device can enforce app integrity. (List)

Signals:

  • MEETS_BASIC_INTEGRITY: The device passes basic system integrity checks. Devices on Android 13 or later require Android Platform Key Attestation. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. For example, the device may be running an unrecognized version of Android.

  • MEETS_DEVICE_INTEGRITY: The app is running on an Android-powered device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements.

  • MEETS_STRONG_INTEGRITY: The device has Google Play services and a strong guarantee of system integrity according to Android compatibility requirements. Devices on Android 13 or later must have had a security update in the last year.

Example: device.provider.azt.deviceIntegrityLevel.contains('MEETS_STRONG_INTEGRITY')

Attribute: device.provider.azt.screenLockComplexity

Description: Configure the screen lock complexity. (String)

Signals:

  • LOW: A pattern or PIN is set.

  • MEDIUM: A complex PIN, or alphabetic or alphanumeric screen lock with at least 4 digits is set.

  • HIGH: A complex 8-digit PIN, or 6-character alphabetic or alphanumeric screen lock is set.

Example: device.provider.azt.screenLockComplexity == 'HIGH'

Attribute: device.provider.azt.usbDebuggingDisabled

Description: Configure whether Android Debug Bridge (adb) over USB is disabled. (Boolean)

Example: device.provider.azt.usbDebuggingDisabled == true

Attribute: device.provider.azt.networkProxyDisabled

Description: Configure whether a device has a network proxy disabled. (Boolean)

Example: device.provider.azt.networkProxyDisabled == true

Attribute: device.provider.azt.wifiSecurityLevel

Description: Configure whether a device is on a password-protected Wi-Fi network. (String)

Signals:

  • SECURED: The device is connected to a password-protected Wi-Fi network.

  • NON_WIFI_TRANSPORT: The device isn't connected to a Wi-Fi network.

Example: device.provider.azt.wifiSecurityLevel == 'SECURED' || device.provider.azt.wifiSecurityLevel == 'NON_WIFI_TRANSPORT'
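
The String signals are compared with ==, so a "this level or better" rule has to list every acceptable value, as the wifiSecurityLevel expression above does. The following Python is an added example, not part of Okta's documentation, that generates such allow-list expressions from the signal values in this section. The function names are hypothetical, and the clauses are joined with the Okta EL && operator and parentheses, which this page doesn't show.

```python
# Added example: generate Okta EL allow-list expressions for Android signals.
PREFIX = "device.provider.azt."

# Signal values from the table above, ordered from most to least secure.
PLAY_PROTECT = ["NO_ISSUES", "MEDIUM_RISK", "HIGH_RISK"]
SCREEN_LOCK = ["HIGH", "MEDIUM", "LOW"]
INTEGRITY = ["MEETS_STRONG_INTEGRITY", "MEETS_DEVICE_INTEGRITY",
             "MEETS_BASIC_INTEGRITY"]


def accepted_values(scale, weakest):
    """Every value on the scale that is at least as secure as `weakest`."""
    if weakest not in scale:
        raise ValueError(f"unknown signal value: {weakest!r}")
    return scale[: scale.index(weakest) + 1]


def string_at_least(attr, scale, weakest):
    """OR together one equality test per accepted value (String attribute)."""
    return " || ".join(f"{PREFIX}{attr} == '{v}'"
                       for v in accepted_values(scale, weakest))


def list_at_least(attr, scale, weakest):
    """OR together one contains() test per accepted value (List attribute)."""
    return " || ".join(f"{PREFIX}{attr}.contains('{v}')"
                       for v in accepted_values(scale, weakest))


def android_policy(max_play_risk, min_lock, min_integrity):
    """AND the clauses; each is parenthesised so || stays inside its clause."""
    clauses = [
        string_at_least("playProtectVerdict", PLAY_PROTECT, max_play_risk),
        string_at_least("screenLockComplexity", SCREEN_LOCK, min_lock),
        list_at_least("deviceIntegrityLevel", INTEGRITY, min_integrity),
        f"{PREFIX}usbDebuggingDisabled == true",
    ]
    return " && ".join(f"({c})" for c in clauses)


if __name__ == "__main__":
    # Accept Play Protect up to MEDIUM_RISK, a MEDIUM or better screen lock,
    # and device integrity or better.
    print(android_policy("MEDIUM_RISK", "MEDIUM", "MEETS_DEVICE_INTEGRITY"))
```

Because only listed values are accepted, a signal value that isn't on the allow list fails the expression instead of passing by default.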

CrowdStrike

This table lists the device provider attributes (trust signals) that Okta Verify can collect from CrowdStrike.

Attribute: device.provider.zta.os

Description: Integer determined by CrowdStrike. The higher the number, the more trusted the device.

Example: device.provider.zta.os <= 60

Attribute: device.provider.zta.overall

Description: Integer determined by CrowdStrike. The higher the number, the more trusted the device.

Example: device.provider.zta.overall >= 60

Attribute: device.provider.zta.sensorConfig

Description: A number from CrowdStrike that represents an enum value. (Integer)

Example: device.provider.zta.sensorConfig == 20

Attribute: device.provider.zta.csSerialNumber

Description: Serial number of the device determined by CrowdStrike. (String)

Example: device.provider.zta.csSerialNumber == device.profile.serialNumber

Attribute: device.provider.zta.cid

Description: CrowdStrike customer ID. (String)

Example: device.provider.zta.cid == "my-crowdstrike-customer-id"

Attribute: device.provider.zta.csPlatform

Description: The OS platform of the device determined by CrowdStrike. (String)

Example: device.provider.zta.csPlatform == "Windows 11"

Attribute: device.provider.zta.aid

Description: CrowdStrike agent ID. (String)

Example: device.provider.zta.aid == "dev-agent-id"

Attribute: device.provider.zta.expirationDateTime

Description: Expiration date and time of these signals determined by CrowdStrike. (String)

Example: device.provider.zta.expirationDateTime.parseUnixTime() > DateTime.now()

Attribute: device.provider.zta.issuedDateTime

Description: Issued date and time of these signals determined by CrowdStrike. (String)

Example: device.provider.zta.issuedDateTime.parseUnixTime() < DateTime.now()
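
The CrowdStrike expressions above each test one attribute. As an added example (not Okta or CrowdStrike code), this Python model combines the score, customer ID, serial-number binding and validity-window checks and reports which ones fail, so a high score carried by expired signals is still rejected. The function name and sample signals are constructed for illustration, and the timestamp strings are assumed to hold Unix epoch seconds.

```python
import time


def check_zta(signals, device_serial, expected_cid, min_overall=60, now=None):
    """Return the names of the failed checks; an empty list means a pass."""
    now = time.time() if now is None else now
    failed = []

    def as_number(key):
        # Missing or non-numeric values return None so the check fails closed.
        try:
            return float(signals[key])
        except (KeyError, TypeError, ValueError):
            return None

    overall = as_number("overall")
    if overall is None or not overall >= min_overall:
        failed.append("overall")
    if signals.get("cid") != expected_cid:
        failed.append("cid")
    serial = signals.get("csSerialNumber")
    if not serial or serial != device_serial:
        failed.append("csSerialNumber")
    # Validity window: issued in the past and not yet expired.
    issued = as_number("issuedDateTime")
    expires = as_number("expirationDateTime")
    if issued is None or not issued < now:
        failed.append("issuedDateTime")
    if expires is None or not expires > now:
        failed.append("expirationDateTime")
    return failed


# Constructed sample data (assumption: epoch seconds stored as strings).
NOW = 1_700_000_000
CID = "my-crowdstrike-customer-id"
FRESH = {
    "overall": 72, "cid": CID, "csSerialNumber": "C02EXAMPLE",
    "issuedDateTime": str(NOW - 600), "expirationDateTime": str(NOW + 3600),
}
# Higher score, but the signals expired a minute before NOW.
STALE = dict(FRESH, overall=95, expirationDateTime=str(NOW - 60))

if __name__ == "__main__":
    print(check_zta(FRESH, "C02EXAMPLE", CID, now=NOW))
    print(check_zta(STALE, "C02EXAMPLE", CID, now=NOW))
```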

If you use CrowdStrike, sign in to your account and read these CrowdStrike guides:

Windows Security Center

This table lists the device provider attributes (trust signals) that Okta Verify can collect from Windows Security Center.

Attribute: device.provider.wsc.antiVirus

Description: Obtains the status of all anti-virus products on the device. (String) Returns the status of the attribute with the appropriate signal.

Example: device.provider.wsc.antiVirus == "GOOD"

Signals:

  • GOOD: There's no action required.

  • NOT_MONITORED: Windows Security Center doesn't monitor the firewall status.

  • POOR: The device could be at risk.

  • SNOOZE: Windows Security Center is in a snooze state, so it doesn't protect the device.

  • UNKNOWN: Okta Verify didn't collect the signal.

Attribute: device.provider.wsc.fireWall

Description: Obtains the status of the firewall on the device. (String)

Attribute: device.provider.wsc.autoUpdateSettings

Description: Obtains the status of the auto-update settings on the device. (String)

Attribute: device.provider.wsc.internetSettings

Description: Obtains the status of the internet settings on the device. (String)

Attribute: device.provider.wsc.userAccountControl

Description: Obtains the status of the User Account Control on the device. (String)

Attribute: device.provider.wsc.securityCenterService

Description: Obtains the status of the Windows Security Center service. (String)
