EDR signals for custom expressions

When you use the Okta Expression Language (EL) to create custom expressions for devices, you can use the trust signals collected by Okta Verify from endpoint detection and response (EDR) vendors. Okta calculates a risk score based on multiple device properties such as account activity or inactivity, account metadata, or password strength. All these factors provide a comprehensive view of your device security.

CrowdStrike

This table lists the device provider attributes (trust signals) that Okta Verify can collect from CrowdStrike.

| Attribute | Description | Type | Example |
| --- | --- | --- | --- |
| device.provider.zta.os | Defined by CrowdStrike. Obtains an integer. The higher the number, the more trustworthy the device. | Integer | device.provider.zta.os <= 60 |
| device.provider.zta.overall | Defined by CrowdStrike. Obtains an integer. The higher the number, the more trustworthy the device. | Integer | device.provider.zta.overall >= 60 |
| device.provider.zta.sensorConfig | Defined by CrowdStrike. Obtains a number that represents an enum. | Integer | device.provider.zta.sensorConfig == 2 |

If you use CrowdStrike, sign in to your account and read these Zero Trust Assessment user guides:

Windows Security Center

This table lists the device provider attributes (trust signals) that Okta Verify can collect from Windows Security Center.

| Attribute | Description | Type | Example |
| --- | --- | --- | --- |
| device.provider.wsc.antiVirus | Obtains the status of all anti-virus products on the device. | String | Returns the status of the attribute with the appropriate signal. For example, device.provider.wsc.antiVirus == "GOOD". |
| device.provider.wsc.fireWall | Obtains the status of the firewall on the device. | | |
| device.provider.wsc.autoUpdateSettings | Obtains the status of the auto-update settings on the device. | | |
| device.provider.wsc.internetSettings | Obtains the status of the internet settings on the device. | | |
| device.provider.wsc.userAccountControl | Obtains the status of the User Account Control on the device. | | |
| device.provider.wsc.securityCenterService | Obtains the status of the Windows Security Center service. | | |

Signals:

  • GOOD: There’s no action required.

  • NOT_MONITORED: Windows Security Center doesn't monitor the firewall status.

  • POOR: The device could be at risk.

  • SNOOZE: Windows Security Center is in a snooze state, so it doesn't protect the device.

  • UNKNOWN: Okta Verify didn't collect the signal.
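
The signal list has five values, so how a condition is written decides which of them pass. As an added example (a Python model of the comparison, not Okta's code or evaluator; the function names and the sample device are constructed here), this compares a condition written as != "POOR" with one written as == "GOOD":

```python
# Added example: a model of comparison semantics, not Okta's evaluator.
# Signal values and attribute names are the ones listed on this page.
WSC_SIGNALS = ("GOOD", "NOT_MONITORED", "POOR", "SNOOZE", "UNKNOWN")

REQUIRED = (
    "device.provider.wsc.antiVirus",
    "device.provider.wsc.fireWall",
    "device.provider.wsc.securityCenterService",
)

def deny_list_ok(signal):
    """Models a condition written as: attribute != "POOR"."""
    return signal != "POOR"

def allow_list_ok(signal):
    """Models a condition written as: attribute == "GOOD"."""
    return signal == "GOOD"

def admitted_signals(predicate):
    """List every documented signal value the predicate lets through."""
    return [s for s in WSC_SIGNALS if predicate(s)]

def evaluate(device, predicate, required=REQUIRED):
    """Return (allowed, failing) for a dict of collected signals."""
    # Assumption of this model: an attribute missing from the dict is
    # treated as UNKNOWN, the value listed for an uncollected signal.
    failing = {}
    for attr in required:
        signal = device.get(attr, "UNKNOWN")
        if not predicate(signal):
            failing[attr] = signal
    return (not failing, failing)

# Constructed sample device: antivirus snoozed, firewall not monitored,
# and no securityCenterService signal collected.
SAMPLE_DEVICE = {
    "device.provider.wsc.antiVirus": "SNOOZE",
    "device.provider.wsc.fireWall": "NOT_MONITORED",
}

if __name__ == "__main__":
    for name, pred in (("!= POOR", deny_list_ok), ("== GOOD", allow_list_ok)):
        print(name, admitted_signals(pred), evaluate(SAMPLE_DEVICE, pred))
```

In this model the != "POOR" form admits the sample device even though none of its three signals is GOOD, while the == "GOOD" form rejects it and reports which attributes failed.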
