updated query logic

Author: terrancedejesus

rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

@@ -66,9 +66,15 @@ type = "threshold"
 
 query = '''
 data_stream.dataset: "okta.system" and
-    okta.debug_context.debug_data.dt_hash: * and
-    okta.device.os_platform: * and
-    event.action: ("user.authentication.verify" or "user.authentication.auth_via_mfa")
+    event.action: (
+        "user.authentication.verify" or
+        "user.authentication.auth_via_mfa"
+    ) and
+    (
+        okta.debug_context.debug_data.dt_hash: * and
+        not okta.debug_context.debug_data.dt_hash: "-"
+    ) and
+    user_agent.os.name: *
 '''