updated query logic

Author: terrancedejesus

rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml

@@ -64,16 +64,13 @@ timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-data_stream.dataset: "okta.system" and
-    event.action: (
+data_stream.dataset: "okta.system"
+    and not okta.debug_context.debug_data.dt_hash: "-"
+    and user_agent.os.name: *
+    and event.action: (
         "user.authentication.verify" or
         "user.authentication.auth_via_mfa"
-    ) and
-    (
-        okta.debug_context.debug_data.dt_hash: * and
-        not okta.debug_context.debug_data.dt_hash: "-"
-    ) and
-    user_agent.os.name: *
+    )
 '''