by elitistphoenix 872 days ago
Was the self-hosted environment running an AV like the CrowdStrike agent? Or was it running a different AV and that's why you chose to use CrowdStrike as someone different?

I guess there's no need for specific names. I'm just using those as examples.

1 comments

What's an AV going to do about the fact that Okta got popped?

Perhaps the parent commenter was referring to the section in the report stating that the IOCs indicated that the attackers used the known third-party command and control system named Sliver. There are multiple public YARA signatures for Sliver.

Ahh, that makes sense. Thanks!