Detectionmediumtest

Okta API Token Created

Detects when a API token is created

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Austin SongerCreated Sun Sep 12Updated Sun Oct 0919951c21-229d-4ccb-8774-b993c3ff3c5cidentity

Log Source

Oktaokta

ProductOkta← raw: okta

Serviceokta← raw: okta

Detection Logic

detection:
    selection:
        eventtype: system.api_token.create
    condition: selection

False Positives

Legitimate creation of an API token by authorized users

References

MITRE ATT&CK

Tactics

Rule Metadata

Rule ID

19951c21-229d-4ccb-8774-b993c3ff3c5c

Status

test

Level

medium

Type

Detection

Created

Sun Sep 12

Modified

Sun Oct 09

Author

Path

rules/identity/okta/okta_api_token_created.yml

Raw Tags

attack.persistence