Okta API Token Created
Detects when a API token is created
Sigma rule (View on GitHub)
1title: Okta API Token Created
2id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
3status: test
4description: Detects when a API token is created
5references:
6 - https://developer.okta.com/docs/reference/api/system-log/
7 - https://developer.okta.com/docs/reference/api/event-types/
8author: Austin Songer @austinsonger
9date: 2021/09/12
10modified: 2022/10/09
11tags:
12 - attack.persistence
13logsource:
14 product: okta
15 service: okta
16detection:
17 selection:
18 eventtype: system.api_token.create
19 condition: selection
20falsepositives:
21 - Legitimate creation of an API token by authorized users
22level: medium
References
Related rules
- Okta Admin Role Assigned to an User or Group
- Okta MFA Reset or Deactivated
- Loading of Kernel Module via Insmod
- Setuid and Setgid
- Systemd Service Reload or Start