Okta API Token Created

Apr 27, 2026 · attack.persistence ·

Detects when a API token is created

Sigma rule (View on GitHub)

 1title: Okta API Token Created
 2id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
 3status: test
 4description: Detects when a API token is created
 5references:
 6    - https://developer.okta.com/docs/reference/api/system-log/
 7    - https://developer.okta.com/docs/reference/api/event-types/
 8author: Austin Songer @austinsonger
 9date: 2021-09-12
10modified: 2026-04-27
11tags:
12    - attack.persistence
13logsource:
14    product: okta
15    service: okta
16detection:
17    selection:
18        eventType: system.api_token.create
19    condition: selection
20falsepositives:
21    - Legitimate creation of an API token by authorized users
22level: medium

References

System Log

Read More
Event Types | Okta Developer

Secure, scalable, and highly available authentication and user management for any app.

Read More

Related rules

Okta Admin Role Assigned to an User or Group
Okta Admin Role Assignment Created
Okta Identity Provider Created
OpenCanary - RDP New Connection Attempt
LiteLLM / TeamPCP Supply Chain Attack Indicators

Okta API Token Created

Sigma rule (View on GitHub)

References

System Log

Event Types | Okta Developer

Related rules