If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.

Techniques

Sample rules

Attempt to Create Okta API Token

Description

Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization’s network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.

Detection logic

event.dataset:okta.system and event.action:system.api_token.create
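The following is an added example, not code from the LoFP entry or from the rule's author: it applies the detection logic above to ECS-shaped Okta system-log events and then drops hits from identities whose token creation is expected, which is the exception filtering the false-positive note recommends. The `okta.actor.alternate_id` field name and the sample events are assumptions constructed for the example.

```python
from typing import Dict, Iterable, List

# Constructed sample events in ECS form. The "okta.actor.*" field names are an
# assumption about how the Okta system log is mapped; only event.* is from the rule.
SAMPLE_EVENTS: List[Dict] = [
    {"event": {"dataset": "okta.system", "action": "system.api_token.create"},
     "okta": {"actor": {"alternate_id": "ci-automation@example.com", "type": "User"}}},
    {"event": {"dataset": "okta.system", "action": "system.api_token.create"},
     "okta": {"actor": {"alternate_id": "jdoe@example.com", "type": "User"}}},
    {"event": {"dataset": "okta.system", "action": "user.session.start"},
     "okta": {"actor": {"alternate_id": "jdoe@example.com", "type": "User"}}},
    {"event": {"dataset": "aws.cloudtrail", "action": "system.api_token.create"},
     "okta": {"actor": {"alternate_id": "other@example.com", "type": "User"}}},
]

# Exception list (constructed): identities whose API-token creation is expected.
EXPECTED_TOKEN_CREATORS = {"ci-automation@example.com"}

def get_path(event: Dict, dotted: str):
    """Resolve a dotted ECS field name such as 'event.action' against a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event: Dict) -> bool:
    """The rule's detection logic:
    event.dataset:okta.system and event.action:system.api_token.create"""
    return (get_path(event, "event.dataset") == "okta.system"
            and get_path(event, "event.action") == "system.api_token.create")

def is_expected(event: Dict) -> bool:
    """Exception filter for the documented false positive: known token creators."""
    return get_path(event, "okta.actor.alternate_id") in EXPECTED_TOKEN_CREATORS

def alert_actors(events: Iterable[Dict]) -> List[str]:
    """Actors whose API-token creation still alerts after exceptions are applied."""
    return [get_path(e, "okta.actor.alternate_id")
            for e in events if matches_rule(e) and not is_expected(e)]

if __name__ == "__main__":
    print(alert_actors(SAMPLE_EVENTS))  # ['jdoe@example.com']
```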