Okta New API Token Created

name: Okta New API Token Created
id: c3d22720-35d3-4da4-bd0a-740d37192bd4
version: 12
date: '2026-03-10'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment.
data_source:
    - Okta
search: |-
    | tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime FROM datamodel=Change
      WHERE All_Changes.action=created
        AND
        All_Changes.command=system.api_token.create
      BY _time span=5m All_Changes.user
         All_Changes.result All_Changes.command sourcetype
         All_Changes.src All_Changes.action All_Changes.object_category
         All_Changes.dest
    | `drop_dm_object_name("All_Changes")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `okta_new_api_token_created_filter`
how_to_implement: The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553).
known_false_positives: False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed.
references:
    - https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected
    - https://splunkbase.splunk.com/app/6553
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized.
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Okta Account Takeover
        - Scattered Lapsus$ Hunters
    asset_type: Okta Tenant
    mitre_attack_id:
        - T1078.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: access
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log
          source: Okta
          sourcetype: OktaIM2:log