Skip to content
Threat Feed
high advisory

Okta API Token Creation Detection

Detection of new Okta API token creation, potentially indicating account compromise or unauthorized access leading to persistence and administrative control.

The creation of new API tokens within an Okta tenant is a critical event to monitor, as it can signal account takeover or malicious insider activity. This activity is detected using OktaIm2 logs ingested through the Splunk Add-on for Okta Identity Cloud. The creation of an API token allows an attacker to bypass normal authentication controls, enabling them to perform administrative actions and access sensitive data. The system.api_token.create command is the key indicator in the Okta logs. Defenders should closely monitor these events, as threat actors can leverage these tokens for persistence, data exfiltration, and further malicious activities within the Okta environment.

Attack Chain

  1. An attacker gains unauthorized access to an Okta user account, potentially through credential stuffing, phishing, or malware.
  2. The attacker authenticates to the Okta environment using the compromised credentials.
  3. The attacker navigates to the Okta admin console (or uses the Okta API via command line tools).
  4. The attacker executes the system.api_token.create command to generate a new API token. This action is logged in the OktaIm2 logs.
  5. The attacker uses the newly created API token to authenticate directly to the Okta API, bypassing standard MFA or login requirements.
  6. The attacker leverages the API token to enumerate users, groups, and applications within the Okta tenant.
  7. The attacker modifies user permissions, adds new applications, or performs other administrative actions.
  8. The attacker maintains persistence within the Okta environment through continued use of the API token.

Impact

A successful Okta API token creation attack can lead to complete compromise of the Okta tenant. This may result in unauthorized access to sensitive applications and data, modification of user permissions, and deployment of malicious applications within the organization's ecosystem. The impact includes data breaches, service disruption, and reputational damage. The risk is heightened if the compromised Okta tenant is used for Single Sign-On (SSO) across multiple applications, as the attacker can gain access to all integrated systems.

Recommendation

  • Deploy the Sigma rule Okta New API Token Created to detect unauthorized API token creation attempts in your Okta environment.
  • Enable the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553) to collect OktaIm2 logs.
  • Review Okta logs for unusual system.api_token.create events originating from unfamiliar IP addresses or user agents.
  • Implement strict access controls and Multi-Factor Authentication (MFA) for all Okta administrator accounts to prevent account compromise.
  • Monitor for unusual API activity after the creation of new tokens.
  • Investigate any alerts generated by the Okta New API Token Created rule and validate the legitimacy of the token creation event.

Detection coverage 2

Okta New API Token Created

high

Detects the creation of a new API token in Okta, which could indicate malicious activity.

sigma tactics: persistence techniques: T1078.001 sources: webserver, linux

Okta API Token Creation from Uncommon Source IP

medium

Detects Okta API token creation from an IP address not normally associated with Okta administration.

sigma tactics: persistence techniques: T1078.001 sources: webserver, linux

Detection queries are available on the platform. Get full rules →