Name:Okta New API Token Created id:c3d22720-35d3-4da4-bd0a-740d37192bd4 version:5 date:2024-09-30 author:Michael Haag, Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects the creation of a new API token within an Okta tenant. It uses OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud to identify events where the `system.api_token.create` command is executed. This activity is significant because creating a new API token can indicate potential account takeover attempts or unauthorized access, allowing an adversary to maintain persistence. If confirmed malicious, this could enable attackers to execute API calls, access sensitive data, and perform administrative actions within the Okta environment. Data_source:
-Okta
search:| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category | `drop_dm_object_name("All_Changes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_new_api_token_created_filter`
how_to_implement:The analytic leverages Okta OktaIm2 logs to be ingested using the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553). known_false_positives:False positives may be present. Tune Okta and tune the analytic to ensure proper fidelity. Modify risk score as needed. References: -https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected -https://splunkbase.splunk.com/app/6553 drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Okta Account Takeover' asset_type:Okta Tenant confidence:80 impact:80 message:A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized. mitre_attack_id: - 'T1078' - 'T1078.001' observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'signature' - 'eventType' - 'displayMessage' - 'client.device' - 'city' - 'state' - 'country' - 'user_agent' - 'outcome.reason' - 'outcome.result' - 'severity' risk_score:64 security_domain:access
