Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0002 ✕ technique: T1134 ✕
Show ATT&CK heatmapOkta API Token Created Informational Identity Threat Module 1 variation
A user created a new API token in Okta.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Access Token Manipulation: Make and Impersonate Token (T1134.003) Command and Scripting Interpreter: Cloud API (T1059.009) Account Manipulation: Additional Cloud Credentials (T1098.001)Required data: Okta Audit LogDetector tags: Okta Audit AnalyticsAttacker's goals: An attacker's goal is to gain unauthorized access, compromise user accounts, and perform malicious actions within an organization's systems, potentially leading to data breaches, account takeovers, and the escalation of privileges.Investigative actions: Review the actions taken by the user that created the token. Follow the operations made using this API token by the ID token. Contact the user who created the API token and ensure that the API token is needed.Variations
An Okta API token was generated with suspicious characteristics
Low overridden
A user created a new API token in Okta with suspicious conditions. overridden