Okta New API Token Created
Description
The following analytic identifies when a new API token is created within an Okta tenant. An adversary may create a new API token to maintain persistence within the environment. Monitoring for new API tokens can help detect potential account takeover attempts or unauthorized access to Okta accounts.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2022-09-21
- Author: Michael Haag, Mauricio Velazco, Splunk
- ID: c3d22720-35d3-4da4-bd0a-740d37192bd4
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
- Installation
- Delivery
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype All_Changes.src All_Changes.action All_Changes.object_category
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_new_api_token_created_filter`
Macros
The SPL above uses the following Macros:
okta_new_api_token_created_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
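The tstats search above runs against the Change datamodel, so it is hard to see from the SPL alone what it does to a raw Okta event. The following is an added example, not code from Splunk or from this detection, that replays the same logic in Python over a few constructed Okta System Log records: keep only events whose eventType is system.api_token.create, bucket them into 5-minute spans, aggregate count/firstTime/lastTime per user, result and source IP, and apply a filter callable that stands in for the empty okta_new_api_token_created_filter macro. The mapping of Okta fields onto the datamodel (actor.alternateId as user, outcome.result as result, client.ipAddress as src, eventType as command) is an assumption about how the add-on normalises the data; the sample records are constructed, not real tenant logs.

```python
"""Offline replay of the 'Okta New API Token Created' logic over raw Okta System Log JSON.

Added example, not part of the Splunk detection. Field names follow the Okta
System Log schema (eventType, actor.alternateId, outcome.result, client.ipAddress,
published). Treating those fields as the Change datamodel's command/user/result/src
is an assumption about the add-on's CIM mapping.
"""
import json
from collections import OrderedDict
from datetime import datetime, timezone

TOKEN_CREATE_EVENT = "system.api_token.create"
SPAN_SECONDS = 300                      # matches `span=5m` in the tstats search
RISK_SCORE = 80 * 80 / 100              # impact * confidence / 100 from the RBA table -> 64.0

# Constructed sample records shaped like Okta System Log events (not real data).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"published": "2022-09-21T10:01:12.000Z", "eventType": TOKEN_CREATE_EVENT,
     "displayMessage": "Create API token", "severity": "INFO",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"},
                "geographicalContext": {"city": "Boston", "state": "Massachusetts", "country": "United States"}},
     "outcome": {"result": "SUCCESS", "reason": None}},
    {"published": "2022-09-21T10:03:40.000Z", "eventType": TOKEN_CREATE_EVENT,
     "displayMessage": "Create API token", "severity": "INFO",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"},
                "geographicalContext": {"city": "Boston", "state": "Massachusetts", "country": "United States"}},
     "outcome": {"result": "SUCCESS", "reason": None}},
    {"published": "2022-09-21T10:04:02.000Z", "eventType": "user.session.start",   # unrelated, must be ignored
     "displayMessage": "User login to Okta", "severity": "INFO",
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"},
                "geographicalContext": {"city": "Boston", "state": "Massachusetts", "country": "United States"}},
     "outcome": {"result": "SUCCESS", "reason": None}},
    {"published": "2022-09-21T10:07:05.000Z", "eventType": TOKEN_CREATE_EVENT,   # constructed failed attempt
     "displayMessage": "Create API token", "severity": "WARN",
     "actor": {"alternateId": "bob@example.com", "type": "User"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "curl/8.0"},
                "geographicalContext": {"city": "Unknown", "state": "Unknown", "country": "Unknown"}},
     "outcome": {"result": "FAILURE", "reason": "INSUFFICIENT_PERMISSIONS"}},
    {"published": "2022-09-21T10:30:00.000Z", "eventType": TOKEN_CREATE_EVENT,   # known automation account
     "displayMessage": "Create API token", "severity": "INFO",
     "actor": {"alternateId": "svc-ci@example.com", "type": "User"},
     "client": {"ipAddress": "192.0.2.44", "userAgent": {"rawUserAgent": "okta-sdk/2.0"},
                "geographicalContext": {"city": "Ashburn", "state": "Virginia", "country": "United States"}},
     "outcome": {"result": "SUCCESS", "reason": None}},
])


def _parse_published(value):
    """Okta timestamps are UTC ISO-8601 with milliseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _span_start(ts, span_seconds):
    """Floor a timestamp to the start of its span, like `_time span=5m`."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def _ctime(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%S")


def is_api_token_create(event):
    """The predicate behind All_Changes.command=system.api_token.create."""
    return event.get("eventType") == TOKEN_CREATE_EVENT


def detect_new_api_tokens(log_text, span_seconds=SPAN_SECONDS, filter_fn=lambda row: True):
    """Aggregate matching events by (span, user, result, src); filter_fn plays the
    role of the empty okta_new_api_token_created_filter macro (default keeps all)."""
    rows = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_api_token_create(event):
            continue
        ts = _parse_published(event["published"])
        user = event.get("actor", {}).get("alternateId")
        result = event.get("outcome", {}).get("result")
        src = event.get("client", {}).get("ipAddress")
        key = (_span_start(ts, span_seconds), user, result, src)
        row = rows.setdefault(key, {"span": key[0], "user": user, "result": result, "src": src,
                                    "command": TOKEN_CREATE_EVENT, "action": "created",
                                    "count": 0, "firstTime": ts, "lastTime": ts})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
    out = []
    for row in rows.values():
        row = dict(row, span=_ctime(row["span"]), firstTime=_ctime(row["firstTime"]),
                   lastTime=_ctime(row["lastTime"]))
        if filter_fn(row):
            out.append(row)
    return out


def risk_message(row):
    """The RBA message from this page with $user$ substituted."""
    return ("A new API token was created in Okta by [%s]. "
            "Investigate further to determine if this was authorized." % row["user"])


if __name__ == "__main__":
    allowlist = {"svc-ci@example.com"}          # example tuning, as the filter macro would do
    for r in detect_new_api_tokens(SAMPLE_LOG, filter_fn=lambda r: r["user"] not in allowlist):
        print(r["span"], r["count"], r["result"], r["src"], "->", risk_message(r))
```

Running it prints one row per span/user/result/src, so the two token creations by alice@example.com inside the same 5-minute window collapse into a single result with count 2, while the svc-ci account disappears once it is added to the filter, which is exactly how the macro is meant to be used for tuning.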
Required fields
List of fields required to use this analytic.
- _time
- signature
- eventType
- displayMessage
- client.device
- city
- state
- country
- user_agent
- outcome.reason
- outcome.result
- severity
How To Implement
This analytic requires Okta OktaIm2 logs ingested with the Splunk Add-on for Okta Identity Cloud (https://splunkbase.splunk.com/app/6553), which maps them to the Change datamodel used by the search.
Known False Positives
False positives may be present, since legitimate administrators and integrations also create API tokens. Tune the analytic (for example by excluding known accounts through the filter macro) to ensure proper fidelity, and modify the risk score as needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
64.0 | 80 | 80 | A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://developer.okta.com/docs/reference/api/event-types/?q=security.threat.detected
- https://splunkbase.splunk.com/app/6553
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 2