Zendesk API token is created

zendesk

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the zendesk integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an API token is created in Zendesk Admin Center.

Strategy

Monitor Zendesk audit logs to look for events with an @source_label value of "Zendesk API: Active API tokens" and @evt.category:create. API tokens are auto-generated passwords in the Zendesk Admin Center. API tokens can be used to impersonate anyone in the account, including admins.

Triage and response

  1. Determine if the user {{@usr.name}} intended to create a new API token.
  2. If the API token is not required for a legitimate business use case, delete the token.