Zendesk API token is created

zendesk

Classification:

attack

Set up the zendesk integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an API token is created in Zendesk Admin Center.

Strategy

Monitor Zendesk audit logs to look for events with an @source_label value of "Zendesk API: Active API tokens" and @evt.category:create. API tokens are auto-generated passwords in the Zendesk Admin Center. API tokens can be used to impersonate anyone in the account, including admins.

Triage and response

  1. Determine if the user {{@usr.name}} intended to create a new API token.
  2. If the API token is not required for a legitimate business use case, delete the token.