---
title: Okta API token granted excessive network access
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Okta API token granted excessive
  network access
---

# Okta API token granted excessive network access
- Classification: attack
- Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detects when an Okta API token is created or updated with unrestricted network access, with elevated severity when the action originates from a suspicious or proxied IP address.

## Strategy{% #strategy %}

This rule monitors Okta logs for successful `system.api_token.create` or `system.api_token.update` events where `@debugContext.debugData.networkConnection` is set to `ANYWHERE`, a detection highlighted by the Okta team in their [customer-detections](https://github.com/okta/customer-detections) repository. API tokens configured with unrestricted network access can be used from any IP address, removing a key layer of defense that limits token abuse if credentials are compromised. The rule generates a medium-severity signal when the token grant originates from an IP flagged by threat intelligence as malicious or suspicious, or when `@securityContext.isProxy` is `true`. A low-severity signal is generated for all other unrestricted token grants made outside a corporate VPN.
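The severity logic above, expressed as a small classifier over Okta System Log records. This is an added illustration, not Datadog's rule implementation or Okta's code; the corporate VPN range, the threat-intel list and the sample events are constructed placeholders, and field names follow the Okta System Log schema the rule references.

```python
import ipaddress

MONITORED_EVENTS = {"system.api_token.create", "system.api_token.update"}
# Constructed placeholders: in practice the VPN egress range comes from the
# organisation and the flagged-IP set from a threat-intelligence feed.
CORP_VPN = [ipaddress.ip_network("203.0.113.0/24")]
FLAGGED_IPS = {"198.51.100.77"}


def classify(event, corp_vpn=CORP_VPN, flagged_ips=FLAGGED_IPS):
    """Return 'medium', 'low' or None (no signal) for one Okta System Log event."""
    if event.get("eventType") not in MONITORED_EVENTS:
        return None
    if event.get("outcome", {}).get("result") != "SUCCESS":   # only successful grants
        return None
    net = event.get("debugContext", {}).get("debugData", {}).get("networkConnection")
    if net != "ANYWHERE":                                       # token is IP-restricted
        return None
    ip = event.get("client", {}).get("ipAddress")
    is_proxy = event.get("securityContext", {}).get("isProxy") is True
    if is_proxy or ip in flagged_ips:                           # suspicious origin
        return "medium"
    if ip and any(ipaddress.ip_address(ip) in n for n in corp_vpn):
        return None  # unrestricted grant from the corporate VPN: no signal per the rule
    return "low"


def make_event(event_type, ip, network="ANYWHERE", proxy=False,
               result="SUCCESS", actor="admin@example.com"):
    """Build a minimal constructed Okta System Log record for testing."""
    return {
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
        "securityContext": {"isProxy": proxy},
        "debugContext": {"debugData": {"networkConnection": network}},
    }


if __name__ == "__main__":
    samples = [
        make_event("system.api_token.create", "198.51.100.77"),            # flagged IP
        make_event("system.api_token.update", "192.0.2.10", proxy=True),   # proxied
        make_event("system.api_token.create", "192.0.2.10"),               # plain external
        make_event("system.api_token.create", "203.0.113.5"),              # corporate VPN
        make_event("system.api_token.create", "192.0.2.10", network="ZONE_RESTRICTED"),
    ]
    for ev in samples:
        print(ev["actor"]["alternateId"], ev["client"]["ipAddress"], classify(ev))
```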

## Triage and response{% #triage-and-response %}

- Determine whether `{{@usr.email}}` had a legitimate reason to create or modify an API token with unrestricted network access.
- Review the source IP address and geolocation of the request to assess whether it aligns with expected activity for the user.
- Check if the token was created through the Okta Admin Console or programmatically, and verify whether the action corresponds to an approved change request.
- Examine recent authentication activity for `{{@usr.email}}` to identify signs of account compromise prior to the token operation.
- Identify any API calls made using the newly created or modified token to determine if it has already been used for unauthorized access.
- Verify whether the `ANYWHERE` network setting is required for the token's intended use case, or if it can be scoped to specific IP ranges.
