Okta API token granted excessive network access

Goal

Detects when an Okta API token is created or updated with unrestricted network access, with elevated severity when the action originates from a suspicious or proxied IP address.

Strategy

This rule monitors Okta logs for successful system.api_token.create or system.api_token.update events where @debugContext.debugData.networkConnection is set to ANYWHERE, a configuration highlighted by the team at Okta. API tokens configured with unrestricted network access can be used from any IP address, removing a key layer of defense that limits token abuse if the credentials are compromised. The rule generates a medium-severity signal when the token grant originates from an IP address flagged by threat intelligence as malicious or suspicious, or when @securityContext.isProxy is true. A low-severity signal is generated for all other unrestricted token grants made from outside a corporate VPN.
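The detection logic described above, run over a few constructed Okta System Log events as an added example (not Datadog's rule implementation). The threat-intelligence set, the corporate VPN range and the sample events are assumptions made for the example; the field paths match the attributes the rule references.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed stand-ins for inputs the real rule takes from Datadog threat
# intelligence and a corporate-VPN reference list.
THREAT_INTEL_FLAGGED = {"203.0.113.7"}
CORPORATE_VPN_RANGES = [ip_network("198.51.100.0/24")]
API_TOKEN_EVENTS = {"system.api_token.create", "system.api_token.update"}

def classify_event(event):
    """Return 'medium', 'low' or None for one Okta System Log event (a dict)."""
    if event.get("eventType") not in API_TOKEN_EVENTS:
        return None
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return None
    debug = event.get("debugContext", {}).get("debugData", {})
    if debug.get("networkConnection") != "ANYWHERE":
        return None  # token is IP-restricted, so it is out of scope
    ip = event.get("client", {}).get("ipAddress", "")
    if ip in THREAT_INTEL_FLAGGED or event.get("securityContext", {}).get("isProxy"):
        return "medium"  # flagged or proxied source: elevated severity
    try:
        if any(ip_address(ip) in net for net in CORPORATE_VPN_RANGES):
            return None  # unrestricted grant from the corporate VPN: no signal
    except ValueError:
        pass  # missing or malformed client IP: treat as outside the VPN
    return "low"

def scan_log(lines):
    """Turn newline-delimited JSON events into (actor email, severity) signals."""
    signals = []
    for line in lines:
        event = json.loads(line)
        severity = classify_event(event)
        if severity:
            signals.append((event["actor"]["alternateId"], severity))
    return signals

# Constructed sample events (RFC 5737 addresses), not real Okta output.
SAMPLE_LOG = [
    '{"eventType":"system.api_token.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.7"},"securityContext":{"isProxy":false},"debugContext":{"debugData":{"networkConnection":"ANYWHERE"}}}',
    '{"eventType":"system.api_token.update","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.10"},"securityContext":{"isProxy":true},"debugContext":{"debugData":{"networkConnection":"ANYWHERE"}}}',
    '{"eventType":"system.api_token.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"192.0.2.20"},"securityContext":{"isProxy":false},"debugContext":{"debugData":{"networkConnection":"ANYWHERE"}}}',
    '{"eventType":"system.api_token.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"dave@example.com"},"client":{"ipAddress":"198.51.100.5"},"securityContext":{"isProxy":false},"debugContext":{"debugData":{"networkConnection":"ANYWHERE"}}}',
    '{"eventType":"system.api_token.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"erin@example.com"},"client":{"ipAddress":"192.0.2.30"},"securityContext":{"isProxy":false},"debugContext":{"debugData":{"networkConnection":"ZONE"}}}',
]
```

Running scan_log(SAMPLE_LOG) yields a medium signal for alice (threat-intel hit) and bob (proxied), a low signal for carol, and nothing for dave (corporate VPN) or erin (token already IP-restricted).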

Triage and response

  • Determine if {{@usr.email}} had a legitimate reason to create or modify an API token with unrestricted network access.
  • Review the source IP address and geolocation of the request to assess whether it aligns with expected activity for the user.
  • Check if the token was created through the Okta Admin Console or programmatically, and verify whether the action corresponds to an approved change request.
  • Examine recent authentication activity for {{@usr.email}} to identify signs of account compromise prior to the token operation.
  • Identify any API calls made using the newly created or modified token to determine if it has already been used for unauthorized access.
  • Verify whether the ANYWHERE network setting is required for the token’s intended use case, or if it can be scoped to specific IP ranges.