Zendesk API token is created

Goal

Detect when an API token is created in Zendesk Admin Center.

Strategy

Monitor Zendesk audit logs for events with an @source_label value of "Zendesk API: Active API tokens" and @evt.category:create. API tokens are auto-generated passwords created in the Zendesk Admin Center, and they can be used to impersonate anyone in the account, including admins.

Triage and response

  1. Determine if the user {{@usr.name}} intended to create a new API token.
  2. If the API token is not required for a legitimate business use case, delete the token.
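
The strategy's two conditions applied offline to exported audit events and grouped by user for step 1 of the triage. This is an added example, not Datadog's or Zendesk's own code. It assumes JSON-lines events whose nested keys mirror the page's @source_label, @evt.category and @usr.name attributes; the timestamp field and all sample events are constructed.

```python
import json
from collections import defaultdict

# Values taken from the rule's strategy text.
SOURCE_LABEL = "Zendesk API: Active API tokens"
CATEGORY = "create"


def attr(event, dotted_path):
    """Resolve a dotted attribute path such as 'evt.category' in nested JSON."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def find_token_creations(lines):
    """Return {user name: [timestamps]} for events matching both conditions."""
    hits = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of failing
        if attr(event, "source_label") != SOURCE_LABEL:
            continue
        if attr(event, "evt.category") != CATEGORY:
            continue
        # A creation with no actor is still reported so it can be triaged.
        user = attr(event, "usr.name") or "<unknown>"
        hits[user].append(attr(event, "timestamp"))  # 'timestamp' is assumed
    return dict(hits)


# Constructed sample events (not real Zendesk output); last line is truncated.
SAMPLE_LOGS = [
    '{"timestamp": "2024-01-10T09:00:00Z", "source_label": "Zendesk API: Active API tokens", "evt": {"category": "create"}, "usr": {"name": "alice"}}',
    '{"timestamp": "2024-01-10T09:05:00Z", "source_label": "Zendesk API: Active API tokens", "evt": {"category": "delete"}, "usr": {"name": "alice"}}',
    '{"timestamp": "2024-01-10T09:10:00Z", "source_label": "Team member: Bob", "evt": {"category": "create"}, "usr": {"name": "admin"}}',
    '{"timestamp": "2024-01-10T10:00:00Z", "source_label": "Zendesk API: Active API tokens", "evt": {"category": "create"}}',
    '{"timestamp": "2024-01-10T10:30:00Z", "source_label": "Zendesk API',
]

if __name__ == "__main__":
    for user, times in find_token_creations(SAMPLE_LOGS).items():
        print(f"{user}: {len(times)} token creation(s) at {times}")
```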