For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-008-4ba.md. A documentation index is available at /llms.txt.

OneLogin API Token Created

onelogin

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Goal

Detect when a new OneLogin API token is created.

Strategy

This rule lets you monitor the OneLogin generated audit event to detect when a new API token is created.

Triage and response

  1. Contact the user who created the API token and ensure that the API token is needed.