Zendesk API Token Created

Panther Rules

Summary
This detection rule alerts on the creation of a new API token in Zendesk, which may indicate unauthorized access or credential theft. The rule is triggered by audit logs that show events related to API tokens. The primary action monitored is the creation of an API token, with the expectation that each creation is reviewed for legitimacy. The severity of this alert is marked as high because API tokens can be misused for unauthorized actions within the Zendesk platform. When the alert triggers, investigate further, including validating the purpose of the generated token. If the token is deemed unnecessary or its creation suspicious, delete it immediately.
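The logic described in the summary can be sketched in Python as follows. This is an added example, not the Panther rule's own source: the field names (`source_type`, `source_id`, `action`, `actor_name`, `ip_address`, `created_at`) and the `api_token` / `create` / `destroy` values are assumptions about the Zendesk audit log schema, and the sample events are constructed.

```python
import json

# Constructed sample events, not real data. Field names and the
# "api_token" / "create" / "destroy" values are assumptions about the
# Zendesk audit log schema; they do not appear on this page.
SAMPLE_LOG = """
{"created_at": "2022-09-02T10:00:00Z", "source_type": "api_token", "source_id": 501, "action": "create", "actor_name": "Alice Admin", "ip_address": "198.51.100.7"}
{"created_at": "2022-09-02T10:05:00Z", "source_type": "user", "source_id": 77, "action": "update", "actor_name": "Alice Admin", "ip_address": "198.51.100.7"}
{"created_at": "2022-09-02T11:30:00Z", "source_type": "api_token", "source_id": 502, "action": "create", "actor_name": "Bob Agent", "ip_address": "203.0.113.9"}
{"created_at": "2022-09-02T12:00:00Z", "source_type": "api_token", "source_id": 501, "action": "destroy", "actor_name": "Alice Admin", "ip_address": "198.51.100.7"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]


def is_token_creation(event):
    """True for the event the rule alerts on: a new API token."""
    return event.get("source_type") == "api_token" and event.get("action") == "create"


def triage(events):
    """One high-severity alert per created token, noting any later deletion."""
    alerts = {}
    for event in sorted(events, key=lambda e: e.get("created_at", "")):
        token_id = event.get("source_id")
        if is_token_creation(event):
            alerts[token_id] = {
                "severity": "HIGH",
                "token_id": token_id,
                "actor": event.get("actor_name"),
                "ip_address": event.get("ip_address"),
                "created_at": event.get("created_at"),
                "deleted_at": None,  # still live until a destroy event is seen
            }
        elif (event.get("source_type") == "api_token"
              and event.get("action") == "destroy" and token_id in alerts):
            alerts[token_id]["deleted_at"] = event.get("created_at")
    return list(alerts.values())


def needs_review(events):
    """Tokens that were created and have not been deleted since."""
    return [a for a in triage(events) if a["deleted_at"] is None]


if __name__ == "__main__":
    for alert in needs_review(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Tracking the matching deletion lets a reviewer see which newly created tokens are still active and therefore still need their purpose validated.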
Categories
  • Cloud
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1528
Created: 2022-09-02