Okta New API Token Created

Splunk Security Content

Summary
This detection rule identifies the creation of a new API token within an Okta tenant, using OktaIm2 logs ingested via the Splunk Add-on for Okta Identity Cloud. It specifically matches events for the `system.api_token.create` command. A new API token can be a sign of an account takeover attempt or of unauthorized access, because such a token lets an attacker maintain persistence, execute API calls, and access sensitive data within the Okta environment. The search queries the 'Change' data model, counting and summarizing matching events over 5-minute spans, which shows the user, the result, and the command involved in each token creation. Given the nature of the event, a thorough investigation is recommended upon detection to confirm that the token creation was authorized and legitimate.
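The following is an added example, not Splunk's own search or the Okta add-on's code: a small Python stand-in for the logic the summary describes. It reads Okta System Log events as JSON lines, keeps those whose `eventType` is `system.api_token.create`, buckets them into 5-minute spans, and summarizes count, user, result and command per bucket (the equivalent of what the Change data model summary surfaces). The sample events are constructed for the demonstration; the field names (`eventType`, `published`, `actor.alternateId`, `outcome.result`, `client.ipAddress`) follow the Okta System Log schema and are assumed to be what the add-on forwards.

```python
"""Added example (not Splunk's rule): minimal detector for Okta API token
creation events, bucketed into 5-minute spans like the described search."""
from collections import defaultdict
from datetime import datetime, timezone
import json

TOKEN_CREATE = "system.api_token.create"  # the eventType/command the rule keys on
SPAN_SECONDS = 300                          # 5-minute span, as in the rule

# Constructed sample events (not real tenant data). Shape follows the
# Okta System Log fields; values are placeholders for the demo.
SAMPLE_EVENTS = [
    json.dumps({"eventType": "user.session.start", "published": "2025-01-21T10:00:05.000Z",
                "actor": {"alternateId": "alice@example.com"},
                "outcome": {"result": "SUCCESS"}}),
    json.dumps({"eventType": TOKEN_CREATE, "published": "2025-01-21T10:01:10.000Z",
                "actor": {"alternateId": "alice@example.com"},
                "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.7"}}),
    json.dumps({"eventType": TOKEN_CREATE, "published": "2025-01-21T10:03:40.000Z",
                "actor": {"alternateId": "alice@example.com"},
                "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.7"}}),
    json.dumps({"eventType": TOKEN_CREATE, "published": "2025-01-21T10:07:02.000Z",
                "actor": {"alternateId": "svc-automation@example.com"},
                "outcome": {"result": "FAILURE"}, "client": {"ipAddress": "198.51.100.9"}}),
]


def parse_published(ts):
    # Okta timestamps are ISO 8601 with millisecond precision and a 'Z' suffix.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def bucket_start(ts, span=SPAN_SECONDS):
    # Align the event to the start of its span (like `span=5m` in a tstats search).
    epoch = int(parse_published(ts).timestamp())
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)


def detect_api_token_creation(raw_events, span=SPAN_SECONDS):
    """Return summary rows, one per (span start, user, result, command),
    with the event count and the set of source IPs seen in that bucket."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in raw_events:
        ev = json.loads(line)
        if ev.get("eventType") != TOKEN_CREATE:
            continue  # only token-creation events are of interest
        key = (bucket_start(ev["published"], span).isoformat(),
               ev.get("actor", {}).get("alternateId", "unknown"),
               ev.get("outcome", {}).get("result", "unknown"),
               ev["eventType"])
        counts[key] += 1
        sources[key].add(ev.get("client", {}).get("ipAddress", "unknown"))
    rows = []
    for key, count in sorted(counts.items()):
        span_start, user, result, command = key
        rows.append({"span_start": span_start, "user": user, "result": result,
                     "command": command, "count": count, "src": sorted(sources[key])})
    return rows


if __name__ == "__main__":
    for row in detect_api_token_creation(SAMPLE_EVENTS):
        print(row)
```

Each returned row corresponds to one line of the rule's summary: an analyst would pivot from `user` and `src` to confirm whether the person who created the token (and the network location they did it from) matches an approved change.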
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • Pod
  • User Account
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.001
  • T1098.001
Created: 2025-01-21