Okta: API Token Created_Deleted

Anvilogic Forge

Summary
This detection rule monitors the creation and deletion of API tokens in an Okta environment, which matters because API tokens govern application access and any change to them alters the security posture. The logic is written in Splunk's search language: it uses the `get_application_data` command to select events where a token is created (`eventType="system.api_token.create"`) or revoked (`eventType="system.api_token.revoke"`), then extracts the action taken and contextual details about the token and aggregates the results into a stats table grouped by time and source IP. Reviewing that table helps security teams spot unauthorized creation or misuse of API tokens that could compromise application security and respond quickly to suspicious activity involving tokens, which are core components of application authentication and authorization.
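To make the filter-then-aggregate logic concrete, here is an added Python example that is not the Anvilogic rule or Okta's code: it applies the same selection and grouping to constructed Okta System Log events. Field names follow Okta's documented System Log schema; the one-hour time bucket and the `src_ip` column are assumptions standing in for the rule's stats grouping.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Okta System Log events (not real data). Field layout follows
# Okta's documented System Log schema; only the fields the detection needs are shown.
SAMPLE_EVENTS = [
    {"published": "2024-02-09T10:02:11.000Z", "eventType": "system.api_token.create",
     "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "Token", "displayName": "ci-deploy-token"}]},
    {"published": "2024-02-09T10:17:45.000Z", "eventType": "system.api_token.revoke",
     "actor": {"alternateId": "admin@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "Token", "displayName": "old-scim-token"}]},
    {"published": "2024-02-09T10:40:03.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"},
     "target": []},
    {"published": "2024-02-09T11:05:30.000Z", "eventType": "system.api_token.create",
     "actor": {"alternateId": "svc-migration@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "outcome": {"result": "SUCCESS"},
     "target": [{"type": "Token", "displayName": "bulk-export"}]},
]

# The two eventType values the rule watches, mapped to the "action" label it reports.
WATCHED = {"system.api_token.create": "created", "system.api_token.revoke": "revoked"}

def detect_api_token_changes(events, bucket_seconds=3600):
    """Keep only token create/revoke events and aggregate them by time bucket and source IP."""
    table = defaultdict(lambda: {"count": 0, "actions": set(), "actors": set(), "tokens": set()})
    for ev in events:
        action = WATCHED.get(ev.get("eventType"))
        if action is None:          # everything else (logins, app events, ...) is filtered out
            continue
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp()) // bucket_seconds * bucket_seconds   # assumed 1h span
        src_ip = ev.get("client", {}).get("ipAddress", "unknown")        # assumed src_ip column
        row = table[(bucket, src_ip)]
        row["count"] += 1
        row["actions"].add(action)
        row["actors"].add(ev.get("actor", {}).get("alternateId", "unknown"))
        for t in ev.get("target", []):
            if t.get("type") == "Token":
                row["tokens"].add(t.get("displayName", "?"))
    # Return a deterministic, sorted table keyed by (bucket start epoch, source IP).
    return {k: {f: (sorted(v) if isinstance(v, set) else v) for f, v in row.items()}
            for k, row in sorted(table.items())}

if __name__ == "__main__":
    for (bucket, ip), row in detect_api_token_changes(SAMPLE_EVENTS).items():
        print(datetime.fromtimestamp(bucket, timezone.utc).isoformat(), ip, row)
```

The unrelated `user.session.start` event is dropped by the filter, so the table shows two rows: one source IP that both created and revoked a token within the same hour, and a second IP that created one in the following hour.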
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1550.001
Created: 2024-02-09