
Summary
This detection rule monitors the creation of API tokens within Okta, a widely used identity management service. API tokens are critical for services and applications that need programmatic access to the Okta API, so knowing when they are created is essential for maintaining security and oversight. The rule triggers when an event with the type `system.api_token.create` is logged. It captures the attributes associated with the token creation, including the time of the event, host details, user information, and network-related data. By organizing this data into a table and aggregating it over 1-second intervals, the rule helps detect quickly the instances where API tokens are issued, which may indicate credential access or misuse of alternate authentication material. Security teams can use this information to confirm legitimate uses or investigate potentially malicious activity.
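As an added example (not the rule's own query or any Okta code), the following Python sketches the detection described above over Okta System Log events: it filters on `eventType == "system.api_token.create"`, extracts the triage attributes (time, actor, source IP, user agent, outcome, token name), and aggregates matches into 1-second buckets per actor so a burst of token creations shows up as one row with a count. The field names follow the Okta System Log schema; the sample events, user names, addresses and token names are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

TOKEN_CREATE_EVENT = "system.api_token.create"

# Constructed Okta System Log events (not real data). Field names follow the
# Okta System Log schema; every value here is made up for the example.
SAMPLE_LOG = json.dumps([
    {"eventType": "user.session.start", "published": "2024-02-09T10:15:01.000Z",
     "actor": {"alternateId": "alice@example.com", "displayName": "Alice Example"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "system.api_token.create", "published": "2024-02-09T10:15:02.120Z",
     "actor": {"alternateId": "alice@example.com", "displayName": "Alice Example"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "Token", "displayName": "ci-pipeline-token"}]},
    {"eventType": "system.api_token.create", "published": "2024-02-09T10:15:02.870Z",
     "actor": {"alternateId": "alice@example.com", "displayName": "Alice Example"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": "Mozilla/5.0"}},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "Token", "displayName": "backup-token"}]},
    {"eventType": "system.api_token.create", "published": "2024-02-09T10:15:03.005Z",
     "actor": {"alternateId": "bob@example.com", "displayName": "Bob Example"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "okta-cli/1.0"}},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "Token", "displayName": "terraform"}]},
    {"eventType": "system.api_token.revoke", "published": "2024-02-09T10:15:04.000Z",
     "actor": {"alternateId": "bob@example.com", "displayName": "Bob Example"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"rawUserAgent": "okta-cli/1.0"}},
     "outcome": {"result": "SUCCESS"}},
])


def _bucket_second(published: str) -> str:
    """Truncate an ISO-8601 'published' timestamp to the whole second it falls in."""
    ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
    return ts.replace(microsecond=0).isoformat()


def is_token_creation(event: dict) -> bool:
    """The rule's match condition: eventType equals system.api_token.create."""
    return event.get("eventType") == TOKEN_CREATE_EVENT


def extract_fields(event: dict) -> dict:
    """Pull the attributes a triage table needs: time, user, network data, token name."""
    actor = event.get("actor", {})
    client = event.get("client", {})
    targets = event.get("target") or []
    return {
        "time": event.get("published", ""),
        "user": actor.get("alternateId", ""),
        "display_name": actor.get("displayName", ""),
        "src_ip": client.get("ipAddress", ""),
        "user_agent": client.get("userAgent", {}).get("rawUserAgent", ""),
        "outcome": event.get("outcome", {}).get("result", ""),
        "tokens": [t.get("displayName", "") for t in targets if t.get("type") == "Token"],
    }


def detect_token_creations(raw_json: str) -> list:
    """Run the rule over a JSON array of events: keep matching events and
    aggregate them into 1-second buckets per actor, returning table rows."""
    buckets = defaultdict(lambda: {"count": 0, "tokens": [], "src_ips": set()})
    for event in json.loads(raw_json):
        if not is_token_creation(event):
            continue
        fields = extract_fields(event)
        row = buckets[(_bucket_second(fields["time"]), fields["user"])]
        row["count"] += 1
        row["tokens"].extend(fields["tokens"])
        row["src_ips"].add(fields["src_ip"])
    # Flatten to rows in time order; a count above 1 marks a burst in one second.
    return [
        {"interval_start": start, "user": user, "count": v["count"],
         "tokens": v["tokens"], "src_ips": sorted(v["src_ips"])}
        for (start, user), v in sorted(buckets.items())
    ]


if __name__ == "__main__":
    for row in detect_token_creations(SAMPLE_LOG):
        print(row)
```

Running the block prints two rows: one for alice@example.com in the 10:15:02 second with a count of 2 (two tokens issued within the same second) and one for bob@example.com in the 10:15:03 second with a count of 1; the session-start and token-revoke events are filtered out. A real deployment would read events from the Okta System Log API or a SIEM instead of the embedded sample.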
Categories
- Identity Management
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1550.001
Created: 2024-02-09