
Summary
This detection rule monitors for suspicious attempts to create Okta API tokens, which can indicate unauthorized access to, or unauthorized actions within, an organization. API tokens are central to automating identity and access management tasks, and an adversary who obtains or creates one can gain persistent access, alter user accounts, or change security settings. The rule uses Okta system log events and fires when a new API token is created, matching the dataset and action combination event.dataset:okta.system and event.action:system.api_token.create. The accompanying investigation guide describes how to validate that the token creation was legitimate: examine the creating user's normal behaviour, the timestamp, the source IP address, and the recent activity associated with the token. It also notes likely false positives, such as routine administrative tasks and automated integrations, and suggests exceptions for verified users and known environments. If the creation turns out to be unauthorized, the immediate remediation steps are to revoke the token, review the recent activity performed with it, reset credentials for the affected accounts, and increase monitoring for repeat incidents.
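To show the rule's query and the triage it prescribes in working code, here is an added Python example; it is not the rule's own code. It assumes ECS-style flattened field names beyond the two in the query (okta.actor.alternate_id, source.ip, @timestamp), and its sample events are constructed.

```python
# Added triage helper for the Okta API token creation rule above; not the rule's own code.
# Events are flat dicts with dotted ECS-style keys: event.dataset and event.action come
# from the rule's query, the remaining field names (@timestamp, source.ip, ...) are assumed.
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-05-21T09:02:11Z", "event.dataset": "okta.system",
     "event.action": "system.api_token.create", "source.ip": "203.0.113.10",
     "okta.actor.alternate_id": "okta-admin@example.com"},
    {"@timestamp": "2020-05-21T03:17:45Z", "event.dataset": "okta.system",
     "event.action": "system.api_token.create", "source.ip": "198.51.100.77",
     "okta.actor.alternate_id": "jdoe@example.com"},
    {"@timestamp": "2020-05-21T03:15:02Z", "event.dataset": "okta.system",
     "event.action": "user.session.start", "source.ip": "198.51.100.77",
     "okta.actor.alternate_id": "jdoe@example.com"},
]
# Exception for verified administrators on a known network (both must hold),
# as the rule's false-positive guidance suggests.
TRUSTED_ACTORS = {"okta-admin@example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def matches_rule(event):
    """The rule's query: event.dataset:okta.system and event.action:system.api_token.create"""
    return (event.get("event.dataset") == "okta.system"
            and event.get("event.action") == "system.api_token.create")

def is_excepted(event):
    actor = event.get("okta.actor.alternate_id")
    try:
        ip = ipaddress.ip_address(event.get("source.ip", ""))
    except ValueError:
        return False  # missing or unparseable IP: never suppress the alert
    return actor in TRUSTED_ACTORS and any(ip in net for net in TRUSTED_NETWORKS)

def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))

def triage(events, window=timedelta(hours=24)):
    """Alert on matching, non-excepted events with actor, time, source IP and the actor's nearby actions."""
    alerts = []
    for ev in events:
        if not matches_rule(ev) or is_excepted(ev):
            continue
        actor = ev.get("okta.actor.alternate_id")
        related = sorted(e["event.action"] for e in events if e is not ev
                         and e.get("okta.actor.alternate_id") == actor
                         and abs(_ts(e) - _ts(ev)) <= window)
        alerts.append({"actor": actor, "timestamp": ev["@timestamp"],
                       "source_ip": ev.get("source.ip"), "related_actions": related})
    return alerts
```

Running triage(SAMPLE_EVENTS) suppresses the administrator's token creation from the trusted network and raises one alert for the off-hours creation by jdoe@example.com, with the actor's preceding session start attached for the analyst.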
Categories
- Identity Management
- Cloud
- Application
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136
Created: 2020-05-21