Okta API Key Created

Panther Rules

Summary
This detection rule identifies when a user creates an API key in Okta. It matches log entries for the system event 'system.api_token.create', which indicates the successful creation of an API token. Creating API tokens is usually a routine part of identity and access management, but it should be monitored closely to prevent unauthorized access to applications via API keys. The rule alerts administrators to a potentially sensitive user action involving elevated credentials. Responding to an API key creation may involve validating the action with the user; the runbook suggests reaching out to the user if needed.
Categories
  • Identity Management
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1528
Created: 2022-09-02
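
The check described in the summary, run over a few log lines, as an added example (not the Panther rule's own source). The function names and the sample events are constructed for illustration; the field names (eventType, outcome.result, actor.alternateId, client.ipAddress, target[].displayName, published) assume the Okta System Log JSON layout.

```python
import json

TOKEN_CREATE = "system.api_token.create"  # event type named in the summary

def is_api_token_created(event: dict) -> bool:
    """True only for a successful API token creation event."""
    outcome = event.get("outcome") or {}  # outcome may be absent or null
    return (event.get("eventType") == TOKEN_CREATE
            and outcome.get("result") == "SUCCESS")

def describe(event: dict) -> dict:
    """Collect what a responder needs to validate the action with the user."""
    actor = event.get("actor") or {}
    client = event.get("client") or {}
    return {
        "who": actor.get("alternateId", "<unknown actor>"),
        "source_ip": client.get("ipAddress", "<unknown ip>"),
        "tokens": [t.get("displayName", "<unnamed>")
                   for t in (event.get("target") or [])],
        "when": event.get("published", "<unknown time>"),
    }

def scan(lines):
    """Parse JSON lines, skip malformed ones, return one finding per match."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken line must not stop the scan
        if isinstance(event, dict) and is_api_token_created(event):
            findings.append(describe(event))
    return findings

# Constructed sample events (illustrative values, not real logs).
SAMPLE_LOG = [
    '{"eventType": "system.api_token.create", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "target": [{"displayName": "ci-deploy"}], "published": "2022-09-02T10:00:00.000Z"}',
    '{"eventType": "system.api_token.create", "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "bob@example.com"}}',
    '{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "carol@example.com"}}',
    '{"eventType": "system.api_token.create", "outcome": null}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"Okta API key created by {finding['who']} from "
              f"{finding['source_ip']}: {finding['tokens']} at {finding['when']}")
```

Only the first sample line produces a finding; the failed attempt, the unrelated event, the null outcome and the malformed line are all ignored.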