Atlassian admin API token created
Description
AlphaSOC detected the creation of an API token for an Atlassian account with administrative privileges. Threat actors who gain access to administrative accounts often create API tokens to establish persistent access to the environment, allowing them to maintain control even if passwords are changed or multi-factor authentication is enabled.
Impact
The creation of unauthorized admin API tokens can provide threat actors with long-term administrative access to Atlassian services, including Jira, Confluence, and other connected applications. This can lead to data exfiltration, service disruption, privilege escalation, and unauthorized configuration changes within the organization's Atlassian infrastructure.
Severity
| Severity | Condition |
|---|---|
| Low | Atlassian admin API token created |
Investigation and Remediation
Review Atlassian audit logs for any suspicious activities performed using the new token and verify whether the token creation was authorized. If unauthorized, immediately revoke the token, reset compromised admin account credentials, and conduct a comprehensive audit of the Atlassian environment.
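The review described above can be scripted once audit events are exported. The following is an added example, not AlphaSOC or Atlassian code: it checks each admin token creation against approved change records and lists follow-up activity from source IPs the account had not used before. The event field names, action strings, addresses and the approval list are constructed assumptions, not Atlassian's audit log schema.

```python
from datetime import datetime

TOKEN_CREATED = "admin_api_token_created"  # assumed action name, not Atlassian's

# Constructed sample events; field names and actions are assumptions for this example.
EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "actor": "admin@example.com", "ip": "198.51.100.10", "action": "user_login"},
    {"time": "2024-05-01T10:00:00Z", "actor": "ops@example.com", "ip": "198.51.100.20", "action": "user_login"},
    {"time": "2024-05-01T10:05:00Z", "actor": "ops@example.com", "ip": "198.51.100.20", "action": TOKEN_CREATED, "token_label": "ci-deploy"},
    {"time": "2024-05-01T10:10:00Z", "actor": "ops@example.com", "ip": "198.51.100.20", "action": "project_updated"},
    {"time": "2024-05-02T02:13:00Z", "actor": "admin@example.com", "ip": "203.0.113.77", "action": TOKEN_CREATED, "token_label": "backup-sync"},
    {"time": "2024-05-02T02:15:00Z", "actor": "admin@example.com", "ip": "203.0.113.77", "action": "user_exported"},
    {"time": "2024-05-02T02:20:00Z", "actor": "admin@example.com", "ip": "203.0.113.77", "action": "product_access_granted"},
]

# Constructed change records: (actor, token label) pairs that were approved.
APPROVED = {("ops@example.com", "ci-deploy")}

def _ts(event):
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))

def triage(events, approved):
    """Return one finding per admin token creation, oldest first."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev["action"] != TOKEN_CREATED:
            continue
        actor = ev["actor"]
        # Source IPs this actor used before the token existed.
        known_ips = {e["ip"] for e in events[:i] if e["actor"] == actor}
        # Later activity by the same actor approximates use of the new token;
        # the sample log does not say which credential made each call.
        later = [e for e in events[i + 1:] if e["actor"] == actor]
        findings.append({
            "actor": actor,
            "token": ev.get("token_label", "<unlabelled>"),
            "authorized": (actor, ev.get("token_label")) in approved,
            "created_from_new_ip": ev["ip"] not in known_ips,
            "followup_from_new_ip": [e["action"] for e in later if e["ip"] not in known_ips],
        })
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, APPROVED):
        verdict = "ok" if finding["authorized"] else "REVOKE AND INVESTIGATE"
        print(verdict, finding)
```

An account with no earlier events has no baseline, so its token creation is reported as coming from a new IP.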