
Atlassian admin API token created

ID: atlassian_admin_api_token_created
Data type: Atlassian
Severity: Low
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected the creation of an API token for an Atlassian account with administrative privileges. Threat actors who gain access to administrative accounts often create API tokens to establish persistent access to the environment, allowing them to maintain control even if passwords are changed or multi-factor authentication is enabled.

Impact

The creation of unauthorized admin API tokens can provide threat actors with long-term administrative access to Atlassian services, including Jira, Confluence, and other connected applications. This can lead to data exfiltration, service disruption, privilege escalation, and unauthorized configuration changes within the organization's Atlassian infrastructure.

Severity

Severity | Condition
Low | Atlassian admin API token created

Investigation and Remediation

Review Atlassian audit logs for any suspicious activities performed using the new token and verify whether the token creation was authorized. If unauthorized, immediately revoke the token, reset compromised admin account credentials, and conduct a comprehensive audit of the Atlassian environment.
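
The triage described above can be scripted. The following is an added example, not AlphaSOC or Atlassian code: it pairs each admin token creation with later activity carried out with that token and checks the creation against an approval record. The event field names, action strings, and the `APPROVED` set are assumptions made for illustration, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events. Field names and action strings are simplified
# assumptions for illustration, not Atlassian's audit log export schema.
EVENTS = [
    {"time": "2024-05-01T03:12:00Z", "actor": "bob@example.com", "admin": True,
     "action": "api_token_created", "token_id": "tok-2"},
    {"time": "2024-05-01T03:15:00Z", "actor": "bob@example.com", "admin": True,
     "action": "user_list_exported", "token_id": "tok-2"},
    {"time": "2024-05-01T03:20:00Z", "actor": "bob@example.com", "admin": True,
     "action": "group_membership_changed", "token_id": "tok-2"},
    {"time": "2024-05-01T09:00:00Z", "actor": "alice@example.com", "admin": True,
     "action": "api_token_created", "token_id": "tok-1"},
    {"time": "2024-05-01T09:05:00Z", "actor": "carol@example.com", "admin": False,
     "action": "api_token_created", "token_id": "tok-3"},
    {"time": "2024-05-01T10:00:00Z", "actor": "alice@example.com", "admin": True,
     "action": "login"},  # interactive session, no token involved
]
# Hypothetical record of approved token requests (e.g. from change tickets).
APPROVED = {("alice@example.com", "tok-1")}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(events, approved):
    """One finding per admin token creation, with later activity by that token."""
    ordered = sorted(events, key=lambda e: _ts(e["time"]))
    findings = []
    for ev in ordered:
        if ev["action"] != "api_token_created" or not ev.get("admin"):
            continue
        created = _ts(ev["time"])
        used = [(e["time"], e["action"]) for e in ordered
                if e.get("token_id") == ev["token_id"]
                and e is not ev and _ts(e["time"]) >= created]
        findings.append({"actor": ev["actor"], "token_id": ev["token_id"],
                         "created": ev["time"], "token_activity": used,
                         "authorized": (ev["actor"], ev["token_id"]) in approved})
    return findings

def tokens_to_revoke(findings):
    """Token IDs whose creation has no matching approval record."""
    return [f["token_id"] for f in findings if not f["authorized"]]

if __name__ == "__main__":
    for finding in triage(EVENTS, APPROVED):
        print(finding)
    print("revoke:", tokens_to_revoke(triage(EVENTS, APPROVED)))
```

Non-admin token creations are skipped because this rule only covers administrative accounts; the `token_activity` list for an unapproved token is the starting point for the wider environment audit.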