Asana

Asana - Project management tool for planning and tracking work.

Provider: Asana

| Detection Rule | MITRE Tactic | MITRE Technique | Criticality | Investigation Actions (APIs) | Incident Creation Criteria |
|---|---|---|---|---|---|
| Unauthorized Project Creation | Initial Access | Valid Accounts (T1078) | Medium | Create an Asana task to review new project creation details (creator, timestamp, associated team). | If a new project is created by a user not authorized to create projects in a sensitive workspace (admin or privileged teams). |
| Suspicious Task Assignment to Admins | Privilege Escalation | Exploitation of Access Controls (T1068) | High | Create an Asana task with task details (who assigned, what the task contains, admin names involved). | If a non-admin user assigns tasks to an admin without prior approval or outside of normal workflows. |
| High Volume Task Deletion | Defense Evasion | Indicator Removal on Host (T1070) | High | Create an Asana task to review task deletion logs, task owners, and associated projects. | If a user deletes more than X tasks (threshold) within a short period (1 hour), particularly in high-privilege workspaces. |
| Unauthorized Access to Private Projects | Persistence | Valid Accounts (T1078) | High | Create an Asana task to review project access logs, user roles, and any unauthorized changes in project permissions. | If a user not listed on a private project accesses it or changes permissions to add external members without admin knowledge. |
| Bulk Project Sharing with External Domains | Exfiltration | Exfiltration Over Web Services (T1567.002) | High | Create an Asana task with project sharing details, including external domain and the number of projects shared. | If more than X projects (threshold) are shared with an external domain, especially involving sensitive projects or data. |
| API Token Misuse for Unauthorized Automation | Execution | Use Alternate Authentication Material (T1550.003) | High | Create an Asana task with API token usage details (token issuer, activity logs, automated tasks created). | If an API token is used to access or create tasks in sensitive areas where the token should not have been authorized. |
| Unauthorized Custom Fields Creation | Persistence | Create or Modify System Process (T1543) | Medium | Create an Asana task to audit custom fields created by non-authorized users, especially if linked to sensitive projects. | If a custom field is created or modified by a non-privileged user in projects where they are not authorized to make changes. |
| Mass Task Reassignment to External Users | Exfiltration | Account Manipulation (T1098) | Medium | Create an Asana task with reassignment logs, reviewing tasks moved to external collaborators or outside of the organization’s domain. | If more than X tasks are reassigned to external users or collaborators, particularly for sensitive projects or workspaces. |
| Suspicious App Integration | Initial Access | Trusted Relationship (T1199) | High | Create an Asana task with app integration details (app name, permissions requested, associated user, and workspace). | If an unknown third-party app is integrated with Asana and requests broad permissions to access tasks or data without review. |
| Unauthorized Project Deletion | Impact | Data Destruction (T1485) | High | Create an Asana task to review the project deletion event, project ownership, and previous project state before deletion. | If a non-privileged user deletes a project in a sensitive workspace or deletes multiple projects within a short time frame. |
| Privilege Escalation via Admin Role Assignment | Privilege Escalation | Valid Accounts (T1078) | High | Create an Asana task to review admin role assignment logs, new admin, and the actor who escalated privileges. | If a non-privileged user escalates their role or assigns themselves/another user to an admin role without appropriate permissions. |
| Task Comments Containing Sensitive Data | Exfiltration | Data Staged: Local Data Staging (T1074.001) | Medium | Create an Asana task to review task comments flagged by DLP (Data Loss Prevention) for sensitive data like passwords or confidential files shared. | If sensitive keywords (e.g., "password", "confidential") are detected in task comments, particularly in external-facing tasks. |
| Unauthorized Change in Project Ownership | Persistence | Account Manipulation (T1098) | High | Create an Asana task with ownership change logs, including who the new owner is, associated team, and project criticality. | If a project’s ownership is transferred to another user without admin review or if ownership is moved to an external collaborator. |
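
The "more than X ... within a short period (1 hour)" criteria above (High Volume Task Deletion, and the same pattern in Bulk Project Sharing and Mass Task Reassignment) amount to a per-actor sliding-window count. The following is an added example, not the product's own rule logic: the event fields (`actor`, `action`, `workspace`, `ts`), the action string `task_deleted`, and the threshold of 5 are assumptions standing in for whatever the ingested Asana events and the configured X actually are.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_bulk_actions(events, action, threshold, window=timedelta(hours=1),
                        workspaces=None):
    """Flag actors with more than `threshold` events of `action` inside any
    sliding `window`. `workspaces` optionally limits the rule to sensitive ones."""
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != action:
            continue
        if workspaces is not None and ev["workspace"] not in workspaces:
            continue
        q = recent[ev["actor"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > threshold:            # "more than X", so strictly greater
            best = alerts.get(ev["actor"])
            if best is None or len(q) > best["count"]:
                alerts[ev["actor"]] = {"count": len(q), "start": q[0], "end": q[-1]}
    return alerts

# Constructed sample events (hypothetical schema, not Asana's audit log format).
BASE = datetime(2024, 1, 15, 9, 0)

def _ev(actor, action, minutes, workspace="finance"):
    return {"actor": actor, "action": action, "workspace": workspace,
            "ts": BASE + timedelta(minutes=minutes)}

SAMPLE_EVENTS = (
    [_ev("alice@example.com", "task_deleted", 5 * i) for i in range(6)]     # burst: 6 in 25 min
    + [_ev("bob@example.com", "task_deleted", 70 * i) for i in range(6)]    # slow: 1 per 70 min
    + [_ev("alice@example.com", "task_created", 0)]                         # unrelated action
)

if __name__ == "__main__":
    hits = detect_bulk_actions(SAMPLE_EVENTS, "task_deleted", threshold=5)
    for actor, hit in hits.items():
        print(actor, hit["count"], hit["start"], hit["end"])
```

Both sample users delete six tasks in total, but only the burst inside one hour crosses the threshold; a plain per-day count would flag both.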

APIs and Their Scopes

| Detection Rule | Required API | API Scopes |
|---|---|---|
| Unauthorized Project Creation | Projects API | default (read/write projects) |
| Suspicious Task Assignment to Admins | Tasks API | default (read/write tasks) |
| High Volume Task Deletion | Tasks API | default (read/write tasks) |
| Unauthorized Access to Private Projects | Projects API | default (read/write projects) |
| Bulk Project Sharing with External Domains | Projects API | default (read/write projects) |
| API Token Misuse for Unauthorized Automation | API Token Management | default (read/write) |
| Unauthorized Custom Fields Creation | Custom Fields API | default (read/write custom fields) |
| Mass Task Reassignment to External Users | Tasks API | default (read/write tasks) |
| Suspicious App Integration | Apps API | default (read/write apps) |
| Unauthorized Project Deletion | Projects API | default (read/write projects) |
| Privilege Escalation via Admin Role Assignment | Teams API | default (read/write teams) |
| Task Comments Containing Sensitive Data | Tasks API | default (read/write tasks) |
| Unauthorized Change in Project Ownership | Projects API | default (read/write projects) |

Reports and Widgets for CISO

| Report Name | Widgets | Description |
|---|---|---|
| Unauthorized Project Activities | Bar chart of unauthorized projects created/deleted; List of recent unauthorized access events; Heatmap of project activity by user | Summary of unauthorized project creations, deletions, and access changes. |
| Task Management Overview | Pie chart of tasks assigned by role; List of recent unauthorized access events; Heatmap of project activity by user | Overview of task assignments and changes, highlighting suspicious patterns. |
| Sensitive Data Exposure | Number of sensitive comments flagged; List of tasks with sensitive data; Trend chart of sensitive data occurrences over time | Overview of task comments or files containing sensitive data. |
| API Token Usage Audit | Line graph of API token usage over time; List of tokens with access violations; Pie chart of API calls by user role | Analysis of API token usage to detect unauthorized or suspicious activities. |
| User Access Review | List of recent role changes (admin assignments); Bar chart of user access levels; Summary table of inactive users | Summary of user access and role changes, focusing on privilege escalation. |
| Third-Party App Integrations | List of active integrations; Pie chart of permissions requested by apps; Line graph of new app integrations over time | Report on third-party applications integrated with Asana and their access. |
| Task Deletion Activities | Line graph of task deletion events over time; List of users performing deletions; Bar chart of deletions by project | Overview of task deletions, highlighting any mass deletions or suspicious activities. |
| Project Sharing Analysis | List of projects shared externally; Pie chart of external shares by domain; Heatmap of sharing activities by user | Analysis of project sharing activities, especially with external domains. |
| Security Incident Trends | Line graph of incidents over time; Pie chart of incident types; Summary table of open incidents by severity | Overview of security incidents related to Asana activities, tracked over time. |
| Custom Fields Usage | List of new custom fields created; Bar chart of custom fields usage by project; Line graph of modifications to custom fields over time | Analysis of custom fields created or modified, highlighting unauthorized changes. |