Trello

Trello - Visual collaboration tool for organizing tasks and projects.

Provider: Trello

| Detection Rule | MITRE Tactic | MITRE Technique | Criticality | Investigation Actions (APIs) | Incident Creation Criteria |
|---|---|---|---|---|---|
| Unusual User Login Activity | Initial Access | T1078: Valid Accounts | High | Retrieve user login history using the Trello API. Check IP address geolocation. | Login from a previously unseen IP address or multiple failed logins followed by a successful one. |
| Changes to Board Settings | Privilege Escalation | T1068: Exploitation for Client Execution | Medium | Get board activity logs to identify changes. Retrieve list of current board members. | Unauthorized change in board privacy or membership roles. |
| High Frequency of Card Creation/Deletion | Impact | T1485: Data Destruction | Medium | Pull activity logs for specific boards. Check for sudden spikes in card actions. | More than X cards created or deleted in a short time frame (e.g., 10 in 1 hour). |
| Comment Activity Analysis | Exfiltration | T1041: Exfiltration Over Web Service | Medium | Retrieve comments on cards using the Trello API. Analyze for spam or abusive content. | High volume of comments (e.g., over 100 in a short period) on a single card. |
| File Attachments Monitoring | Exfiltration | T1560: Archive Collected Data | High | Fetch attachments on cards and check file types. Identify high-risk files (e.g., .exe, .zip). | Upload of sensitive file types detected on any card. |
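
An added example (not part of the original page or the integration's own code) of the sliding-window logic behind the card creation/deletion and comment-volume criteria above. The record fields (`type`, `date`, `idMemberCreator`, `data`) are modelled on Trello action objects; the sample records, ids, and the one-hour comment window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds use the page's example values; the one-hour comment window is an
# assumption, since the page only says "a short period".
RULES = {
    "card_churn": ({"createCard", "deleteCard"}, "board", 10, timedelta(hours=1)),
    "comment_flood": ({"commentCard"}, "card", 100, timedelta(hours=1)),
}

def parse_ts(value):
    # Action dates are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect(actions, rules=RULES):
    """Return one incident per (rule, target) when a sliding window exceeds its limit."""
    windows, incidents = defaultdict(deque), {}
    for act in sorted(actions, key=lambda a: parse_ts(a["date"])):
        ts = parse_ts(act["date"])
        for name, (types, scope, limit, window) in rules.items():
            if act["type"] not in types:
                continue
            key = (name, act["data"][scope]["id"])  # group per board or per card
            q = windows[key]
            q.append((ts, act["idMemberCreator"]))
            while ts - q[0][0] > window:  # drop events older than the window
                q.popleft()
            if len(q) > limit and key not in incidents:
                incidents[key] = {
                    "rule": name, "target": key[1], "count": len(q),
                    "window_start": q[0][0], "triggered_at": ts,
                    "members": sorted({m for _, m in q}),
                }
    return list(incidents.values())

def make_action(kind, minute, board, card, member):
    # Constructed record holding only the fields the detector reads.
    ts = datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return {"type": kind, "date": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
            "idMemberCreator": member,
            "data": {"board": {"id": board}, "card": {"id": card}}}

def sample_actions():
    # 11 deletions in 30 minutes on one board, and 11 creations spread over 10 hours on another.
    burst = [make_action("deleteCard", 3 * i, "board-A", f"c{i}", "member-1") for i in range(11)]
    slow = [make_action("createCard", 60 * i, "board-B", f"d{i}", "member-2") for i in range(11)]
    return burst + slow

if __name__ == "__main__":
    for incident in detect(sample_actions()):
        print(incident)
```

Only the burst on `board-A` raises an incident; the same number of card actions spread across hours on `board-B` stays below the threshold in every window.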

APIs and Their Scopes

| Detection Rule | API | API Scopes |
|---|---|---|
| Unusual User Login Activity | /1/members/{memberId}/actions | read |
| Changes to Board Settings | /1/boards/{boardId}/actions | read |
| High Frequency of Card Creation/Deletion | /1/boards/{boardId}/cards | read |
| Comment Activity Analysis | /1/cards/{cardId}/actions | read |
| File Attachments Monitoring | /1/cards/{cardId}/attachments | read |

Reports and Widgets for CISO

| Report Name | Widgets | Description |
|---|---|---|
| User Activity Report | User Login Summary: Graph showing logins over time. Top Active Users: List of users with the most activity. Failed Logins: Bar chart of failed login attempts per user. | Overview of user interactions within Trello, highlighting key activities. |
| Anomalies and Alerts Report | Alerts Timeline: Timeline of alerts triggered. Alert Categories: Pie chart categorizing alert types. Unusual Activity Overview: Table of users with unusual activity levels. | Summary of detected anomalies and triggered alerts in Trello. |
| Board Changes Report | Recent Changes: List of recent board changes with timestamps. Board Member Changes: Bar chart showing changes in board membership. Board Privacy Settings: Table showing current privacy settings of all boards. | Details significant changes made to board settings and membership. |
| Sensitive File Uploads Report | File Uploads Summary: Line graph showing file uploads over time. High-Risk Files Detected: List of sensitive files uploaded. Upload Sources: Bar chart showing user uploads by role. | Highlights any sensitive file types uploaded to Trello. |
| Comment Activity Report | Comment Volume Trends: Line graph of comment activity over time. Top Commenters: List of users with the highest comment volume. Spam Detection Summary: Table showing flagged comments for review. | Analysis of comment activities, identifying potential spam or abuse. |