Asana content export initiated by user
Set up the Asana integration.
Goal
Detect mass downloading of Asana attachments, which may represent data exfiltration of sensitive files.
Strategy
This rule monitors Asana audit logs for attachment_downloaded events performed by a user and triggers an alert, with severity varying based on the number of attachments downloaded.
An attachment object represents any file attached to a task in Asana, whether it’s an uploaded file or one associated through a third-party service such as Dropbox or Google Drive.
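The strategy above as an added sketch (not Datadog's rule definition and not code from this page): count attachment_downloaded events per actor in a sliding time window and map the peak count to a severity. The window length, the thresholds, and the sample events are assumptions constructed for illustration; the field names event_type, actor.email, and created_at are assumed to match the Asana audit log event shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values: the rule's real window and thresholds are not stated on the page.
WINDOW = timedelta(minutes=10)
THRESHOLDS = [(50, "high"), (20, "medium"), (10, "low")]  # (min downloads, severity)

def severity_for(count):
    """Map a download count to a severity, or None if below every threshold."""
    for minimum, severity in THRESHOLDS:
        if count >= minimum:
            return severity
    return None

def detect_mass_download(events):
    """Return {actor email: (peak downloads in any WINDOW, severity)} for actors over threshold."""
    per_actor = defaultdict(list)
    for ev in events:
        email = (ev.get("actor") or {}).get("email")
        # Skip other event types and actors without an email (cannot group by user).
        if ev.get("event_type") == "attachment_downloaded" and email:
            per_actor[email].append(datetime.fromisoformat(ev["created_at"]))
    alerts = {}
    for email, times in per_actor.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        sev = severity_for(peak)
        if sev:
            alerts[email] = (peak, sev)
    return alerts

def sample_events():
    """Constructed sample data, not real Asana audit log output."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    def ev(email, kind, offset_s):
        return {"event_type": kind, "actor": {"email": email},
                "created_at": (base + timedelta(seconds=offset_s)).isoformat()}
    bulk = [ev("alice@example.com", "attachment_downloaded", i * 10) for i in range(25)]
    slow = [ev("bob@example.com", "attachment_downloaded", i * 3600) for i in range(12)]
    return bulk + slow + [ev("carol@example.com", "user_login_succeeded", i) for i in range(100)]

if __name__ == "__main__":
    for email, (count, sev) in detect_mass_download(sample_events()).items():
        print(f"{sev.upper()}: {email} downloaded {count} attachments within {WINDOW}")
```

The slow downloader (12 files, one per hour) never exceeds one download per window and raises no alert, which shows why the window length matters as much as the thresholds when tuning this kind of rule.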
Triage & Response
- Verify the identity of the actor ({{@usr.email}}) and determine if they have legitimate business reasons to download multiple attachments.
- Review which attachments were downloaded and determine their sensitivity level.
- Analyze the actor’s normal access patterns to identify deviations from typical behavior.
- Evaluate if the downloads occurred from unusual geographic locations or IP addresses.
- If malicious activity is suspected, begin your security incident response process.