Asana content export initiated by user

This rule is part of a beta feature. To learn more, contact Support.
asana

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

Set up the asana integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detect mass downloading of Asana attachments, which may represent data exfiltration of sensitive files.

Strategy

This rule monitors Asana audit logs for attachment_downloaded events performed by a user and triggers an alert, with varying severity based on the quantity of attachments download.

An attachment object represents any file attached to a task in Asana, whether it’s an uploaded file or one associated through a third-party service such as Dropbox or Google Drive.

Triage & Response

  • Verify the identity of the actor ({{@usr.email}}) and determine if they have legitimate business reasons to download multiple attachments.
  • Review which attachments were downloaded and determine their sensitivity level.
  • Analyze the actor’s normal access patterns to identify deviations from typical behavior.
  • Evaluate if the downloads occurred from unusual geographic locations or IP addresses.
  • If malicious activity is suspected, begin your security incident response process.

References