Asana role change to admin or super-admin detected

This rule is part of a beta feature. To learn more, contact Support.
asana

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Identify role changes to admin or super-admin, as these could indicate privilege escalation attempts or improper access assignments.

Strategy

This rule monitors log events specifically for changes where roles are elevated to admin or super-admin. It aims to detect unauthorized access or misconfigurations that could impact system security.

Triage and response

  1. Examine the logs to identify the user {{@usr.email}} whose role was changed to admin or super-admin and determine the initiator of the change {{@resource.email}}.
  2. Confirm if the role change was expected or authorized by consulting relevant stakeholders or referring to change management records.
  3. Analyze whether the user or initiator has recently engaged in unusual or high-risk activities, which could indicate a compromised account or intentional misuse.
  4. If the role change is unauthorized, consider reverting the role, notifying affected parties, and initiating a security review.