Asana user multi-factor authentication method disabled

This rule is part of a beta feature. To learn more, contact Support.
asana

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1556-modify-authentication-process

Set up the asana integration.

Goal

Detect when a user has disabled two-factor authentication (2FA) for their account. This could indicate an attacker who is maintaining access to a compromised user account by weakening the account’s security controls.

Strategy

This rule monitors multi-factor authentication removal events across users and raises an alert if a user disables their registered method.

Triage and response

  1. Review logs to identify the user {{@usr.email}} who has disabled multi-factor authentication.
  2. Determine if the action was user-initiated or performed by an administrator by checking if the log indicates a specific initiator {{@resource.email}}.
  3. Investigate any recent login and action-related event logs within the Asana platform by {{@usr.email}} that could demonstrate anomalous behavior.
  4. If the change appears malicious, invoke your security incident response process. Next steps could include:
    • Temporarily suspend the affected account.
    • Rotate user credentials.
    • Work with the user to re-enroll in multi-factor authentication.