Asana user multi-factor authentication method disabled

This rule is part of a beta feature. To learn more, contact Support.
asana

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1556-modify-authentication-process

Set up the asana integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user has disabled two-factor authentication (2FA) for their account. This could indicate an attacker who is maintaining access to a compromised user account by weakening the account’s security controls.

Strategy

This rule monitors multi-factor authentication removal events across users and raises an alert if a user disables their registered method.

Triage and response

  1. Review logs to identify the user {{@usr.email}} who has disabled multi-factor authentication.
  2. Determine if the action was user-initiated or performed by an administrator by checking if the log indicates a specific initiator {{@resource.email}}.
  3. Investigate any recent login and action-related event logs within the Asana platform by {{@usr.email}} that could demonstrate anomalous behavior.
  4. If the change appears malicious, invoke your security incident response process. Next steps could include:
    • Temporarily suspend the affected account.
    • Rotate user credentials.
    • Work with the user to re-enroll in multi-factor authentication.
PREVIEWING: adelhajhassan/add_csi_driver_documentation