Asana Personal Access Token
Service Name: Asana
Service Description: Asana is a web and mobile application designed to help teams organize, track, and manage their work. It provides project management tools that enable teams to collaborate effectively, track tasks, and meet deadlines.
Service Address: https://asana.com/
Validation Type: API Auth
IP Allow list: IP restrictions are available at the organization level through Asana Enterprise plans with SCIM provisioning.
Secret Access Scope: Grants programmatic access to Asana resources and data, including projects, tasks, teams, and user information based on the token owner's permissions.
Secret Revokement URL: https://app.asana.com/0/developer-console
Secret Example: 1/123456789012345678901234
Suspicious Activity Investigation Instructions:
- Review Asana audit logs for unusual activity (available on Business and Enterprise plans).
- Check for unauthorized project access or task modifications.
- Monitor for unusual API calls or data exports.
- Verify if there are any new integrations or apps connected to your Asana workspace.
- Review task history and comments for signs of unauthorized access.
Mitigation Instructions:
- Log in to your Asana account and navigate to "My Profile Settings".
- Go to the "Apps" tab.
- Find the "Developer Apps" section and click on "Manage Developer Apps".
- Locate the compromised Personal Access Token and click "Revoke".
- Create a new token if needed with appropriate scopes.
- Consider enabling SAML authentication and SCIM provisioning if available on your plan.
- Review and update team member access permissions as needed.
- Enable two-factor authentication for all users in your organization.