Hello all! My name is Sam, and I’m a member of Asana’s Product team. Today, I’m excited to announce the launch of Asana’s new Audit Log API. This new feature is designed to provide admins in Enterprise organizations visibility into key security and compliance events within their organizations. We expect that Enterprise organizations may want to leverage our Audit Log API to:
- Set up proactive alerting with a Security Information and Event Management (SIEM) tool (we also launched an Asana-built Splunk app today, which you can learn more about here!)
- Conduct reactive investigations when a security incident takes place
- Visualize key domain data in aggregate to identify security trends
You can visit the developer docs here for full details around each event and the API endpoint. We’re currently capturing over 75 event types across a range of categories; I included a full list at the bottom of this post. Each event includes standard details like actor and resource, and some events additionally include custom schema specific to the type of event.
The Audit Log API endpoint is accessible to Enterprise organizations and, like our SCIM endpoint, is authenticated via a Service Account. We retain audit logs for 90 days after we capture them, though you can maintain a longer retention period via your SIEM or storage solution of choice.
We expect to add new events over time and we’ll share them on this post when we do, so please do follow this post if you’d like to learn about updates as they come. Thanks, and happy Wednesday!
Full list of events:
- Logins: user_login_succeeded, user_login_failed, user_logged_out
- User Updates: user_invited, user_deprovisioned, user_reprovisioned, user_forgot_password_started, user_password_reset, user_password_changed, user_two_factor_auth_enabled, user_two_factor_auth_disabled
- Content Export: workspace_export_started, search_report_export_started, workspace_teams_export_started, workspace_members_export_started, division_teams_export_started, project_csv_export_started
- Access Control: project_share_link_enabled, project_share_link_disabled, project_view_link_enabled, project_view_link_disabled, team_privacy_settings_changed, team_member_added, team_member_removed, project_member_added, project_member_removed, project_privacy_settings_changed
- Apps: user_app_authorized, user_app_revoked, user_personal_access_token_authorized, user_personal_access_token_revoked, service_account_created, service_account_deleted, service_account_name_changed, team_harvest_integration_enabled, team_harvest_integration_disabled
- Creation: team_created
- Admin Settings: workspace_google_sso_settings_changed, workspace_saml_settings_changed, workspace_saml_url_changed, workspace_password_requirements_changed, workspace_force_password_reset, workspace_guest_invite_permissions_changed, workspace_file_attachment_options_changed, workspace_default_team_privacy_settings_changed, workspace_wide_reporting_enabled, workspace_wide_reporting_disabled, workspace_associated_email_domain_added, workspace_associated_email_domain_removed, workspace_require_two_factor_auth_disabled, workspace_require_two_factor_auth_disabled, workspace_share_links_enabled, workspace_share_links_disabled
- Roles: user_workspace_admin_role_changed, user_division_admin_role_changed
- Deletion: task_deleted, task_permanently_deleted, task_undeleted, project_deleted, project_undeleted, portfolio_deleted, portfolio_undeleted, goal_deleted, goal_undeleted, custom_field_deleted, custom_field_undeleted, message_deleted, message_undeleted, message_permanently_deleted, status_update_deleted, status_update_undeleted, status_update_permanently_deleted, team_deleted, team_undeleted, attachment_deleted, attachment_undeleted, comment_deleted, comment_undeleted
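One way to turn the SIEM alerting use case from the post into correlation rules, as an added example (not Asana's code and not part of the original post). The event types are taken from the list above; the record fields (`gid`, `created_at`, `event_type`, `actor.email`), the one-hour window, the failed-login threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event types copied from the list in the post.
WEAKENING = {"user_two_factor_auth_disabled", "workspace_require_two_factor_auth_disabled",
             "workspace_password_requirements_changed", "workspace_saml_settings_changed"}
EXPORTS = {"workspace_export_started", "search_report_export_started",
           "workspace_members_export_started", "project_csv_export_started"}
WINDOW = timedelta(hours=1)  # assumed correlation window
FAILED_LOGINS = 3            # assumed threshold

def _ts(event):
    # Assumption: created_at is ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(event["created_at"].replace("Z", "+00:00"))

def detect(events):
    """Return (rule, actor, event gid) alerts for two correlation rules."""
    alerts = []
    failures = defaultdict(deque)  # actor -> times of recent failed logins
    weakened = {}                  # actor -> time of last control-weakening event
    for ev in sorted(events, key=_ts):
        actor, kind, now = ev["actor"]["email"], ev["event_type"], _ts(ev)
        recent = failures[actor]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if kind == "user_login_failed":
            recent.append(now)
        elif kind == "user_login_succeeded":
            if len(recent) >= FAILED_LOGINS:
                alerts.append(("login_after_failures", actor, ev["gid"]))
            recent.clear()
        elif kind in WEAKENING:
            weakened[actor] = now
        elif kind in EXPORTS and actor in weakened and now - weakened[actor] <= WINDOW:
            alerts.append(("export_after_control_change", actor, ev["gid"]))
    return alerts

def _ev(gid, minute, kind, email):
    # Builds a constructed sample record; not real audit data.
    return {"gid": gid, "created_at": f"2022-01-05T10:{minute:02d}:00Z",
            "event_type": kind, "actor": {"email": email}}

SAMPLE = [_ev("1", 0, "user_login_failed", "a@example.com"),
          _ev("2", 1, "user_login_failed", "a@example.com"),
          _ev("3", 2, "user_login_failed", "a@example.com"),
          _ev("4", 3, "user_login_succeeded", "a@example.com"),
          _ev("5", 10, "workspace_require_two_factor_auth_disabled", "b@example.com"),
          _ev("6", 20, "workspace_export_started", "b@example.com"),
          _ev("7", 30, "project_csv_export_started", "c@example.com")]
```

Calling `detect(SAMPLE)` flags the login that follows three failures and the export that follows the two-factor requirement change, and leaves the unrelated export by the third actor alone.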
Hello! Just a quick note to announce that as of today (1/24/22), we’ve started capturing three new audit log events for Enterprise domains: workspace_announcement_created, workspace_announcement_removed, and workspace_default_session_duration_changed. These events are captured in our developer documentation here.
Hello! Another quick note here to announce that as of Friday (2/04/22), we’ve started capturing two more audit log events for Enterprise domains: attachment_downloaded and attachment_uploaded. Like with our other audit log events, more information can be found in our developer documentation here.
Hello again! Just a quick note that as of 3/3/22, we began capturing three new events for Enterprise domains: task_template_deleted, task_template_undeleted, project_template_deleted, and project_template_undeleted. These events are captured in our developer documentation here.
Hi all! Just a quick note that we recently began capturing six new audit events to cover new features in Asana. Those are: workspace_form_link_authentication_required_enabled, workspace_form_link_authentication_required_disabled, workspace_app_admin_approval_setting_changed, workspace_personal_access_token_enabled, workspace_personal_access_token_disabled, and workspace_require_app_approvals_of_type_changed. All audit events are captured in our developer documentation here.
Just a quick note that we recently began capturing four new audit events to cover new features in Asana. Those are: workspace_logged_out_view_authentication_required_enabled, workspace_logged_out_view_authentication_required_disabled, workspace_form_is_embeddable_forms_enabled, and workspace_form_is_embeddable_forms_disabled. Audit events are captured in our developer documentation here.
Just a quick note that we recently began capturing three new audit events in Asana. Those are: portfolio_member_added, portfolio_member_removed, and workspace_security_contact_email_changed. Audit events are captured in our developer documentation here.
We recently began capturing one new audit event in Asana: workspace_app_recipient_emails_changed. Audit events are captured in our developer documentation here.
We recently began capturing one new audit event in Asana: workspace_attachment_export_started. Audit events are captured in our developer documentation here.
We recently discovered that we had not begun capturing the workspace_security_contact_email_changed event in the audit log for customer domains. This does not affect any other audit events, and the event is now being captured for all customer domains. If you have any questions, please contact firstname.lastname@example.org.
We recently began capturing one new audit event in Asana: workspace_baa_signed. Audit events are captured in our developer documentation here.
We recently began capturing several new audit events in Asana: workspace_job_title_field_editability_changed, workspace_department_field_editability_changed, story_deleted, story_undeleted, workspace_mobile_app_copy_paste_enabled, workspace_mobile_app_attachments_sharing_disabled, workspace_mobile_app_copy_paste_disabled, workspace_mobile_app_widgets_enabled, workspace_mobile_app_screen_capture_disabled, workspace_mobile_app_biometric_authentication_required_disabled, workspace_mobile_app_biometric_authentication_required_enabled, workspace_mobile_app_attachments_sharing_enabled, workspace_mobile_app_widgets_disabled, workspace_mobile_app_biometric_authentication_duration_changed, and workspace_mobile_app_screen_capture_enabled. Two events, workspace_job_title_field_editability_changed and workspace_department_field_editability_changed, showed up in our developer docs before we began capturing them for customer domains, but they are being captured as of today. Audit events are captured in our developer documentation here. If you have any questions, please contact email@example.com.
We recently began capturing several new audit events in Asana: team_join_request_created,
object_export_started. Audit events are captured in our developer documentation here.
We recently began capturing one new audit event in Asana: workspace_machine_learning_product_feature_changed. Audit events are captured in our developer documentation here.
We recently began capturing several new audit events in Asana: workspace_deprovisioning_project_include_completed_tasks_enabled, workspace_deprovisioning_project_include_completed_tasks_disabled, workspace_deprovisioning_project_recipient_changed, workspace_create_deprovisioning_project_enabled, and workspace_create_deprovisioning_project_disabled. Audit events are captured in our developer documentation here.
We recently began capturing one new audit event in Asana: workspace_audit_log_export_started. Audit events are captured in our developer documentation here.
We recently discovered that when an admin used a new admin console feature to revoke the Personal Access Token (PAT) of a specific user who was in multiple Enterprise domains, we may have only captured a user_personal_access_token_revoked event in a single domain. This affected a very limited number of user_personal_access_token_revoked events for a short period of time, and it has been fixed. If you have any questions, please contact firstname.lastname@example.org.
Between 5/10/23 and 5/22/23, eight* of our roughly 130 audit log events were captured with an incorrect, generic actor. Exports of audit logs may have shown that incorrect actor detail.
The vast majority of those events now reflect the correct actor. We won’t be able to populate affected events with the additional context that’s typically included in an audit event, and three remaining event types may continue to reflect a generic actor. This bug was limited only to a subset of audit events during the specific time frame referenced.
If you initiated an export of audit logs during the affected time period, you may wish to re-export data for that timeframe. No other action is needed, and we apologize for the confusion caused by this bug. If you have any questions, please contact email@example.com.
*Affected audit log events that now reflect the correct actor include user_login_succeeded, user_login_failed, user_password_changed, user_personal_access_token_authorized, and user_app_authorized. Affected audit events that may reflect a generic actor include user_logged_out, user_app_revoked, and user_personal_access_token_revoked.
We recently began capturing two new audit events in Asana: bundle_deleted and bundle_installation_deleted. Audit events are captured in our developer documentation here.