
Summary
This detection rule monitors changes to the app approval settings within Asana workspaces, focusing specifically on cases where the app approval requirement is disabled. The rule is intended to flag unauthorized alterations to this critical security control. When a user, such as the one identified in the test, disables app approval for all applications, unrestricted app access becomes possible, which creates a potential attack vector for security incidents. The logs capture significant user actions and parameters, such as the user's email, the client IP address, and the nature of the change in settings, indicating which parameter was altered and its previous value. Regular monitoring of such changes is crucial for maintaining security compliance and operational integrity. If it is determined that the user had a legitimate business reason for this change and that proper authorization was obtained, the alert may be deemed a false positive. Conversely, if no proper authorization is found, immediate action may be required to restore the prior app approval requirements.
Categories
- Cloud
- Web
- Application
- Identity Management
Data Sources
- User Account
- Application Log
Created: 2023-03-02