• Documentation

Investigate and remediate an alert

Guard Detect sends an alert when suspicious behavior or potentially sensitive data is detected. This is the point the work really begins for your admins or security team.

We aim to help you and your security team investigate the alert, determine whether the behavior is indeed suspicious, then take any necessary remediation actions as quickly as possible.

Who can do this?
Role: Organization admin
Plan: Atlassian Guard Premium

Investigate an alert

No two investigations will be the same, but here’s a high-level summary of the steps you might take during an investigation:

  • Review the alert description, this is the high-level summary of what happened.

  • Review the actor details, this is the person or account that performed the account.

  • Review the recommended investigation steps. These suggest actions you can take to verify whether the behavior or suspicious content is expected. Ultimately, you’ll need to decide whether these suggested actions are right for your company, depending on the context of the alert.

  • Review the remediation options. These provide quick access to common remediation actions, such as suspending the actor, or reversing a change.

  • Change the status of the alert to indicate the result of your investigation.

Actor details

Every alert includes basic actor details such as their name, job title, location, and current IP address. Dive deeper and you can see more about their activity and profile.

Actor activity

The actor activity sidebar shows the event that triggered the alert in context. It shows audit log events and alerts for actions the actor performed immediately before or after the current alert.

This can help you see at a glance if there are other suspicious behaviors, or give you some clue as to what the actor was doing at the time the alert was triggered.

Actor activity showing exported alert, and a data security policy deactivated alert from a few minutes earlier.

In this example, we can see that before exporting two spaces, the actor disabled a data security policy set up by an administrator. You could dive into that alert, to see if the policy was preventing export. Very quickly you can build up a picture of the actor’s movements.

Actor profile

The actor profile collects everything we know about the actor, including their job title, product access, roles, session and device information, location, and a searchable list of all audit log events and alerts related to that person.

It presents this information in one place, so it’s easy for you to spot discrepancies. For example, a login from a new device and location may suggest that a bad actor is using stolen credentials.

Actor profile showing a map with active sessions in California and Poland

The searchable list of audit log events and alerts makes it easy for the analyst to put together a timeline of events, and identify patterns of activity that individually may not be concerning, but together are suspicious.

Actor profile activity table with alerts and audit log events

Subject details and other context

The alert will also include information about the subject, which may be a person or an entity, such as a product, space, or admin configuration.

Many alerts also provide additional information that helps to place the activity in context, such as the product instance, space or project title, and classification level, if relevant.

Quick actions

Acting quickly can be essential when investigating an alert. Just as no two investigations are the same, the actions you may take will differ between organizations and types of threats.

We provide a number of recommended investigation steps on the alert, to guide you through the investigation. These can be very helpful as a jumping off point for you and your team.

They provide suggestions and quick links to the places in product and Atlassian Administration where you can get more information and context.

Investigation steps

Remediation options

Most alerts also include remediation options. These are provided to help your team act quickly. Although not all remediation options will be appropriate in every situation or your company’s unique circumstances, it’s useful for the team investigating the alert to see what options are available.

These range from suspending the actor’s access to all products in your organization, to more long-term actions such as applying a data security policy, or changing the product configuration.

Remediation steps

Suspend actor

A common remediation action is to suspend the actor. This temporarily removes all of their product access in your Atlassian organization. Because this action is easily reversed, this can be a useful step to take early in your investigation, to prevent any further activity.

You can suspend the actor from:

  • The actor activity sidebar

  • The actor profile

If you have the improved user management experience, you can suspend the actor immediately. If you have the original user management, we’ll take you to Atlassian Administration where you can either deactivate their account, or manually remove product access.

Track the status of the investigation

Good communication is essential during an investigation, and most organizations have procedures that need to be followed.

For a lightweight approach, you can set the status of the alert, so you team knows its being investigated, or has been closed. Alternatively, create a Jira issue to track the investigation and any remediation action that your team may need to take. This is particularly useful if you need to hand off to another team.

How to track the status of an alert

Still need help?

The Atlassian Community is here for you.