
What user activity is detected?

Guard Detect helps teams detect, investigate, and respond to suspicious user activity and potentially sensitive data across Atlassian cloud products like Jira, Confluence, and Atlassian administration.

There are two types of detections:

  • User activity - these detections analyze user actions, and notify you about potentially suspicious behavior.

  • Content scanning - these detections focus on data, and alert you when potentially sensitive data is added to Confluence pages (see: What sensitive data is detected?).

User activity detections

We monitor your organization for five types of activity:

  • Authorization and access events

  • Data exfiltration events

  • Unusual user activity

  • Product configuration events

  • Integration change events

Authorization and access events

These are important to monitor because threat actors, whether internal or external, commonly target highly privileged user accounts, such as organization admins, to gain access to an organization’s data. Detecting changes in access can help you catch compromised accounts or abuse of legitimate accounts early.

Detections in this category include:

  • Access and password changes such as admins logging in as another user (user impersonation), organization admin changes, and org admin password resets.

  • Policy changes such as changes to IP allowlist policies, authentication policies, and adding or removing verified domains.

  • Admin API key creation

Example: An IT administrator is planning to leave the company, but wants to secretly maintain their access to the company’s internal Confluence spaces and Jira projects. They create a separate admin account that doesn’t adhere to the company's authentication policies, which will allow them to log in even after they’ve left the company.

We detect and alert teams when a new organization admin account is added, enabling you to investigate and remediate the threat before the account can be abused.

Data exfiltration events

Your organization’s data is one of your most precious assets. It’s also susceptible to both outsider and insider threats.

During a data exfiltration event, a threat actor attempts to steal sensitive or proprietary data from your organization, sharing it beyond your organization’s protected systems, and posing a risk to your business. By detecting potential data exfiltration events, your team can investigate them, and if needed, remediate them before the actor is able to use the stolen data.

We detect and alert your team to events involving:

  • Exporting data such as Confluence page and space exports, Confluence site backups, Atlassian Access audit log exports, and identity provider configuration changes.

Example: An employee in your finance department has resigned from their position, and is working their last week at your organization. They want to save a set of Confluence pages that contain information on a strategic initiative they worked on last year for their own personal reference. They export 11 Confluence pages related to the project to PDFs within 30 minutes and send them to their personal email to save on their personal computer.

By alerting your team when a user exports an anomalous amount of Confluence pages over a short period of time, your team can investigate the event and determine if the employee breached their employment agreement.

Unusual user activity

Any user with access to your organization’s systems also has the power to abuse them. While following the principle of least privilege can restrict the average insider’s access to highly protected systems, nearly all users will still require access to sensitive data and systems in order to do their work.

But monitoring user activity at scale is challenging or infeasible for most security teams. By automating user activity monitoring, you get visibility into outlier users and can home in on suspicious behavior before it escalates.

We detect and alert your team to events involving:

  • Suspicious search activity in Confluence

  • Jira issue and Confluence page crawling

Example: A business analyst recently downloaded a new piece of productivity software that also happened to contain a strain of commodity malware. The malware authors now have the same level of access to Confluence as the business analyst user and start searching for sensitive information they can steal or use to maintain access.

Your team would receive an alert that the business analyst user account was making several suspicious searches on Confluence that appeared abnormal, enabling you to investigate the activity and address the root cause.
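The two examples above (the finance employee who exports 11 pages in 30 minutes, and the compromised analyst account that crawls Confluence) both describe the same underlying detection shape: an actor performing one kind of action many more times in a short window than a normal user would. The page does not state what thresholds or logic Guard Detect itself uses, so the following is an added illustration, not Atlassian's code, of how a team might implement that burst check over its own audit events. The event schema, the actor names, the action names and the thresholds are all constructed assumptions.

```python
"""Sliding-window burst detection over a constructed audit-event stream.

Assumed event schema (illustrative only, not Atlassian's audit log format):
  {"ts": "2024-05-06T10:00:00Z", "actor": "alice",
   "action": "confluence.page.export", "target": "page-101"}
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _ts(minute: int, second: int = 0) -> str:
    """Timestamp on a fixed constructed day, used only to build sample data."""
    base = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
    return (base + timedelta(minutes=minute, seconds=second)).strftime("%Y-%m-%dT%H:%M:%SZ")


def _event(minute, actor, action, target, second=0):
    return {"ts": _ts(minute, second), "actor": actor, "action": action, "target": target}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample stream (fabricated actors and content, deliberately unsorted).
SAMPLE_EVENTS = (
    # alice: 11 page exports in 20 minutes -> export burst
    [_event(2 * i, "alice", "confluence.page.export", f"page-{100 + i}") for i in range(11)]
    # bob: 2 exports spread across the day -> normal
    + [_event(5, "bob", "confluence.page.export", "page-300"),
       _event(400, "bob", "confluence.page.export", "page-301")]
    # carol: 30 page views in 90 seconds -> crawling burst
    + [_event(45, "carol", "confluence.page.view", f"page-{500 + i}", second=3 * i) for i in range(30)]
    # dave: 4 page views over half an hour -> normal
    + [_event(10 * i, "dave", "confluence.page.view", f"page-{700 + i}") for i in range(4)]
)


def detect_bursts(events, action, threshold, window):
    """Flag any actor who performs `action` at least `threshold` times within `window`.

    Keeps a per-actor deque of recent matching timestamps and drops entries older
    than the window. The alert fires when the count first reaches the threshold,
    so one sustained burst yields one alert instead of one per additional event.
    Returns a list of dicts with actor, action, count, and the burst's start/end.
    """
    recent = defaultdict(deque)  # actor -> timestamps of matching events in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # fixed-format ISO strings sort correctly
        if ev["action"] != action:
            continue
        now = _parse(ev["ts"])
        q = recent[ev["actor"]]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        if len(q) == threshold:  # count grows by at most one per event, so this is the crossing
            alerts.append({"actor": ev["actor"], "action": action, "count": len(q),
                           "start": q[0].isoformat(), "end": now.isoformat()})
    return alerts


# Assumed thresholds for the two scenarios on the page; tune these to your own baseline.
DETECTORS = {
    "confluence-export-burst": ("confluence.page.export", 10, timedelta(minutes=30)),
    "confluence-page-crawl": ("confluence.page.view", 25, timedelta(minutes=5)),
}


def run_detectors(events):
    """Run every configured detector and return {detector name: [alerts]}."""
    return {name: detect_bursts(events, action, threshold, window)
            for name, (action, threshold, window) in DETECTORS.items()}


if __name__ == "__main__":
    for name, alerts in run_detectors(SAMPLE_EVENTS).items():
        for a in alerts:
            print(f"[{name}] {a['actor']}: {a['count']} x {a['action']} "
                  f"between {a['start']} and {a['end']}")
```

Run as a script, this flags alice for the export burst and carol for the crawl, and stays silent for bob and dave. The fixed thresholds are the weak point of this approach: a team that routinely exports whole spaces would need a per-user or per-role baseline rather than one global number, which is the kind of tuning the Guard Detect alerts leave to your investigation.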

Product configuration events

Insecure configurations can occur intentionally by malicious actors, but can also be a result of an accident made by an inexperienced administrator. Whether the actor is well-intended or not, insecure configurations can potentially affect all of your company’s hosted data.

By monitoring product configuration events across your organization, your team can see insecure configurations or accidental changes when they’re made to avoid downstream impact.

We detect and alert your team to events involving:

  • Public configuration: Application tunnel creation and removal, and anonymous or public access changes to Jira, Confluence, and Bitbucket.

  • Organization admin changes

  • Guard Detect access

Example: One of your newly onboarded admins attempts to create an application tunnel from your Atlassian Cloud site to a Data Center instance of Confluence, and inadvertently deletes an existing application tunnel in the process.

With that tunnel deleted, users can no longer reach the sites and projects they depend on, and the outage drags on for several hours, causing delays across the business.

Because your team is alerted whenever an application tunnel is created or deleted, they learn of the change as it happens and have the context they need to triage and remediate it before it becomes a significant disruption for the employees who rely on that tunnel for their work.

Integration change events

When you install a third-party app from the Atlassian Marketplace, it may affect one, or many, users in your cloud site. Keeping track of which apps have access to your systems, and what type of access they have, is critical to protecting your business.

We detect and alert your team to events involving:

  • Marketplace app installation and removal: currently, these detections only fire for Forge apps, and when 3LO apps are installed for an org for the first time.

Example: A senior leader on your marketing team is working on a strategic update for the entire organization and wants to add a new custom chart app to Confluence to help better illustrate the information they’re presenting. Though your team only allows Cloud-Fortified apps within your suite, this app doesn’t fall into that category. But they’re one of your earliest employees and have maintained highly privileged access throughout their tenure, enabling them to install the new app without approval.

Your team is alerted to the new Marketplace app installation as soon as it happens. They can investigate the alert, where they determine that this app does not meet internal standards, and remove it promptly.

To see a comprehensive list of the events being monitored, go to Detections > User activity.
