> For the complete documentation index, see [llms.txt](https://docs.scanner.dev/scanner/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/atlassian.md). # Atlassian This guide walks through how to set up Atlassian audit logs as a source in Scanner Collect, using direct API integration with the [Atlassian admin org events API](https://developer.atlassian.com/cloud/admin/organization/rest/api-group-events/#api-v1-orgs-orgid-events-stream-get). We'll assume that you want Scanner to both store the logs in S3 and index them for search and detection. ### Step 1: Create a New Source In the Scanner UI, go to the Collect tab. * From the Overview page click the '+' icon in the upper right corner * Select create new **Collect Rule** * Choose **Atlassian**, then click Continue. * On the **Select a Log Type** screen, choose **Atlassian: Audit**. Click Continue. ### Step 2: Configure the Collect Rule Source * Set a **Display Name**, such as `my-org-atlassian-audit`. Click Next. ### Step 3: Authenticate with Atlassian * If you've previously created an Atlassian connection, select it from the list and skip to Step 4. * Otherwise, select **New Atlassian Connection** and fill in: * **Connection Name**: A recognizable name for this connection. * **Organization ID**: The UUID of your Atlassian organization (see below). * **API Key**: The API key value (see below). If you already have an Organization ID and API key, paste them into the Scanner connection form. Otherwise, create them in Atlassian: 1. Sign in at `admin.atlassian.com` as an organization admin. 2. Open the organization, then go to **Organization settings** → **API keys**. 3. Click **Create API key**, give it a name (e.g. `scanner-audit-logs`), and grant it access to read audit log events. 4. On the **Copy API key** screen, copy both the **Organization ID** and the **API key**. The API key cannot be recovered after you leave this screen, so save it somewhere safe (e.g. a password manager) before continuing. 5. Paste both values into the Scanner connection form. Click Next. ### Step 4: Configure the Collect Rule Destination * Choose the S3 Bucket where the raw Atlassian audit logs should be stored. * Enter a **Bucket Prefix** (recommended, e.g. `atlassian/audit/`) to organize the data path in your bucket and avoid collisions with other sources. Click Next. ### Step 5: Review and Create the Collect Rule Review your Collect Rule settings on the **Final Review** screen. Click **Create Collect Rule**. ### Step 6: Index Logs to Scanner * Click "Index Logs to Scanner" to set up an index rule for the logs collected in your S3 Bucket. * Set a name for the index rule, such as `index-rule-for-my-org-atlassian-audit-source`. Click Next. ### Step 7: Configure the Index Rule Origin * Select the S3 Bucket you configured in Step 4. * Provide the same Bucket Prefix you used in Step 4. * Use the default Log Format of Json / Zstd. Click Next. ### Step 8: Configure the Index Rule Destination * Choose the Scanner Index where logs will be made searchable, creating a new index if desired. Click Next. ### Step 9: Transform and Enrich * (Optional) Add transformation or enrichment steps if needed. Click Next. ### Step 10: Timestamp Extraction Leave the default setting: extract timestamp from field `attributes.time`. This field is included in every Atlassian audit log event and reflects when the event occurred. Click Next. ### Step 11: Review and Create the Index Rule Review your configuration settings before creating the index rule. Click **Create Index Rule**. ## What Happens Next Once created: * Scanner will poll the Atlassian admin org events API every **5 minutes**. * New events will be written to your S3 bucket, under the specified key prefix. * Logs will then be indexed for search and detections using the Scanner index you selected in Step 8. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources/atlassian.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.