
Atlassian

This guide walks through how to set up Atlassian audit logs as a source in Scanner Collect, using direct API integration with the Atlassian admin org events API.

We'll assume that you want Scanner to both store the logs in S3 and index them for search and detection.

Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

  • From the Overview page, click the '+' icon in the upper right corner.

  • Select create new Collect Rule.

  • Choose Atlassian, then click Continue.

  • On the Select a Log Type screen, choose Atlassian: Audit.

Click Continue.

Step 2: Configure the Collect Rule Source

  • Set a Display Name, such as my-org-atlassian-audit.

Click Next.

Step 3: Authenticate with Atlassian

  • If you've previously created an Atlassian connection, select it from the list and skip to Step 4.

  • Otherwise, select New Atlassian Connection and fill in:

    • Connection Name: A recognizable name for this connection.

    • Organization ID: The UUID of your Atlassian organization (see below).

    • API Key: The API key value (see below).

If you already have an Organization ID and API key, paste them into the Scanner connection form. Otherwise, create them in Atlassian:

  1. Sign in at admin.atlassian.com as an organization admin.

  2. Open the organization, then go to Organization settings > API keys.

  3. Click Create API key, give it a name (e.g. scanner-audit-logs), and grant it access to read audit log events.

  4. On the Copy API key screen, copy both the Organization ID and the API key. The API key cannot be recovered after you leave this screen, so save it somewhere safe (e.g. a password manager) before continuing.

  5. Paste both values into the Scanner connection form.

Click Next.

Step 4: Configure the Collect Rule Destination

  • Choose the S3 Bucket where the raw Atlassian audit logs should be stored.

  • Enter a Bucket Prefix (recommended, e.g. atlassian/audit/) to organize the data path in your bucket and avoid collisions with other sources.

Click Next.

Step 5: Review and Create the Collect Rule

Review your Collect Rule settings on the Final Review screen.

Click Create Collect Rule.

Step 6: Index Logs to Scanner

  • Click "Index Logs to Scanner" to set up an index rule for the logs collected in your S3 Bucket.

  • Set a name for the index rule, such as index-rule-for-my-org-atlassian-audit-source.

Click Next.

Step 7: Configure the Index Rule Origin

  • Select the S3 Bucket you configured in Step 4.

  • Provide the same Bucket Prefix you used in Step 4.

  • Use the default Log Format of Json / Zstd.

Click Next.

Step 8: Configure the Index Rule Destination

  • Choose the Scanner Index where logs will be made searchable, creating a new index if desired.

Click Next.

Step 9: Transform and Enrich

  • (Optional) Add transformation or enrichment steps if needed.

Click Next.

Step 10: Timestamp Extraction

Leave the default setting: extract timestamp from field attributes.time. This field is included in every Atlassian audit log event and reflects when the event occurred.

Click Next.

Step 11: Review and Create the Index Rule

Review your configuration settings before creating the index rule.

Click Create Index Rule.

What Happens Next

Once created:

  • Scanner will poll the Atlassian admin org events API every 5 minutes.

  • New events will be written to your S3 bucket, under the specified key prefix.

  • Logs will then be indexed for search and detections using the Scanner index you selected in Step 8.
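
To sanity-check the timestamp field chosen in Step 10 against events pulled from your bucket, the following added example (not code from Scanner or Atlassian) parses attributes.time and reports events where it is missing or unparseable. It assumes the decompressed objects hold one JSON event per line; the function names and sample events are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (not real audit data), one JSON object per line.
SAMPLE_LINES = [
    '{"id": "evt-1", "attributes": {"time": "2024-05-01T12:00:00.123Z", "action": "example_a"}}',
    '{"id": "evt-2", "attributes": {"time": "2024-05-01T14:30:00+02:00", "action": "example_b"}}',
    '{"id": "evt-3", "attributes": {"action": "example_c"}}',
    '{"id": "evt-4", "attributes": {"time": "yesterday"}}',
    'not json',
]

def extract_event_time(event):
    """Return attributes.time as a timezone-aware UTC datetime (hypothetical helper)."""
    attrs = event.get("attributes")
    if not isinstance(attrs, dict) or "time" not in attrs:
        raise ValueError("attributes.time is missing")
    raw = attrs["time"]
    if not isinstance(raw, str):
        raise ValueError("attributes.time is not a string")
    # Older Python versions reject a trailing "Z"; normalise it to an offset.
    parsed = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("attributes.time has no timezone")
    return parsed.astimezone(timezone.utc)

def check_events(lines):
    """Return (times, problems): parsed UTC times and (line_no, reason) pairs."""
    times, problems = [], []
    for line_no, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("event is not a JSON object")
            times.append(extract_event_time(event))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            problems.append((line_no, str(exc)))
    return times, problems

if __name__ == "__main__":
    times, problems = check_events(SAMPLE_LINES)
    print("parsed:", [t.isoformat() for t in times])
    print("problems:", problems)
```

Any line reported in problems would not yield a usable event time from attributes.time, so investigate those before relying on time-based searches or detections.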
