Atlassian Logs
Panther supports pulling logs directly from Atlassian.

Overview

Panther has the ability to fetch Atlassian event logs by querying the Atlassian Organizations REST API. Panther is specifically monitoring the following Atlassian events:
  • Administrative actions, related to settings or other organization pages
  • Actions that organization admins take related to the organization’s security policies
In order to set up Atlassian as a log source in Panther, you'll need to authorize Panther in Atlassian by generating an API key in your Atlassian account and then set up Atlassian as a log source in Panther.

How to onboard Atlassian logs to Panther

Step 1: Generate an API key in Atlassian

  1. From your organization at admin.atlassian.com, select Settings > API keys.
  2. Click Create API key in the top right.
  3. Enter a descriptive API key name.
     • By default, the key expires one week after creation.
     • To change the expiration date, pick a new date under Expires on.
     • Note: You can extend the expiration date to at most one year from the creation date.
  4. Click Create to save the API key.
  5. Copy the values for your Organization ID and API key.
     • You'll need these values to access your organization in Step 2.
     • Make sure you store these values in a safe place, as Atlassian will not display them again.
  6. Click Done. The new key will appear in your list of API keys.
Note: If you have trouble creating the API key, reference Atlassian's docs.

Step 2: Create a new Atlassian log source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Integrations > Log Sources.
  3. Click Create New.
  4. Select Atlassian from the list of available log sources. Click Start Source Setup.
  5. On the next screen, enter a memorable name for the source, e.g., My Atlassian Event logs.
  6. Click Continue Setup.
  7. On the Set Credentials page, fill in the form:
     • Organization: Enter your Atlassian organization ID that you generated in the previous steps of this documentation.
     • API Key: Enter your Atlassian API Key that you generated in the previous steps of this documentation.
  8. Click Continue Setup.
  9. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
     • This feature sends an error message if logs aren't received within a specified time interval.
  10. Click Finish Setup.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Atlassian.Audit

The audit log of events from an organization.
schema: Atlassian.Audit
parser:
  native:
    name: Atlassian.Audit
description: The audit log of events from an organization.
referenceURL: https://developer.atlassian.com/cloud/admin/organization/rest/api-group-orgs/#api-orgs-orgid-events-get
version: 0
fields:
  - name: type
    required: true
    description: Type name of the event object
    type: string
  - name: id
    required: true
    description: Unique identifier of the event object
    type: string
  - name: attributes
    required: true
    description: Attributes of the event object
    type: object
    fields:
      - name: time
        description: The date and time of the event
        type: string
        timeFormat: rfc3339
        isEventTime: true
      - name: action
        description: Kind of action associated with the event. The complete list can be accessed with event-actions API
        type: string
      - name: actor
        description: Actor associated with the event
        type: object
        fields:
          - name: id
            description: Unique identifier of the event actor
            type: string
          - name: name
            description: Name of the actor who performed the event
            type: string
            indicators:
              - username
          - name: email
            description: Email of the actor who performed the event
            type: string
            indicators:
              - email
          - name: links
            description: Profile of the actor who performed the event
            type: object
            fields:
              - name: self
                description: The event self link
                type: string
              - name: alt
                description: The event alt link
                type: string
      - name: context
        description: One or more entities that the action was performed against
        type: array
        element:
          type: object
          fields:
            - name: id
              description: Unique identifier of the event context
              type: string
            - name: type
              description: Event context type
              type: string
            - name: attributes
              description: Event context attributes
              type: json
            - name: links
              description: Event context self or alt link
              type: object
              fields:
                - name: self
                  description: The event self link
                  type: string
                - name: alt
                  description: The event alt link
                  type: string
                  indicators:
                    - url
      - name: container
        description: List of containers associated with the events
        type: array
        element:
          type: object
          fields:
            - name: id
              description: Unique identifier of the event container
              type: string
            - name: type
              description: Type name of the event container object
              type: string
            - name: attributes
              description: Attributes of the event container object
              type: json
            - name: links
              description: Links for the event container object
              type: object
              fields:
                - name: self
                  description: The event self link
                  type: string
                - name: alt
                  description: The event alt link
                  type: string
      - name: location
        description: Location where the action was performed
        type: object
        fields:
          - name: ip
            description: IP address of the actor location
            type: string
            indicators:
              - ip
          - name: geo
            description: Geo location of the IP address
            type: string
          - name: countryName
            description: Country location according to the IP address
            type: string
          - name: regionName
            description: Region location according to the IP address
            type: string
          - name: city
            description: City location according to the IP address
            type: string
  - name: message
    description: Message associated with the event object
    type: object
    fields:
      - name: content
        description: Message content associated with the event
        type: string
      - name: format
        description: Message format with the event
        type: string
  - name: relations
    description: Relations associated with the event object
    type: json
  - name: links
    required: true
    description: URL to fetch this resource
    type: object
    fields:
      - name: self
        description: The event self link
        type: string
      - name: alt
        description: The event alt link
        type: string
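
The following is an added example, not Panther's own code: it applies the schema's "required: true", "timeFormat: rfc3339" and "indicators" annotations to a single event, which is a quick way to sanity-check events before writing detections on these fields. The function names, the sample event and all of its values (including the action name) are constructed for illustration.

```python
from datetime import datetime, timezone

REQUIRED = ("type", "id", "attributes", "links")  # fields marked required: true

# Constructed sample event; every value here is made up for illustration.
SAMPLE_EVENT = {
    "id": "evt-0001",
    "type": "events",
    "attributes": {
        "time": "2023-01-15T09:30:00Z",
        "action": "example_action",  # placeholder, not a real action name
        "actor": {"id": "u-1", "name": "Alice Example", "email": "alice@example.com"},
        "context": [{"id": "c-1", "type": "example",
                     "links": {"alt": "https://example.com/wiki/spaces/DEMO"}}],
        "location": {"ip": "203.0.113.7", "countryName": "Exampleland"},
    },
    "links": {"self": "https://example.com/events/evt-0001"},
}

def parse_event_time(value):
    """Parse attributes.time (timeFormat: rfc3339) into an aware UTC datetime."""
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z".
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("RFC 3339 timestamps must carry a UTC offset")
    return parsed.astimezone(timezone.utc)

def check_event(event):
    """Return (event_time, indicators); raise ValueError if a required field is absent."""
    missing = [name for name in REQUIRED if name not in event]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    attrs = event["attributes"]
    event_time = parse_event_time(attrs["time"]) if "time" in attrs else None
    actor = attrs.get("actor") or {}
    location = attrs.get("location") or {}
    contexts = attrs.get("context") or []
    # One entry per indicator kind the schema declares, keyed by that kind.
    found = {
        "username": {actor.get("name")},
        "email": {actor.get("email")},
        "ip": {location.get("ip")},
        "url": {(c.get("links") or {}).get("alt") for c in contexts},
    }
    return event_time, {kind: sorted(v - {None}) for kind, v in found.items()}

if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT))
```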