Atlassian Logs

Overview

Panther has the ability to fetch Atlassian event logs by querying the Atlassian Organizations REST API. Panther is specifically monitoring the following Atlassian events:

• Administrative actions, related to settings or other organization pages

• Actions that organization admins take related to the organization’s security policies

How to onboard Atlassian logs to Panther

In order to set up Atlassian as a log source in Panther, you'll need to authorize Panther in Atlassian by generating a scope-less API key in your Atlassian account and then setting up Atlassian as a log source in Panther.

Prerequisites

• Your organization has an Atlassian Guard Standard, Cloud Enterprise, or Atlassian Guard Premium plan.

  • The Atlassian What activities does the audit log include? documentation states, "Atlassian Guard Premium offers full access to logs for all apps. Cloud Enterprise and Atlassian Cloud Premium plans grant log access specifically for the apps for which you have those plans."

  • Learn more about Atlassian Guard here.

• Your Atlassian user has the organization admin role.

Step 1: Generate an API key in Atlassian

1. From your organization at admin.atlassian.com, select Settings > API keys.

2. Click Create API key.

3. Enter a descriptive API key name.

   • By default, the key expires one week after creation. To change the expiration date, pick a new date under Expires on. The maximum you can extend your expiration date is up to one year from creation date.

4. Click Create to save the API key.

5. Copy the values for your Organization ID and API key.

   • You'll need these values to access your organization in Step 2.

   • Make sure you store these values in a safe place, as Atlassian will not display them again.

6. Click Done. The new key will appear in your list of API keys.

Step 2: Create a new Atlassian log source in Panther

1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

2. Click Create New.

3. Select Atlassian from the list of available log sources. Click Start Source Setup.

4. On the next screen, enter a descriptive name for the source e.g., My Atlassian Event logs.

5. Click Setup.

6. On the Set Credentials page, fill in the form:

   • Organization: Enter your Atlassian organization ID that you generated in the previous steps of this documentation.

   • API Key: Enter your Atlassian API Key that you generated in the previous steps of this documentation.

7. Click Setup. You will be directed to a success screen:\

   

   • You can optionally enable one or more Detection Packs.

   • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\

     

Supported log types

Atlassian.Audit

The audit log of events from an organization.

Reference: Atlassian Documentation on Audit Logs & Events.