Data Source

The connector ingests organization-level audit events from the Atlassian Cloud Organization Events API (REST, cursor-based polling, API Key auth with read:events:admin OAuth scope). Events span all Atlassian Cloud products under an organization: Jira, Confluence, Bitbucket, Trello, Opsgenie, Statuspage, and Loom.

Log Analytics table: AtlassianAuditEvents_CL

Atlassian retains 180 days of audit history on their platform.

Ingestion Mechanism

CCF/DCR-based, no Azure Function. Cursor-based pagination ensures no event gaps across polling cycles. Supports multiple instances (one per Atlassian organization ID), enabling MSSP or multi-tenant deployments.

The DCR transformKql extracts key fields at ingest time:

Sentinel fieldSource attribute
EventIdid
Actionattributes.action
ActorEmailattributes.actor.email
ActorIdattributes.actor.id
AuthTypeattributes.actor.auth.authType
AuthTokenLabelattributes.actor.auth.tokenLabel
OnBehalfOfEmailattributes.actor.onBehalfOf.email
SrcIpAddrattributes.location.ip
CountryNameattributes.location.countryName
Contextattributes.context (dynamic)
Containerattributes.container (dynamic)

A KQL parser alias function (AtlassianAuditEvents) is bundled for query ergonomics.

Detection Surface Unlocked

This connector surfaces org-level governance and identity activity that was previously unmonitorable in Sentinel for Atlassian Cloud deployments:

  • Account lifecycle: user access granted / revoked across all products
  • Authentication events: login successes/failures, MFA configuration changes, API token creation/deletion
  • Group management: group membership additions and removals
  • Product access: license assignments and revocations
  • Policy changes: organization policy updates, domain verification events
  • Privileged actions: administrative actions performed on behalf of another user (OnBehalfOf actor chain)

No bundled Analytic Rules or Hunting Queries are included in this initial release. Detection engineers must build content against AtlassianAuditEvents_CL.

MITRE Coverage

No bundled detections ship with this release. Based on the ingested event categories, this connector enables detection engineering coverage for:

  • T1078 (Valid Accounts) via authentication success/failure event monitoring
  • T1136 (Create Account) and T1531 (Account Access Removal) via user lifecycle events
  • T1098 (Account Manipulation) via group membership and policy change events
  • T1552 (Unsecured Credentials) via API token management events

Affected Files

Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/AtlassianOrganizationAudit_ConnectorDefinition.json
Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/AtlassianOrganizationAudit_DCR.json
Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/AtlassianOrganizationAudit_PollerConfig.json
Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/table_AtlassianAuditEvents.json
Solutions/AtlassianOrganizationAudit/Package/testParameters.json
Solutions/AtlassianOrganizationAudit/Parsers/parser_AtlassianAuditEventsAliasFunction.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AtlassianOrganizationAudit.json, createUiDefinition.json, mainTemplate.json)