Data Source
The connector ingests organization-level audit events from the Atlassian Cloud Organization Events API (REST, cursor-based polling, API Key auth with read:events:admin OAuth scope). Events span all Atlassian Cloud products under an organization: Jira, Confluence, Bitbucket, Trello, Opsgenie, Statuspage, and Loom.
Log Analytics table: AtlassianAuditEvents_CL
Atlassian retains 180 days of audit history on their platform.
Ingestion Mechanism
CCF/DCR-based, no Azure Function. Cursor-based pagination ensures no event gaps across polling cycles. Supports multiple instances (one per Atlassian organization ID), enabling MSSP or multi-tenant deployments.
The DCR transformKql extracts key fields at ingest time:
| Sentinel field | Source attribute |
|---|---|
| EventId | id |
| Action | attributes.action |
| ActorEmail | attributes.actor.email |
| ActorId | attributes.actor.id |
| AuthType | attributes.actor.auth.authType |
| AuthTokenLabel | attributes.actor.auth.tokenLabel |
| OnBehalfOfEmail | attributes.actor.onBehalfOf.email |
| SrcIpAddr | attributes.location.ip |
| CountryName | attributes.location.countryName |
| Context | attributes.context (dynamic) |
| Container | attributes.container (dynamic) |
A KQL parser alias function (AtlassianAuditEvents) is bundled for query ergonomics.
Detection Surface Unlocked
This connector surfaces org-level governance and identity activity that was previously unmonitorable in Sentinel for Atlassian Cloud deployments:
- Account lifecycle: user access granted / revoked across all products
- Authentication events: login successes/failures, MFA configuration changes, API token creation/deletion
- Group management: group membership additions and removals
- Product access: license assignments and revocations
- Policy changes: organization policy updates, domain verification events
- Privileged actions: administrative actions performed on behalf of another user (OnBehalfOf actor chain)
No bundled Analytic Rules or Hunting Queries are included in this initial release. Detection engineers must build content against AtlassianAuditEvents_CL.
MITRE Coverage
No bundled detections ship with this release. Based on the ingested event categories, this connector enables detection engineering coverage for:
- T1078 (Valid Accounts) via authentication success/failure event monitoring
- T1136 (Create Account) and T1531 (Account Access Removal) via user lifecycle events
- T1098 (Account Manipulation) via group membership and policy change events
- T1552 (Unsecured Credentials) via API token management events
Affected Files
Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/AtlassianOrganizationAudit_ConnectorDefinition.json
Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/AtlassianOrganizationAudit_DCR.json
Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/AtlassianOrganizationAudit_PollerConfig.json
Solutions/AtlassianOrganizationAudit/Data Connectors/AtlassianOrganizationAuditConnector_CCF/table_AtlassianAuditEvents.json
Solutions/AtlassianOrganizationAudit/Package/testParameters.json
Solutions/AtlassianOrganizationAudit/Parsers/parser_AtlassianAuditEventsAliasFunction.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AtlassianOrganizationAudit.json, createUiDefinition.json, mainTemplate.json)