Monitor security threats

Administer Bitbucket Data Center

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Proactively detect potentially suspicious activity, such as changes to critical system configurations, and the granting of system administrator access in your Data Center products. Stay informed of these events using email notifications and a central in-product tracking hub from where you can view, search, and categorize security alerts. These alerts contain charts with more details on the actions performed by the same users.

By default, the Security monitoring and alerts feature is available to system administrators on the following Data Center versions:

  • Jira 10.0 and later
  • Confluence 9.1 and later
  • Bitbucket 9.1 and later

System admins can grant other people access to this data, such as members of the security team, so they can further investigate the potentially suspicious activity and take the necessary action.

Sample email security alert

Before you begin

To receive security alerts, you’ll need:

  • A valid SMTP mail server
  • System administrator permissions or membership in a custom group named security-monitoring-alerts.

To view the security alerts in the product tracking hub, you’ll need:

  • System administrator permissions or membership in a custom group named security-monitoring-alerts

Grant access to others

By default, only system admins receive security alerts. You can notify others by adding them to the security-monitoring-alerts custom group introduced for this feature. Note that if you set up this group and have at least one active user, only group members will receive the email alerts. System admins won't receive the email alerts but can access the Security alerts page within the product.

You can configure the name of this default group using the following system property:

plugin.lighthouse.security.group.name=<group-name>

For clustered instances, configure the system property on all nodes.

View the security alerts

To view the alerts, navigate to the Administration settings page, and then select Security alerts under Security.

Security alerts

You can also access this page directly at <instance_base_url>/plugins/servlet/lighthouse.

Chart details

List of security alerts

The following events trigger alerts.

All products

  • Allowlist changes
  • Announcement banner changes
  • Auditing configuration changes
  • Authentication configuration change
  • New app installation
  • Security configuration changes (not all changes are tracked)
  • Security group (security-monitoring-alerts) changes
  • Sysadmin and admin group changes
  • Sysadmin and admin user detail changes
  • Sysadmin and admin user permission changes
  • User directory changes

Confluence and Jira

  • Site or instance backup and restore

Bitbucket

  • Profiling and logging setting changes

Known limitations

There are a couple of limitations to be aware of for this functionality.

ProductAreaLimitation
All productsAdmin permissionsAdmin and sysadmin permission changes have a 5-second refresh delay. Alerts may not trigger if permissions are granted and removed (both actions complete) within this period.
All productsAdmin password reset over LDAPWhen passwords are changed over, alerts are not triggered.
All productsAlert ID gapsAlert IDs may skip numbers on an Oracle database. To monitor, search logs for the text [Atlassian Lighthouse] Error while alerting and notifying, which is logged when an alert fails to create.
All productsAtlassian Audit Plugin or the Audit log functionalityThe Security monitoring and alerts app depends on alerts from the Atlassian Auditing app. It monitors all audit events, ignoring any coverage rules and exclusions. If an audit event isn't generated, no alert will be detected.
BitbucketGlobal admin permissionsDeleted global admin/sysadmin permissions remain for up to 7 days. Alerts may not trigger if the user is re-added and deleted within this grace period.
JiraSite restoreDuring site restores, disabling outgoing email will prevent notifications from being sent.

Troubleshooting

Disabling all alerts

You can disable all alerts by disabling the app from the Manage apps section of Administration. The app name is Atlassian Security Monitoring and Alerts. In future versions, this app will be required and cannot be disabled.

Disabling specific alerts

You can disable specific alerts using the following system property: plugin.lighthouse.disabled.alert.types

Its value is a comma-delimited list of alert IDs, listed below. 

For example:

plugin.lighthouse.disabled.alert.types=advanced-auditing-config-modified, admin-group-deleted

List of AlertIDs

Auditing Configuration Modified: advanced-auditing-config-modified

Admin Group Deleted: admin-group-deleted

Admin Group Permission Added: admin-group-permission-added

Admin Group Permission Deleted: admin-group-permission-deleted

Admin User Deleted: admin-user-deleted

Admin User Added to Group: admin-user-added-to-group

Admin User Deleted from Group: admin-user-deleted-from-group

Admin User Permission Added: admin-user-permission-added

Admin User Permission Deleted: admin-user-permission-deleted

Admin User Permission Modified: admin-user-permission-modified

Admin User Anonymized: admin-user-anonymized

Admin User Details Changed: admin-user-details-modified

Admin Username Changed: admin-username-modified

Admin User Password Changed: admin-user-password-modified

User Added to Security Group: user-added-to-security-group

User Deleted from Security Group: user-removed-from-security-group

Announcement Banner Added: announcement-banner-added

Announcement Banner Deleted: announcement-banner-deleted

Announcement Banner Updated: announcement-banner-updated

Authentication Method Added: authentication-method-added

Authentication Method Deleted: authentication-method-deleted

Authentication Method Modified: authentication-method-modified

Basic Authentication Configuration Disabled: basic-authentication-configuration-disabled

Basic Authentication Configuration Enabled: basic-authentication-configuration-enabled

Allowlist Disabled: allowlist-disabled

Allowlist Enabled: allowlist-enabled

Allowlist Entry Added: allowlist-entry-added

Allowlist Entry Deleted: allowlist-entry-deleted

Allowlist Entry Modified: allowlist-entry-modified

App Installed: app-installed

Configuration Changed: configuration-changed

Export Started: export-started

Import Started: import-started

Logging Enabled: logging-enabled

Logging Disabled: logging-disabled

Profiling Enabled: profiling-enabled

Profiling Disabled: profiling-disabled

Site Export Completed: site-export-completed

Site Import Completed: site-import-completed

User Directory Added: user-directory-added

User Directory Deleted: user-directory-deleted

User Directory Updated: user-directory-updated


Last modified on Sep 6, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.