Monitor security threats
Proactively detect potentially suspicious activity in your Data Center products, such as changes to critical system configurations and the granting of system administrator access. Stay informed of these events through email notifications and a central in-product tracking hub where you can view, search, and categorize security alerts. These alerts contain charts with more details on the actions performed by the same users.
By default, the Security monitoring and alerts feature is available to system administrators on the following Data Center versions:
- Jira 10.0 and later
- Confluence 9.1 and later
- Bitbucket 9.1 and later
System admins can grant other people access to this data, such as members of the security team, so they can further investigate the potentially suspicious activity and take the necessary action.
Before you begin
To receive security alerts, you’ll need:
- A valid SMTP mail server.
- System administrator permissions or membership in a custom group named security-monitoring-alerts.
To view the security alerts in the product tracking hub, you’ll need:
- System administrator permissions or membership in a custom group named security-monitoring-alerts.
Grant access to others
By default, only system admins receive security alerts. You can notify others by adding them to the security-monitoring-alerts custom group introduced for this feature. Note that if you set up this group and have at least one active user, only group members will receive the email alerts. System admins won't receive the email alerts but can access the Security alerts page within the product.
If you prefer to use a different group to receive alerts, you can configure the name of your group using the following system property:
plugin.lighthouse.security.group.name=<your-group-name>
For clustered instances, configure the system property on all nodes.
View the security alerts
To view the alerts, navigate to the Administration settings page, and then select Security alerts under Users & Security.
You can also access this page directly at <instance_base_url>/plugins/servlet/lighthouse.
This page gives you an overview of each event. You can filter by alert, date, actor and status. You can also update the status from this page.
To discover more information about an alert, click on its link in the Alert column. A new page will appear, containing additional details, insights and links.
List of security alerts
The following events trigger alerts.
- Allowlist changes
- Announcement banner changes
- Auditing configuration changes
- Authentication configuration change
- New app installation
- Security configuration changes (not all changes are tracked)
- Security group (security-monitoring-alerts) changes
- Sysadmin and admin group changes
- Sysadmin and admin user detail changes
- Sysadmin and admin user permission changes
- User directory changes
- Site or instance backup and restore
Known limitations
There are a few limitations to be aware of for this functionality.
Area | Limitation |
---|---|
Admin permissions | Admin and sysadmin permission changes have a 5-second refresh delay. Alerts may not trigger if permissions are granted and removed (both actions complete) within this period. |
Admin password reset over LDAP | When passwords are changed over LDAP, alerts are not triggered. |
Alert ID gaps | Alert IDs may skip numbers on an Oracle database. To monitor, search the logs for the string [Atlassian Lighthouse] Error while alerting and notifying, which is logged when an alert fails to create. |
Audit log | The Security monitoring and alerts feature depends on alerts from the Audit log. It monitors all audit events, ignoring any coverage rules and exclusions. If an audit event isn't generated, no alert will be detected. |
Troubleshooting
Disabling all alerts
You can disable all alerts by disabling the app from the Manage apps section of Administration. The app name is Atlassian Security Monitoring and Alerts. In future versions, this app will be required and you won't be able to disable it.
Disabling specific alerts
You can disable specific alerts using the following system property: plugin.lighthouse.disabled.alert.types
Its value is a comma-delimited list of alert IDs, listed below.
For example:
plugin.lighthouse.disabled.alert.types=advanced-auditing-config-modified, admin-group-deleted
List of alert IDs
advanced-auditing-config-modified
admin-group-deleted
admin-group-permission-added
admin-group-permission-deleted
admin-user-deleted
admin-user-added-to-group
admin-user-deleted-from-group
admin-user-logged-in-without-2sv
admin-user-permission-added
admin-user-permission-deleted
admin-user-permission-modified
admin-user-anonymized
admin-user-details-modified
admin-username-modified
admin-user-password-modified
user-added-to-security-group
user-removed-from-security-group
announcement-banner-added
announcement-banner-deleted
announcement-banner-updated
authentication-method-added
authentication-method-deleted
authentication-method-modified
basic-authentication-configuration-disabled
basic-authentication-configuration-enabled
allowlist-disabled
allowlist-enabled
allowlist-entry-added
allowlist-entry-deleted
allowlist-entry-modified
app-installed
configuration-changed
export-started
import-started
logging-enabled
logging-disabled
profiling-enabled
profiling-disabled
site-export-completed
site-import-completed
user-directory-added
user-directory-deleted
user-directory-updated
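
A configuration review check for the property described above, as an added example that is not part of the product or of this documentation's own code: it parses a plugin.lighthouse.disabled.alert.types line, flags entries that are not in the list of alert IDs above, and marks disabled alerts that should have explicit sign-off. The function names, the handling of an optional -D prefix and the REVIEW_PREFIXES policy are assumptions of this example.

```python
PROPERTY = "plugin.lighthouse.disabled.alert.types"

# Alert IDs copied from the list on this page.
KNOWN_ALERT_IDS = frozenset("""
advanced-auditing-config-modified admin-group-deleted admin-group-permission-added
admin-group-permission-deleted admin-user-deleted admin-user-added-to-group
admin-user-deleted-from-group admin-user-logged-in-without-2sv
admin-user-permission-added admin-user-permission-deleted admin-user-permission-modified
admin-user-anonymized admin-user-details-modified admin-username-modified
admin-user-password-modified user-added-to-security-group user-removed-from-security-group
announcement-banner-added announcement-banner-deleted announcement-banner-updated
authentication-method-added authentication-method-deleted authentication-method-modified
basic-authentication-configuration-disabled basic-authentication-configuration-enabled
allowlist-disabled allowlist-enabled allowlist-entry-added allowlist-entry-deleted
allowlist-entry-modified app-installed configuration-changed export-started import-started
logging-enabled logging-disabled profiling-enabled profiling-disabled
site-export-completed site-import-completed
user-directory-added user-directory-deleted user-directory-updated
""".split())

# Assumption of this example: alerts about privileged accounts, authentication,
# user directories, the security group and auditing need sign-off before disabling.
REVIEW_PREFIXES = ("admin-", "authentication-", "basic-authentication-",
                   "user-", "advanced-auditing-")

def parse_property_line(line):
    """Return the value of a 'name=value' line (optional leading -D) for PROPERTY."""
    key, sep, value = line.strip().partition("=")
    key = key.strip()
    if key.startswith("-D"):  # Java system properties are often passed as -Dname=value
        key = key[2:]
    if not sep or key != PROPERTY:
        raise ValueError("not a %s setting: %r" % (PROPERTY, line))
    return value

def audit_disabled_alerts(value):
    """Split the comma-delimited value; return (disabled, unknown, needs_review)."""
    entries = {e.strip() for e in value.split(",") if e.strip()}
    disabled = sorted(entries & KNOWN_ALERT_IDS)
    unknown = sorted(entries - KNOWN_ALERT_IDS)  # typos or IDs not on this page
    needs_review = [d for d in disabled if d.startswith(REVIEW_PREFIXES)]
    return disabled, unknown, needs_review

if __name__ == "__main__":
    # The example value shown on this page.
    sample = PROPERTY + "=advanced-auditing-config-modified, admin-group-deleted"
    disabled, unknown, review = audit_disabled_alerts(parse_property_line(sample))
    print("disabled:", disabled)
    print("unknown IDs:", unknown)
    print("needs sign-off:", review)
    print("alerts still active:", len(KNOWN_ALERT_IDS) - len(disabled))
```

For clustered instances, run the check against the setting on every node and compare the results, since the property is configured per node.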