Atlassian Audit Logs
Atlassian audit logs allow you to view the audit events that have occurred in your Atlassian organization. To view more info about audit logs including what types of events are tracked you can view more info on the Atlassian docs
In order to ingest your Atlassian audit logs, you must be an Atlassian Access customer.
To see if you already have access navigate to your Atlassian admin panel https://admin.atlassian.com and go to Security -> Audit Log.
From there if you have access you will see your events otherwise you will see a link to signup for access.
RunReveal will backfill your audit logs to the last 7 days of events. Once the processor has caught up, RunReveal will import new audit logs roughly every 60 seconds.
Setup
Give your Atlassian source a descriptive name to help find it later. The two fields we require from your Atlassian account are your Organization ID and an API Key.
Atlassian API Key
Create an API Key in Atlassian to give RunReveal access to your audit logs. From your Atlassian admin panel,
navigate to Settings -> API keys. From here you can create a new API key.
Give the new key a name and choose an expiration date. Atlassian allows date no further than 1 year in the future. Copy the Organization ID and the API key fields to your RunReveal source.
Make sure to generate a new API key before the expiration date and update RunReveal with the new key to continue receiving events without disruption.
Verify Its working
Once added the source logs should begin flowing within a minute.
You can validate we are receiving your logs by running the following SQL query.
SELECT * FROM runreveal.logs WHERE sourceType = 'atlassian' LIMIT 1Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: atlassian_logs (59 columns)
atlassian_logs (59 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
| Column | Type |
|---|---|
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
readOnly | Bool |
rawLog | String |
type | String |
action | String |
actor_id | String |
actor_name | String |
actor_email | String |
auth_type | String |
token_id | String |
token_label | String |
actor_self | String |
context_id | String |
context_type | String |
context_self | String |
context_alt | String |
container_id | String |
container_type | String |
container_self | String |
container_alt | String |
location_ip | String |
country_name | String |
region_name | String |
city | String |
self_link | String |
message_content | String |
message_format | String |