Request audit log data for a workspace
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
The purpose of this KB article is to detail the process of requesting audit log data for a workspace, the prerequisites required for this request, and the limitations of what can be provided by support engineers.
Solution
Requirements
To request audit log data outside of what is already provided by the audit log present in Bitbucket Cloud, there needs to have been a security incident that has necessitated an audit of the activities conducted against a workspace
The existing audit log functionality within Bitbucket Cloud can be accessed by navigating to Workspace Settings > Audit Log - it captures the following events:
Event | Description |
|---|---|
account_property_changed | This records any change to the workspace settings overall, for example - The WorkspaceID is changed -2FA is enabled/disabled -Access controls are enabled/disabled |
addon_installed | This records any time an add-on is installed for the workspace |
addon_uninstalled | This records any time an add-on is uninstalled for the workspace |
addon_updated | This records any time an add-on is updated |
group_changed | This records any time a group is added/modified/deleted |
group_member_changed | This records any time a group member is added/deleted from a group or has their access changed |
invitation_accepted | This records any time a new member has accepted an invitation to join the workspace |
oauth_token_changed | This records any time an OAuth token is changed |
oauth_token_deleted | This records any time an OAuth token is deleted |
plan_changed | This records any time the workspace plan is changed (eg upgraded/downgraded) |
repository_changed | This records any time a repository is deleted/modified/added |
user_removed_from_plan | This records any time a user is deleted from the workspace |
The above audit logs present in the Bitbucket Cloud UI are general in nature and do not provide specific details about user activities, please refer to the procedure below if more data is required. Bitbucket Cloud event logs can now be tracked in Atlassian Access. With the Atlassian Access audit logs feature, organization admins will be able to trace critical Bitbucket user activity, including who, when, and what actions were performed.
Procedure
Once the prerequisites above have been met (ie there has been a security incident and the base audit log information is not sufficient), you will need to raise a support ticket providing the following details:
A brief description of the security incident, including the nature of the incident and the approximate timeframe that you would like the logs to cover
The affected workspace/repositories/users that you would like to request logs for
The type of logs that you would like to request (ie HTTPS clone/push/pull, SSH clone/push/pull, UI/API activity etc)
Our maximum log retention period is 30 days. Atlassian follows industry standard practices for log collection, storage, and access. Our company standards are driven by GDPR and ISO which both provide guidance that data collectors and processors should not keep data longer than necessary.
To familiarize yourself and understand more about our Security practices please refer to our publicly available security practices: https://www.atlassian.com/trust/security/security-practices
If you require logs outside of our retention policy, those can only be provided in case of legal action or receipt of a legal subpoena and can be submitted to our Legal team by following these guidelines: https://www.atlassian.com/trust/privacy/guidelines-for-law-enforcement
Was this helpful?