We send an alert when certain activities happen in your organization, such as when a policy is changed or a large number of pages are exported. While these activities may be suspicious, often they are just someone doing their job.
To reduce noise and allow your team to focus on the most important alerts, you can choose to exclude some user accounts from user activity detections. For example, you might exclude the admins who manage requests for new Marketplace apps from the Marketplace app install and removal detection so that an alert isn’t generated every time they install an app as part of their day-to-day work.
You can’t exclude groups, teams, or roles.
If you’ve investigated an alert and determined that it’s a false positive, you can choose to exclude the actor so that the detection won’t generate alerts for that person in future.
To exclude a user from an alert:
1. In Guard Detect, select the alert.
2. In the recommended remediation steps, select Exclude user.
3. Confirm the user details, and select Exclude user.
The user will be added to the list of excluded users for that detection. You can remove someone from the list of excluded users at any time.
If the activity was performed by an admin API key, selecting Exclude user excludes the admin API key from that alert. This is the only way to exclude admin API keys.
If you know in advance that a user should not generate user activity alerts, you can choose to exclude them from the detection itself. This is particularly useful for teams that are responsible for performing organization and product administration tasks on a regular basis.
To exclude a user from the detection:
1. In Guard Detect, select Detections > User activity from the header.
2. Select the detection you want to add an exclusion for.
3. Select View exclusions.
4. Select Exclude user.
5. Search for the user, then select Exclude user.
The user will be added to the list of excluded users for that detection. You can remove someone from the list of excluded users at any time.
At any time you can remove people from the list of excluded users.
To remove an exclusion:
1. In Guard Detect, select Detections > User activity from the header.
2. Select the detection you want to view exclusions for.
3. Select View exclusions.
4. Select Remove next to the user you want to remove.
The user will be removed from the list of excluded users. This means alerts will be generated when this user performs an action.