
What events are detected?

Beacon will soon be part of Atlassian Guard.

Beacon beta (soon to be Guard Detect) helps teams detect, investigate, and respond to suspicious user activity and potentially sensitive data across Atlassian cloud products like Jira, Confluence, and Atlassian administration.

There are two types of detections:

  • User activity - these detections analyze user actions, and notify you about potentially suspicious behavior.

  • Content scanning - these detections focus on data, and alert you when potentially sensitive data is added to Confluence pages.

User activity detections

We monitor your organization for five types of activity:

  • Authorization and access events

  • Data exfiltration events

  • Unusual user activity

  • Product configuration events

  • Integration change events

Authorization and access events

These are important to monitor as threat actors, whether internal or external, commonly target highly privileged user accounts, like organization admins, to gain access to an organization’s data. Detecting changes in access can help mitigate compromised accounts or abuse of legitimate accounts.

Detections in this category include:

  • Access and password changes such as admins logging in as another user (user impersonation), organization admin changes, and org admin password resets.

  • Policy changes such as changes to IP allowlist policies, authentication policies, and adding or removing verified domains.

  • Admin API key creation

Example: An IT administrator is planning to leave the company, but wants to secretly maintain their access to the company’s internal Confluence spaces and Jira projects. They create a separate admin account that doesn’t adhere to the company's authentication policies, which will allow them to log in even after they’ve left the company.

We detect and alert teams when a new organization admin account is added, enabling you to investigate and remediate the threat before the account can be abused.

Data exfiltration events

Your organization’s data is one of your most precious assets. It’s also susceptible to both outsider and insider threats.

During a data exfiltration event, a threat actor attempts to steal sensitive or proprietary data from your organization, sharing it beyond your organization’s protected systems, and posing a risk to your business. By detecting potential data exfiltration events, your team can investigate them, and if needed, remediate them before the actor is able to use the stolen data.

We detect and alert your team to events involving:

  • Exporting data such as Confluence page and space exports, Confluence site backups, Atlassian Access audit log exports, and identity provider configuration changes.

Example: An employee in your finance department has resigned from their position, and is working their last week at your organization. They want to save a set of Confluence pages that contain information on a strategic initiative they worked on last year for their own personal reference. They export 11 Confluence pages related to the project to PDFs within 30 minutes and send them to their personal email to save on their personal computer.

By alerting your team when a user exports an anomalous number of Confluence pages over a short period of time, your team can investigate the event and determine whether the employee breached their employment agreement.
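Detection logic of the kind described above, as an added example that is not Beacon's own code: a sliding-window count over constructed audit events that flags an actor who exports more than a threshold of Confluence pages within 30 minutes, as in the scenario of 11 PDF exports. The event field names, action names and threshold are assumptions, not Atlassian's audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 4, 9, 0)


def _ev(minute, actor, action, page):
    """Build one constructed audit event; the field names are assumptions, not Atlassian's schema."""
    return {"ts": (BASE + timedelta(minutes=minute)).isoformat(), "actor": actor, "action": action, "page": page}


# Constructed sample: one user exports 11 pages in 20 minutes, another exports a single page,
# and the first user exports one more page much later, outside the window.
SAMPLE_EVENTS = (
    [_ev(2 * i, "fin.analyst", "page.export.pdf", f"Initiative-page-{i}") for i in range(11)]
    + [_ev(5, "pm.lead", "page.export.pdf", "Roadmap"), _ev(40, "pm.lead", "page.view", "Roadmap")]
    + [_ev(90, "fin.analyst", "page.export.pdf", "Expenses")]
)


def detect_bulk_exports(events, threshold=10, window=timedelta(minutes=30)):
    """Return one alert per actor whose export events exceed `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)  # actor -> timestamps of exports still inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        if not ev["action"].startswith("page.export"):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["actor"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop exports that fell out of the window
            q.popleft()
        if len(q) > threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "count": len(q),
                           "window_start": q[0].isoformat(), "window_end": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_EVENTS):
        print(f"{alert['actor']} exported {alert['count']} pages between {alert['window_start']} and {alert['window_end']}")
```

The alert carries the window bounds so an analyst can pull the exact page titles exported in that interval during triage.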

Unusual user activity

Any user with access to your organization’s systems also has the power to abuse them. While following the principle of least privilege can restrict the average insider’s access to highly protected systems, nearly all users will still require access to sensitive data and systems in order to do their work.

But monitoring user activity at scale is extremely challenging or infeasible for most security teams. By automating user activity monitoring, you get visibility into exceptional users and can home in on suspicious behavior before it escalates.

We detect and alert your team to events involving:

  • Suspicious search activity in Confluence

  • Jira issue and Confluence page crawling

Example: A business analyst recently downloaded a new piece of productivity software that also happened to contain a strain of commodity malware. The malware authors now have the same level of access to Confluence as the business analyst user and start searching for sensitive information they can steal or use to maintain access.

Your team would receive an alert that the business analyst's user account was making several searches in Confluence that appeared abnormal, enabling you to investigate the activity and address the root cause.

Product configuration events

Insecure configurations can be introduced intentionally by malicious actors, but can also be the result of a mistake by an inexperienced administrator. Whether the actor is well-intentioned or not, insecure configurations can potentially affect all of your company’s hosted data.

By monitoring product configuration events across your organization, your team can see insecure configurations or accidental changes as they’re made, and avoid downstream impact.

We detect and alert your team to events involving:

  • Public configuration: Application tunnel creation and removal, and anonymous or public access changes to Jira, Confluence, and Bitbucket.

  • Organization admin changes

Example: One of your newly onboarded admins is attempting to create an application tunnel from your Atlassian Cloud site to a Data Center instance of Confluence, and inadvertently deletes an existing application tunnel in the process.

With the application tunnel deleted, normal users are unable to access sites and projects they need for several hours, causing many delays for the business.

Because your team is alerted when application tunnels are created or deleted, they are made aware of the change and have the context they need to triage and remediate the issue before it causes a significant disruption for the employees who depend on the tunnel for their work.

Integration change events

When you install a third-party app from the Atlassian Marketplace, it may affect one — or many — users in your cloud site. Keeping track of which apps have access to your systems, and what type of access they have, is critical to protecting your business.

We detect and alert your team to events involving:

  • Marketplace app installation and removal: currently, these detections only fire for Forge apps, and when 3LO apps are installed for an org for the first time.

Example: A senior leader on your marketing team is working on a strategic update for the entire organization and wants to add a new custom chart app to Confluence to help better illustrate the information they’re presenting. Though your team only allows Cloud-Fortified apps within your suite, this app doesn’t fall into that category. But they’re one of your earliest employees and have maintained highly privileged access throughout their tenure, enabling them to install the new app without approval.

Your team is alerted to the new Marketplace app installation as soon as it happens. They can investigate the alert, where they determine that this app does not meet internal standards, and remove it promptly.

To see a comprehensive list of the events being monitored, go to Detections > User activity.

Content scanning detections

Content scanning rules monitor for potentially sensitive data being added to Confluence pages.

The rules monitor for the following data:

  • Credentials

  • Financial data

  • Identity data

  • Data sensitive to your organization

Credentials

Credentials include data like API tokens and private keys, which are used for authentication and encryption. For example, if you wanted to connect Jira to your continuous integration tool, you might use an API token. If an API token or private key is compromised, critical security measures can be bypassed to access and exfiltrate data.

When a user publishes or updates a page, we scan the content for text that may be credentials.

Example: A team lead in a software team is onboarding several new team members this month. To make sure they can get up and running quickly, the team lead adds the API key for their CI/CD tool to a Confluence page in their team’s private space.

Your team is alerted shortly after data in the format of an API key is added to the page. They can investigate the alert, then ask the team lead to remove the data, purge the page history, and revoke the API key.

Financial data

Financial information is among the most sensitive data an organization holds. Handling this data may be controlled by law, and penalties for data incidents can be significant. It can also leave the person whose data has been compromised at risk of identity theft and liable for any financial obligations made with stolen credentials.

When a user publishes or updates a page, we scan the content for text that may be credit card numbers, International Bank Account Numbers (IBANs), and Bitcoin addresses.

Example: Your big customer conference is coming up, and it’s all hands on deck. To make life easier, the manager of your events team adds their company credit card to a Confluence page, so that staff working on the event don’t need to ask for it when making bookings and paying deposits.

Your team is alerted shortly after a number that looks like a credit card is added to the page. They can investigate the alert, then ask the manager to remove the card number and purge the page history.

Identity data

Identity data, which may include personal data, is some of the most important data an organization possesses. Its loss can result in serious damage to the individuals whose information has been compromised.

When a user publishes or updates a page, we scan the content for text that may be a US Social Security Number (SSN).

Example: Your HR system is undergoing an upgrade, and is unavailable for a few hours. A recruiter in your team decides to record a new hire’s details on a Confluence page until they’re able to enter it into the official system. They’re confident that the data will be safe, because they restricted the page to themselves, and plan to delete it as soon as the system is back online.

Your team is alerted shortly after a number that looks like a Social Security Number (SSN) is added to the page. They can investigate the alert, then ask the recruiter to delete the page and purge the trash.

To see a comprehensive list of the content we scan for, go to Detections > Content scanning.

Data sensitive to your organization

All organizations are different, and so is the data that may be considered sensitive to each organization. You can create a custom content scanning detection to send an alert when text containing terms and phrases considered sensitive in your organization is found when a user publishes or updates a page.

Example: Your company is working on acquiring another company, Black Bear Inc. The transaction has been given the codename Ursus. At the request of the Mergers and Acquisitions team, your security team creates a custom content scanning detection for variations on the codename and company name, and adds a number of exclusions for the restricted pages the team are working in.

Your team is alerted when a page is published that contains the words Ursa and Bear. They investigate the alert and see that the actor is a member of the mergers and acquisitions team. They confirm with the actor that the page is appropriately restricted then mark the alert as expected behavior.
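The content scanning rules described above (credit card numbers, IBANs, US SSNs, private keys) together with the custom-term detection and its exclusions, as an added example that is not Beacon's own scanner: each built-in rule pairs a regex with a validator (Luhn, ISO 13616 mod-97, SSA issuance ranges) so that look-alike numbers do not raise alerts, and custom terms are skipped for excluded spaces. The sample page body, the space keys and the rule names are constructed for the example.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four characters to the end, map A..Z to 10..35."""
    rotated = iban[4:] + iban[:4]
    as_number = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rotated)
    return int(as_number) % 97 == 1


def ssn_ok(ssn: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


# Built-in rules: the regex proposes candidates, the validator rejects look-alikes to cut false positives.
BUILTIN_RULES = [
    ("credit_card", re.compile(r"\b(?:\d[ -]?){13,18}\d\b"), lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), iban_ok),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), lambda s: True),
]


def scan_page(text, custom_terms=(), space_key=None, excluded_spaces=()):
    """Return (rule, matched_text) findings for the body of one published or updated page."""
    findings = [(name, m.group()) for name, rx, ok in BUILTIN_RULES
                for m in rx.finditer(text) if ok(m.group())]
    if space_key not in excluded_spaces:  # exclusions apply only to the custom detection
        for term in custom_terms:
            for m in re.finditer(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE):
                findings.append(("custom_term", m.group()))
    return findings


# Constructed sample page body; the card number, IBAN and SSN are well-known test values, not real accounts.
SAMPLE_PAGE = """Vendor booking card: 4111 1111 1111 1111 (exp 12/29)
Payout account: GB82WEST12345698765432
New hire SSN 536-22-8741, move to HRIS when it is back online
-----BEGIN RSA PRIVATE KEY-----
Project Ursus kickoff notes with Black Bear Inc.
"""

if __name__ == "__main__":
    for rule, hit in scan_page(SAMPLE_PAGE, ["Ursus", "Black Bear"], space_key="ENG", excluded_spaces={"MNA"}):
        print(f"{rule}: {hit}")
```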
