
What sensitive data is detected?

We’re gradually rolling out content scanning for Jira. Your organization may not have these changes yet.

Content scanning detections monitor for potentially sensitive data being added to Confluence pages and Jira issues. We monitor for the following data:

  • Credentials

  • Financial data

  • Identity data

You can also create custom content scanning detections to monitor for data sensitive to your organization.

Who can do this?
Role: Organization admin, Guard Detect admin
Plan: Atlassian Guard Premium

How it works

When a Jira issue is created or updated, or a Confluence page is published or updated, we scan the content of the update and generate an alert if we find text that matches our detection criteria.

The alert contains information about the page, the person who published the Confluence page or updated the Jira issue, and suggested investigation and remediation steps.

Sensitive data detected alert showing a page containing credit card numbers

What text is scanned?

We scan:

  • Confluence page or blog post body and title.

  • Jira issue summary, description, and any other field that contains free text.

We don’t scan:

  • Confluence whiteboards, databases, and live pages.

  • Comments on pages, blog posts, and issues.

  • Files attached to pages, blog posts, or issues.

  • Pre-populated Jira fields (such as drop-down menus where the values come from the field configuration).

  • Other free-text areas such as labels, space descriptions, templates, sprint names, project descriptions, and field configurations.

  • Text entered via some third-party apps and macros.

Content is scanned on create and update

We scan the content at the point a new page, blog post, or issue is created or an existing page is updated.

This means:

  • If an existing Confluence page already contained sensitive data at the point it is updated, we’ll generate an alert, because the entire page body is scanned when the page is updated.

  • If an existing Jira issue already contained sensitive data at the point it is updated, we’ll only generate an alert if the field that contains the sensitive data is updated. We don’t scan fields that haven’t changed.

There’s currently no way to scan all your existing content (without it being updated).
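The scan-on-update rules above can be modelled to see which existing content produces an alert and which stays unscanned. This is an added example, not Atlassian code: the `ChangeEvent` shape, the location names, and the SSN-shaped regex standing in for the product's detection criteria are all assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass, field

# Stand-in detector (assumption): the product's real criteria are not on this page.
SSN_SHAPED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Locations the page lists as not scanned (subset, for the example).
NEVER_SCANNED = {"comment", "attachment", "label"}

@dataclass
class ChangeEvent:  # hypothetical event shape, for illustration only
    product: str    # "confluence" or "jira"
    content: dict   # location name -> current text
    changed: set = field(default_factory=set)  # locations touched by this update

def scanned_locations(event):
    """Locations whose text is scanned for this create/update event."""
    eligible = {k for k in event.content if k not in NEVER_SCANNED}
    touched = eligible & event.changed
    if event.product == "confluence":
        # Any page update rescans the whole title and body.
        return eligible if touched else set()
    # Jira: only the fields changed in this update are scanned.
    return touched

def alerting_locations(event):
    return sorted(k for k in scanned_locations(event)
                  if SSN_SHAPED.search(event.content[k]))

LEGACY = "New hire SSN 000-12-3456"  # constructed sample, not a real SSN

def demo():
    return {
        # Old data in the body, only the title edited: still alerts.
        "confluence_title_edit": alerting_locations(ChangeEvent(
            "confluence", {"title": "Onboarding v2", "body": LEGACY}, {"title"})),
        # Old data in the description, only the summary edited: no alert.
        "jira_summary_edit": alerting_locations(ChangeEvent(
            "jira", {"summary": "Onboarding", "description": LEGACY}, {"summary"})),
        # The field holding the data is itself edited: alerts.
        "jira_description_edit": alerting_locations(ChangeEvent(
            "jira", {"summary": "Onboarding", "description": LEGACY}, {"description"})),
        # Data added in a comment: comments are not scanned.
        "jira_comment_added": alerting_locations(ChangeEvent(
            "jira", {"summary": "Onboarding", "comment": LEGACY}, {"comment"})),
    }

if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case}: {hits or 'no alert'}")
```

The two "no alert" cases are the coverage gaps to account for with other controls: unchanged Jira fields and content in unscanned locations such as comments.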

Permission to view content

The content scanning alert includes the name of the page, blog post, or issue that contains potentially sensitive data.

If you have permission to see the page, blog post, or issue, you’ll see a preview of the content. If you don’t have permission, you’ll only see the title.

Admins with Confluence product access may be able to use their admin key to view the content, if that’s appropriate in your organization.

Attributing the detected data to the actor

The actor is the person who published the Confluence page, or updated the Jira issue. This means that there are some situations where the actor may not be the person who added the sensitive data, such as when two or more people contribute to a Confluence draft.

How it helps your organization

What is considered sensitive differs between organizations. We provide a number of common detections, such as credit card numbers, passwords, and US Social Security Numbers.

To see a comprehensive list of the content we scan for, go to Detections > Content scanning.

Credentials

Credentials include data like API tokens and private keys, which are used for authentication and encryption. For example, if you wanted to connect Jira to your continuous integration tool, you might use an API token. If an API token or private key is compromised, critical security measures can be bypassed to access and exfiltrate data.

Example: A team lead in a software team is onboarding several new team members this month. To make sure they can get up and running quickly, the team lead adds the API key for their CI/CD tool to a Confluence page in their team’s private space.

Your team is alerted shortly after data in the format of an API key is added to the page. They can investigate the alert, then ask the team lead to remove the data, purge the page history, and revoke the API key.

Financial data

Financial information is among the most sensitive data an organization holds. Handling this data may be controlled by law, and penalties for data incidents can be significant. It can also leave the person whose data has been compromised at risk of identity theft and liable for any financial obligations made with stolen credentials.

Example: Your big customer conference is coming up, and it’s all hands on deck. To make life easier, the manager of your events team adds their company credit card to a Confluence page, so that staff working on the event don’t need to ask for it when making bookings and paying deposits.

Your team is alerted shortly after a number that looks like a credit card is added to the page. They can investigate the alert, then ask the manager to remove the card number and purge the page history.

Identity data

Identity data, which may include personal data, is some of the most important data an organization possesses. Its loss can result in serious damage to the individuals whose information has been compromised.

Example: Your HR system is undergoing an upgrade, and is unavailable for a few hours. A recruiter in your team decides to record a new hire’s details on a Confluence page until they’re able to enter it into the official system. They’re confident that the data will be safe, because they restricted the page to themself, and plan to delete it as soon as the system is back online.

Your team is alerted shortly after a number that looks like a Social Security Number (SSN) is added to the page. They can investigate the alert, then ask the recruiter to delete the page and purge the trash.

Data sensitive to your organization

All organizations are different, and so is the data that each organization considers sensitive. You can create a custom content scanning detection to send an alert when text containing terms and phrases considered sensitive in your organization is found when a user publishes or updates a page.

Example: Your company is working on acquiring another company, Black Bear Inc. The transaction has been given the codename Ursus. At the request of the Mergers and Acquisitions team, your security team creates a custom content scanning detection for variations on the codename and company name, and adds a number of exclusions for the restricted pages the team is working in.

Your team is alerted when a page is published that contains the words Ursa and Bear. They investigate the alert and see that the actor is a member of the mergers and acquisitions team. They confirm with the actor that the page is appropriately restricted then mark the alert as expected behavior.

Known issues and limitations

Actor details may not be available

In Confluence, the actor is the person who published the page or blog post, so it’s good to check the page history to see who else may have contributed to that version.

In Jira products, we’re not always able to show the actor’s name in the alert. We recommend you check the issue history to see who updated the fields that contained the sensitive data, as it may not be the most recent updater.

Some Jira issues cannot be scanned

A very small proportion of Jira issues can’t be scanned. This includes when:

  • a rich text field contains more than 64 KB of data or contains data in an incompatible format.

  • the storage size of the issue is more than 1 MB.

  • the issue has too many labels, comments, or worklogs.
