Connect Atlassian to Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities. For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
This article provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Atlassian products using the App Connector APIs. This connection gives you visibility into and control over your organization's Atlassian use.
The connector will cover all users in your organization that use the Atlassian platform, and will show activities from Confluence, Jira, and specific Bitbucket activities. For more information about Atlassian activities, see Atlassian audit log activities.
- The Atlassian Access plan is required.
- You must be signed as an Organization admin to Atlassian.
How to connect Atlassian to Defender for Cloud Apps
Sign in to the Atlassian Admin portal with an admin account.
Go to Settings -> API keys and then Create API key. (Atlassian documentation for creating API keys can also be found here).
Give the following values to the API key:
Name: You can give any name. The recommended name is Microsoft Defender for Cloud Apps so you can be aware for this integration.
Expires on: Set the expiration date as one year from the date of creation (this is the Atlassian maximum time for the expiration date).
According to Atlassian API requirements, you'll need to create every year an API key for this integration.
After selecting Create, copy the Organization ID and the API key. You'll need it later.
Verify your domain: To see your Atlassian users and their activities in Defender for Cloud Apps, you need to verify your domain. In Atlassian, domains are used to determine which user accounts can be managed by your organization. You won't see users and their activities if their domains aren't verified in the Atlassian configuration. To verify domains in Atlassian see Verify a domain to manage accounts.
Configure Defender for Cloud Apps
In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors.
In the App connectors page, select +Connect an app, followed by Atlassian.
In the next window, give the instance a descriptive name, and select Next.
In the next page, enter the Organization ID and API key you saved before.
- The first connection can take up to four hours to get all users and their activities.
- The activities that will display are the activities that were generated from the moment the connector is connected.
- Activities from the "Atlassian Access" audit log are fetched by Defender for Cloud apps. Other activities aren't fetched currently. See Product Audit Logs.
- After the connector’s Status is marked as Connected, the connector is live and works.
Revoke and renew API keys
Microsoft recommends using short lived keys or tokens for connecting apps as a security best practice.
We recommend refreshing the Atlassian API key every 6 months as a best practice. To refresh the key, revoke the existing API key and generate a new key.
To revoke API key, navigate to admin.atlassian.com > Settings > API keys, determine the API key used for integration and select Revoke.
Recreate an API key in the Atlassian admin portal with the steps described above.
Afterwards, go to the App Connectors page in the Microsoft 365 Defender portal and edit the connector:
Enter the new generated new API key and select Connect Atlassian.
In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected.
By default, the API key is valid for 1 year and expires automatically after a year.
- 1000 requests per minute (per API key/connector instance)
- For more information about the Atlassian API limitation, see Atlassian admin REST APIs.
- Activities will be shown in Defender for Cloud Apps only for users with a verified domain.
- The API key has a maximum expiration period of one year. After one year, you'll need to create another API key from the Atlassian Admin portal and replace it for the old API Key in the Defender for Cloud Apps console.
- You won't be able to see in Defender for Cloud Apps whether a user is an admin or not.
- System activities are shown with the Atlassian Internal System account name.
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.