
Splunk:Alerts:Jira

lbonanomi edited this page Dec 30, 2020 · 1 revision

Admin permissions added to scheme:

index=jira auditorlog sourcetype=atlassian_jira_log "name=Permission keys, value=ADMINISTER_PROJECTS" | rex field=_raw "Permission scheme name, value=(?<scheme>.+?)}" | rex field=_raw "name=Security type, value=(?<browse_type>.+?)\}," | rex field=_raw "name=Parameter, value=(?<admin>.+?)\}\]" | rex field=_raw "summary=(?<action>.+?)," | eval alert = "Admin ".action." on ".scheme." to ".admin | table alert

Browse permissions:

index=jira auditorlog sourcetype=atlassian_jira_log "name=Permission keys, value=BROWSE_PROJECTS" | rex field=_raw "Event{author=(?<whom>.+?)," | rex field=_raw "Permission scheme name, value=(?<scheme>.+?)}" | rex field=_raw "name=Security type, value=(?<browse_type>.+?)\}," | rex field=_raw "name=Parameter, value=(?<browser>.+?)\}\]" | eval alert = "User/group ".browser." is granted BROWSE permissions on ".scheme." by ".whom | table alert

Custom field deleted:

index=jira auditorlog sourcetype=atlassian_jira_log "summary=Custom field" | rex field=_raw "summary=Custom field (?<action>.+?), object=(?<field_name>.+?)," | search (action=deleted)| eval alert = "Custom Field ".field_name." ".action | table alert

Simple-Auth failure:

index="jira" sourcetype=atlassian_jira_log c.a.j.security.login.JiraSeraphAuthenticator | rex field=_raw ".*Error occurred while trying to authenticate user '(?<whom>.+?)'.*" | stats count(whom) as failures

IMAP error:

index="jira" source=/opt/atlassian/jira/log/atlassian-jira-incoming-mail.log "javax.mail.AuthenticationFailedException" | eval alert = "IMAP Error"

New addition to project role:

index=jira auditorlog sourcetype=atlassian_jira_log "summary=Users assigned to project role" | rex field=_raw "object=(?<project>.+?)," | rex field=_raw "name=Project role, value=(?<role>.+?)}" | rex field=_raw "name=User names, value=(?<whom>.+?)}"| search role="Administrators" | table project,role,whom | eval alert = "User ".whom." is granted an ".role." role in ".project

New addition to admin group:

index=jira auditorlog sourcetype=atlassian_jira_log "summary=User joined groups," | rex field=_raw "summary=(?<summary>.+?)," | rex field=_raw "User name, value=(?<username>.+?)}" | rex field=_raw "name=Groups joined, value=(?<group>.+?)}" | table username,group | search group=*admin* | eval alert = "User ".username." is added to admin group ".group

New application link:

index=jira auditorlog sourcetype=atlassian_jira_log "summary=Application link created" | rex field=_raw "{name=Application name, value=(?<app>.+?)}" | eval alert = "New application link ".app." created" | table alert


Global permission change:

index=jira auditorlog sourcetype=atlassian_jira_log "category=Global permissions" | rex field=_raw "summary=Global permission (?<action>.+?),.*value=(?<target>.+?)}.*,.*name=Permission type, value=(?<perm>.+?)}" | eval alert = "Global permission ".perm." ".action." for ".target | table alert

New local user:

index=jira auditorlog sourcetype=atlassian_jira_log "summary=User added," | rex field=_raw "summary=(?<summary>.+?)," | rex field=_raw "author=(?<admin>.+?)," | rex field=_raw "User name, value=(?<username>.+?)}" | eval alert = "Jira-Internal User ".username." added" | where not admin in("KNOWN-ADMIN-USERNAME", "OTHER-KNOWN-ADMIN-USERNAME")

New plugin:

index=jira auditorlog sourcetype=atlassian_jira_log "category=Plugins" | rex field=_raw "summary=Plugin (?<action>.+?), object=(?<plugin>.+?)," | eval alert = "Plugin ".plugin." is ".action | table alert
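As an added example (not part of this wiki page and not a Splunk artefact), the Python script below applies the same detection logic as the admin-permission, admin-group, project-role, global-permission and local-user searches above to audit lines in the Event{author=..., summary=..., changedValues=[{name=..., value=...}]} shape those rex patterns expect. The log lines and the KNOWN_ADMINS set are constructed for the demo; the real field names emitted by Jira may differ, so treat the regexes as a starting point to validate against your own index.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample audit lines (not real Jira output), laid out in the shape the
# page's rex patterns expect: "Event{author=..., summary=..., category=..., object=...,
# changedValues=[{name=..., value=...}, ...], associatedItems=[]}".
SAMPLE_LOG = """\
2020-12-30 09:10:11,000 INFO alice 10.0.0.5 /rest/api/2/group/user [c.a.j.auditing.AuditingManagerImpl] Event{author=alice, summary=User joined groups, category=Group management, object=bob, changedValues=[{name=User name, value=bob}, {name=Groups joined, value=jira-administrators}], associatedItems=[]}
2020-12-30 09:12:00,000 INFO alice 10.0.0.5 /secure/admin/EditPermissions.jspa [c.a.j.auditing.AuditingManagerImpl] Event{author=alice, summary=Permission added, category=Permissions, object=Default Permission Scheme, changedValues=[{name=Permission scheme name, value=Default Permission Scheme}, {name=Permission keys, value=ADMINISTER_PROJECTS}, {name=Security type, value=Single user}, {name=Parameter, value=mallory}], associatedItems=[]}
2020-12-30 09:15:30,000 INFO carol 10.0.0.9 /secure/admin/user/UserBrowser.jspa [c.a.j.auditing.AuditingManagerImpl] Event{author=carol, summary=User added, category=User management, object=dave, changedValues=[{name=User name, value=dave}, {name=Full name, value=Dave D}], associatedItems=[]}
2020-12-30 09:16:00,000 INFO alice 10.0.0.5 /secure/admin/user/UserBrowser.jspa [c.a.j.auditing.AuditingManagerImpl] Event{author=alice, summary=User added, category=User management, object=erin, changedValues=[{name=User name, value=erin}], associatedItems=[]}
2020-12-30 09:20:00,000 INFO alice 10.0.0.5 /secure/admin/GlobalPermissions.jspa [c.a.j.auditing.AuditingManagerImpl] Event{author=alice, summary=Global permission added, category=Global permissions, object=jira-developers, changedValues=[{name=Group, value=jira-developers}, {name=Permission type, value=JIRA Administrators}], associatedItems=[]}
2020-12-30 09:21:00,000 INFO alice 10.0.0.5 /rest/api/2/group/user [c.a.j.auditing.AuditingManagerImpl] Event{author=alice, summary=User joined groups, category=Group management, object=frank, changedValues=[{name=User name, value=frank}, {name=Groups joined, value=jira-users}], associatedItems=[]}
2020-12-30 09:25:00,000 INFO alice 10.0.0.5 /secure/project/UserRoleActorAction.jspa [c.a.j.auditing.AuditingManagerImpl] Event{author=alice, summary=Users assigned to project role, category=Projects, object=SEC, changedValues=[{name=Project role, value=Administrators}, {name=User names, value=mallory}], associatedItems=[]}
"""

# Constructed placeholder for the page's KNOWN-ADMIN-USERNAME list: user creation by
# these accounts is expected and is not alerted on.
KNOWN_ADMINS: Set[str] = {"alice"}

EVENT_RE = re.compile(r"Event\{author=(?P<author>.+?), (?P<rest>.*)\}\s*$")
CHANGED_VALUE_RE = re.compile(r"\{name=(?P<name>[^,]+), value=(?P<value>[^}]*)\}")


def parse_event(line: str) -> Optional[Dict]:
    """Return author, summary, category, object and a dict of changedValues, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    event: Dict = {"author": m.group("author"), "summary": "", "category": "", "object": ""}
    for key in ("summary", "category", "object"):
        # Top-level value runs until the next ", <key>=" token, mirroring the page's lazy rex groups.
        km = re.search(rf"(?:^|, ){key}=(.+?)(?=, [A-Za-z]+=|$)", rest)
        if km:
            event[key] = km.group(1)
    event["values"] = {v.group("name"): v.group("value") for v in CHANGED_VALUE_RE.finditer(rest)}
    return event


def rule_admin_permission(ev: Dict, known_admins: Set[str]) -> Optional[str]:
    """'Admin permissions added to scheme': ADMINISTER_PROJECTS granted in a permission scheme."""
    v = ev["values"]
    if v.get("Permission keys") == "ADMINISTER_PROJECTS":
        return f"Admin {ev['summary']} on {v.get('Permission scheme name')} to {v.get('Parameter')}"
    return None


def rule_admin_group(ev: Dict, known_admins: Set[str]) -> Optional[str]:
    """'New addition to admin group': group=*admin* is case-insensitive in Splunk, so lower() here."""
    group = ev["values"].get("Groups joined", "")
    if ev["summary"] == "User joined groups" and "admin" in group.lower():
        return f"User {ev['values'].get('User name')} is added to admin group {group}"
    return None


def rule_local_user(ev: Dict, known_admins: Set[str]) -> Optional[str]:
    """'New local user': a Jira-internal account created by someone outside the known-admin list."""
    if ev["summary"] == "User added" and ev["author"] not in known_admins:
        return f"Jira-Internal User {ev['values'].get('User name')} added"
    return None


def rule_global_permission(ev: Dict, known_admins: Set[str]) -> Optional[str]:
    """'Global permission change': report the permission, the action and the granted principal."""
    if ev["category"] != "Global permissions" or not ev["summary"].startswith("Global permission "):
        return None
    action = ev["summary"][len("Global permission "):]
    v = ev["values"]
    target = next((val for name, val in v.items() if name != "Permission type"), ev["object"])
    return f"Global permission {v.get('Permission type')} {action} for {target}"


def rule_project_role(ev: Dict, known_admins: Set[str]) -> Optional[str]:
    """'New addition to project role': only the Administrators role is interesting."""
    v = ev["values"]
    if ev["summary"] == "Users assigned to project role" and v.get("Project role") == "Administrators":
        return f"User {v.get('User names')} is granted an {v['Project role']} role in {ev['object']}"
    return None


RULES = [rule_admin_permission, rule_admin_group, rule_local_user, rule_global_permission, rule_project_role]


def run_detections(log_text: str, known_admins: Set[str] = KNOWN_ADMINS) -> List[str]:
    """Run every rule over every parsable line and return the alert strings in log order."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in RULES:
            alert = rule(ev, known_admins)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Running the script prints one alert per matching sample line; the two benign lines (a known admin creating a user, and a user joining jira-users) produce nothing, which is the same outcome the `where not admin in(...)` and `search group=*admin*` filters give in the Splunk searches.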
