Get the context you need to investigate suspicious searches with our enhanced alert

Audrey Garcia — Tue, 03 Sep 2024 16:01:34 GMT

Hi Atlassian Community,

The Guard Premium team is thrilled to announce improvements to our suspicious search term alert, which is designed to give you even greater insight into potential security threats. This update brings the context you need to ensure you have the most actionable information at your fingertips.

Currently, Guard Detect sends an alert when suspicious search activity is detected in Confluence, such as searches for credentials, passwords, cryptocurrency, and other sensitive or confidential content.

To help your security team investigate and determine whether the search is indeed suspicious, you can now see the actor’s search terms and other contextual search queries made at the same time as the suspicious search, as well as a list of pages viewed by the actor around the same time.

Not all searches are suspicious, so the additional context makes it easier for your security team to determine the actor’s intent.

What's new

We heard your concerns that it was difficult to analyze and investigate an alert that only included the category of search term, so we’ve added a lot more information to help.

Before and after view of the suspicious search alert

See actual search terms

Context is everything, so the donut chart has been replaced with a table containing the actor’s actual search query. We include both the suspicious search terms, and other terms queried around the same time, to provide richer context that may help illuminate the actor’s intent.

It’s important to note that Guard Detect users can only see a person’s search query in the context of a security alert, and only for the purpose of investigating the alert.

Powerful filters to make sense of the data fast

In situations where suspicious search activity is high, being able to interrogate an alert, and quickly see the terms in each category can save precious minutes for your security team. For example, select credentials to see only the queries related to credentials highlighted in the list.

Connect searches to page view activity

The final piece of the puzzle is the actor’s behavior. The Pages viewed tab gives your team quick access to a list of pages the actor viewed around the time of the suspicious search. This helps build a picture of the actor’s intent, and helps your security team to act quickly if sensitive data has been accessed.

See the new alert in action

Here’s an example alert that shows the new alert in action.

Animated gif showing new alert filters and pages viewed

Why this matters

These improvements are designed to give your security team the tools they need to investigate alerts more effectively. By providing search queries, and contextual information, we aim to help your team investigate instances of potential attacker exploitation activity which may result in access to sensitive information.

How to access the suspicious search alerts

The new suspicious search alert is now live and available to all Guard Premium customers. When suspicious search activity is detected, an alert will be generated. From there, view the alert details to explore the new improvements.

We believe these updates will significantly enhance your ability to detect and respond to suspicious activities within your organization. As always, please share your feedback and know we’re here to support you.

Cheers,

The Atlassian Guard Premium Team

article Get the context you need to investigate suspicious searches with our enhanced alert in Articles