Monitoring JIRA for suspicious user activity

My company is in a very specialised industry with very few big players and very few new developments.  As as result, any activity to make new products/services is extremely valuable information.  My company is therefore understandably very concerned about data security.

In the past, confidential documents have found their way out of the company and into the hands of competitors, enabling them to use our new product ideas and try to get a similar product to market, or find some other way to steal our thunder when it is released.   Other times, sensitive customer information has been taken and distributed to the customer in an attempt to show that we do not properly protect sensitive customer information and therefore cannot be trusted/are incompetent etc.

So we needed a way to track who has accessed certain documents and discussions on JIRA, so that if such an incident occurs again, we can have some way to find out who did it, or at least narrow the options.

The things we wanted to achieve were:

  • be able to see who accessed Document-A between date X and Y.
  • have the system send an alarm email when a user downloads >50 binary files in 30 mins.

jira-user-filterThe solution we came up with was to use Sawmill which is a log analysis tool.  You install it on the web server and it parses log files regularly, updates it own database, and presents the information to you via a web interface.  You can set up various filters for the report information, and also set up email alarms such as above.  It was quite cheap and works well for our needs.   Probably there are other solutions, but this was the best I could find at the time.

I tried to use Sawmill for some other log analysis such as for my website, and for the SMTP mail server but it didnt work particularly well and I gave up on it without trying too much.  I use Google Analytics anyway for the website which is great, and I just look through the mail logs manually for now.

Advertisements

3 thoughts on “Monitoring JIRA for suspicious user activity

  1. Hy,

    Is it somehow possible to log admin activities in Jira, e.g.
    1/1/2011 Admin1 created Notification Scheme 1
    1/2/2011 Admin2 added User1
    … etc.

    Is this kind of logging possible in Jira?

    • Better to ask Atlassian this one.

      In Sawmill you can set up a search filter for URL patterns. So if you know what the URL for ‘add notification scheme’ is, then you can simply search in Sawmill for all hits on that URL in a given timeframe and see which users hit the URL and at what time. So I think you could achieve what you want to do, however it would be a little tedious to set up and complete. Therefore that solution would be only suitable for a one time analysis, rather than regular monitoring.

  2. Aha, thanks for your answer. I will ask Atlassian support the same thing as you suggested.

    Thanks again!

Comments are closed.