Follow up FAQ from AMA - Defend your cloud: Level up security with Guard Premium

Hey folks! Our team recently hosted the Defend your cloud: Level up security with Guard Premium AMA webinar. 

Missed it? You can catch the replay here: Watch on-demand

It was fantastic to see so many folks excited to learn about all things Guard. My teammate and resident security expert, @Tygrr DosRemedios, was kind enough to give us the scoop on what’s coming in the world of Guard. We covered a lot of topics during the AMA, so we wanted to follow up with answers to your most common questions and a couple we didn’t get a chance to answer live. Take it away, Tygrr!

 

---

How can I assign users to Authentication policies during setup in Guard, rather than after they have successfully logged in?

Yes, you can assign users to authentication policies during setup before they've logged in for the first time.

Here’s how it works:

• When you provision new managed accounts (for example, by claiming your domain or inviting users), those users are automatically added to your organization’s default authentication policy. You can also create additional authentication policies and assign users to them at any time, including during initial setup.

• You do not have to wait until users have logged in to assign them to a policy. Assignment can be done proactively, so that when users log in for the first time, the correct authentication requirements (such as SSO or 2FA) are already enforced.

• You can change the default policy or assign users to specific policies as needed. This allows you to control which users are subject to which authentication requirements from the moment their accounts are created or claimed.

Let's say I have to submit a report on the alerts detected by Guard Premium to the CISO or C-Level. How can I export the data from the last year in CSV or PDF format? Could this be done via API?

In short, yes, you can export the data from Guard Premium directly to a CSV file via the Native UI – no API required! Here’s how:

• Option 1:

  • CSV Export (Native UI):

    • How:

Who can export: Organization admins and Guard Detect admins.

Date Range: You can filter alerts in the UI by date (e.g., last year) before exporting, ensuring your CSV contains only the relevant timeframe. Note: Guard Premium only retains alert data for 180 days (6 months) in the dashboard. For annual reporting, you should export data regularly to avoid losing older alerts.

For additional information, visit the support article here.

You can also use the GraphQL API - https://developer.atlassian.com/cloud/guard-detect/developer/getting-started/

 

Is there any plan to involve the AI prompt and response in Guard Premium ? MCP activities?

This is a top customer request and under active consideration on our roadmap! In short, there is no current native logging of AI prompt and response content in Guard Premium, but API usage and MCP activity are logged in Guard Premium, and more granular audit logging is planned. Additionally, admin controls for MCP access are being enhanced.

For the latest updates on tracking MCP activity, visit the support article here.

Is there any plan to add Rovo chat logs (prompt / response) in the Guard Premium Audit log?

Currently, Rovo Chat prompt and response logs are not included in the Audit log, even with Guard Premium enabled. There is no timeline to add this feature yet. However, if this is a feature you’re also keen to see for your organization, please submit feedback to our team here.

Does Guard Detect eliminate the need to monitor the Audit Log, or should both still be used together?

The answer is more is always better than less when it comes to security! However, we understand teams and individuals are time poor and the fatigue of combing through individual audit logs is very real. For this reason, we have created out of the box detections for user activity and scanning for sensitive data to help you get started quickly and also provided the alert detail interfaces in the Guard Detect UI so that you can quickly investigate this alert, the user, additional useful context like audit logs which we brough together in a single pane to help you remediate potential high risk incidents as quickly as possible.

We are doing our best to decrease time to resolution for you and supplying this information for your security team helps them also look across other SaaS tooling and those external audit logs so they can get the appropriate information to holistically diagnose an incident and continue to maintain a solid security posture.

 

Are there any plans on the roadmap to allow permissions to be distinguished between production and sandbox environments? Currently, the new Create Permissions appear to apply globally. For many organizations, having separate controls is essential, as it would enable greater flexibility for testing in sandbox environments while maintaining stricter governance in production.

This depends on whether you are on the centralized user management or original user management, because your experience of granting users, groups, and teams access to sandboxes will differ. 

In terms of centralized user management, I’ve got good news: in the production site, users, groups, and teams exist in the organization level, so they don’t need to be copied to the sandbox. And then after creating a sandbox, only the org admins are given access to the groups. The group names in your sandbox will be similar to the app group names. I believe this is scenario in question here. 

For original user management - When you copy data from the production site to the sandbox, users, groups, and teams are copied separately. Users will be automatically added to the sandbox team. However, users will not be automatically added to the sandbox group and must be manually added by inviting them to the sandbox. When you copy data from the production site to the sandbox, the users and groups are also copied, but users are not automatically added to any groups. The group names in your sandbox will be similar to the app group names. Sounds like this second option might be better to get the granularity they require.

 

We’re currently trialing Guard Premium, but we’ve found that the documentation for setting up the SIEM webhook is quite limited. Has anyone successfully connected Guard Premium to either Cribl or Crowdstrike Next-Gen SIEM? When attempting to connect the webhook URL, we’re encountering this error: “Unexpected GraphQL error: Error testing the subscription URL.”

There will be some instances where a 3rd party tool cannot accept incoming webhooks just due to the nature of their tech limitations. We recommend starting a ticket with our support team to further explore the issue and bring this to our engineering teams attention - sometimes it’s out of our hands or it could be a bug on our end but we want to make sure to catch any errors on our side when it comes to these technical blockers. 

Are there any native integrations supported from Guard to SIEM?

No SIEMs are natively supported by Guard with direct, out-of-the-box integrations. However, you can connect to any SIEM that supports receiving webhook data! Guard Premium supports configurable webhooks, which is how other organizations like yourself achieve SIEM integrations at this time.

Is it possible to enhance the detection sensitivity or prioritize staff members who are departing?

Yes, you can adjust detection sensitivity! Here’s how you can fine tune alerts:

• Change the sensitivity of a user activity detection

• Disable any content scanning detection rules you don’t need

• Exclude certain pages from content scanning detections

For more detailed instructions, visit the support article here.

Is it mandatory to have Atlassian Guard in order to integrate with the Atlassian app connector in Microsoft Defender for Cloud Apps? Or can the integration work without a Guard subscription?

Yes! You will need a subscription to Atlassian Guard Standard first. After that, you can connect Microsoft Defender for Cloud Apps to your existing Atlassian products using the App Connector APIs. 

How does Guard Premium integrate with existing systems like Slack or Jira? Would love to hear some real-world examples or tips on making the most of these integrations.

The good news is we integrate with both! You can send alerts to one or more Slack channels via the Guard Detect UI when clicking on the Integrations tab. As for Jira, you can forward any of the alerts to any Jira project of your liking. We find a lot of security teams operate out of a Jira Service Management queue so they can triage and work through those with ease.  

What are the data residency considerations for Guard Premium features, especially regarding data egress, processing, and storage for content scanning?

We don’t have this actively ready for consumption but our team is working on this right now so please stay tuned for this coming in the next few months with precise details attached! 

I'm trying to get Guard Detect alerts to appear in a Microsoft Teams chat. Does anyone have a sample JSON for an Adaptive Card that works for this use case?

We’ve already set it up so you can easily forward that information without any need for a custom hack on your end. To send alerts to Microsoft Teams, you’ll need to create an incoming webhook using Workflows in Microsoft Teams. Then add the webhook URL within Guard Detect under the Integrations tab, where you’ll see Teams. 

Can you give us a sneak peek at what’s coming up for Guard? Are there any plans to let Atlassian Analytics users pull in data from Guard? I think it would be really valuable to cross-reference security incident trends with product rollouts or feature launches. This kind of integration could help us see if new features impact the number of detected security incidents and open up some interesting analysis opportunities!

We have a ton of huge features coming in the next few months that we are VERY excited to share. First is full site scanning across an organization for PII or sensitive data - you’ll be able to configure detections and run scans across all sites for any compliance or auditing purposes. We also have auto-classifications, so in those use cases where your team is dreading the manual effort of applying these labels to individual pages or work items - you can configure criteria that scans context on a page and then automatically applies a label to that page above the normal default you would have set.

We are also shipping a new Org Wide Data Security Policy - this means instead of org wide defaults being open and having to choose specific containers to apply these rules to, we allow you to keep everything closed off. Ex: Instead of having to choose individual Classification levels to apply something like blocking all exports, you’ll be able to say I want to block all exports across the org.

We are also working on becoming more Enterprise ready - this means we will be shipping Data Residency in the next few months to help you stay compliant in specific regions. This will also be available in FedRamp and Isolated Cloud environments so we’re super excited about that one especially! 

Regarding plans to let Atlassian Analytics users pull in data from Guard, this is a great question and the first time we’ve heard this feedback actually! We haven’t had this on the roadmap but we love incoming feature requests to deep dive into and understand the value and feasibility on our end. I definitely agree this would be REALLY valuable to cross-reference analytics for all the various needs across our orgs and their industries. Exploring the integration of security data in general could provide really actionable insights into the relationship between incidents and security posture. This approach supports proactive risk management and continuous improvement in product security.

I had heard that Atlassian has acquired another company to help expand scanning and detection — any update on that?

We did, Borneo! Those engineers are currently helping work on the big features we mentioned above. ☝️

I'd like to hear more about the upcoming blocking of downloads of Confluence attachments. For example, how can we set the criteria for blocking, what audit logs will be left when a user attempts to download a blocked attachment, etc. Will this feature be coming to Jira, and if so, when is it being considered? I'd also like to know if there is any consideration for integrating the audit logs with various monitoring tools.

We have this feature out already actually! You can prevent users from exporting or downloading content covered by this policy. Its blocks attachment downloads and export formats including XML, CSV, HTML, PDF, and Word. You will go into Admin, set up your classification levels first and then then you can apply this Data Security Policy into action. The cool part about this policy, is that once it’s set the option to even try to export or download is completely removed so users don’t see an option which results in no audit log event being recorded. 

We are considering this for Jira and it’s definitely on our roadmap but hasn’t been prioritized yet. As I mentioned before, we’re working on the list of those highly requested scanning features.

As far as audit log integrations, with Guard Premium you can currently forward all audit logs to the external tool of your choice and they get streamed in real time, as long as they accept those incoming webhooks. If there are any special requests or limitations, please let us know.

We’re planning to implement Atlassian Guard and have some questions about managing external users—such as suppliers—who aren’t part of our company domains but are available in our Identity Provider (IdP).

• How should we manage accounts for these external users through Atlassian Guard?

• Who is responsible for paying for Guard licenses for these users?

• Who manages their accounts?

• Are there any best practices for handling this setup?

All excellent questions! We’ll go in order of ask:

• “How should we manage accounts for these external users through Atlassian Guard?” We know it’s important that external or temporary users do not need to be added as managed accounts for your organizations so Atlassian has special external user security controls. Essentially, you can require an extra step of security when external users try to access your organization’s data.When you enable single sign-on, you will have to sync external users from your identity provider so they are not blocked from accessing the help portal. That’s it!

• “Who is responsible for paying for Guard licenses for these users?” External users with full product access are generally billed at the same rate as managed users. The billable user count for Guard Standard includes both managed accounts and billable external users. 

• “Who manages their accounts?” Your Org Admins! They can view billable external users via an export in Adminhub.

• “Are there any best practices for handling this setup?” We do have some public facing documentation here - let our team add this in the chat right now. https://support.atlassian.com/security-and-access-policies/docs/who-are-external-users/

Does Atlassian Guard support two-factor authentication (2FA) using email, where users receive a one-time password (OTP) by email to enter during login?

Guard Standard DOES offer two-step verification involving a verification code that you get from an authentication app on your smartphone or by text message on any mobile phone. 

Now, there are special circumstances where you don't have access to your security key, or phone or can't access your authentication app. In these cases, we are able to send you a recovery email with more information with the subject line “Steps to recover your Atlassian account”. This first email doesn’t contain a one-time link. 

Then after 24 hours, we’ll send you a second email with a one-time link. This link lets you access your account and takes you to the two-step verification settings page. You’ll follow the instructions in this email to disable two-step verification or enroll a new device. From there, you can reset up the 2FA.

---

 

Feel free to ask more below, or hear directly from our product team at their upcoming webinar (register here). 🥳