JIRA integration with IBM QRadar SIEM

JIRA ADMIN July 25, 2021

Is it possible that JIRA integration can be done with IBM QRadar SIEM? If yes, then a solution is required.

1 answer

0 votes
Nic Brough -Adaptavist-
July 26, 2021

Yes, Jira can be "integrated" with Qradar.

The nature of the "solution" you go for depends entirely upon what you want from your "integration".  We can't tell you more than that without an explanation of what you are trying to do.

JIRA ADMIN July 26, 2021

We need to have JIRA logs integrated with QRadar, so that any malicious activity can be detected and hence rectified.

We need logs like the following:

  • Who accessed JIRA
  • Which user was logged in at what time
  • Which user was created/modified/deleted
  • Time of all the activities performed
  • Which activity was performed by which user and from which IP
  • QRadar alerts when some malicious action is performed on JIRA Platform
Nic Brough -Adaptavist-
July 27, 2021

Ok, so the Jira application doesn't trap most of that in any way that would be easy to get to in the application. 

For example, "time of all activities performed" - yep, there's a full issue history, so you could read that to see when changes were made, but doing so would be an incredibly heavy load to do it for all issues, and it might not catch all that you're thinking of - Jira certainly doesn't bother logging view activity beyond "person looked at something so I'll record it as one of the five recent things they can go back to later".

What you'll need to do is enable access logs on your server and then tell Qradar how to read them.  I usually do that at a proxy level (I rarely run Jira on its own, there's always a load balancer or proxy in front of it because it makes logging and SSL a lot easier).  Specifically:

  • Who accessed JIRA
    • access logs will have a user name
  • Which user was logged in at what time
    • access logs have a time-stamp
    • Note that you can not tell when people "log out" unless they explicitly click the log out button.  You have to consider people logged in from their last logged action until the end of the session (time-out)
  • Time of all the activities performed
    • access logs have the url hit which tells you broadly what the activity was and the time
  • Which activity was performed by which user and from which IP
    • access logs contain the urls, but it may get complicated because you cannot tell from them whether the user committed a change or not, nor what the change was

The two that fall outside that:

  • Which user was created/modified/deleted
    • This depends on what user directory you are using.  If it's the internal one, then you can read the internal audit log over REST to see this.  If you're using an external directory, you should be looking to monitor change in that system, not Jira
  • QRadar alerts when some malicious action is performed on JIRA Platform
    • You'll have to define "malicious action" and think about how to detect it.  That might be a look at the logs, but there's a pile of other things it might be, and is likely to be wider than just Jira with you needing to look at your networking too.

One last point here - you've tagged this question with "Cloud", which would make it all moot.  You don't have any access to anything you'd need to do this integration with Cloud (except the audit log).
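
The access-log approach described in the answer above, as an added example that is not part of the original posts: it parses proxy access logs for user, time, URL and source IP, and treats a user as logged in from their last request until the session time-out. The combined log format with the user name in the third field, the 30-minute time-out and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed session time-out; use the value configured for your instance.
SESSION_TIMEOUT = timedelta(minutes=30)

# Assumed Combined Log Format: ip ident user [time] "method url proto" status size
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
192.0.2.10 - alice [26/Jul/2021:09:00:05 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120
192.0.2.10 - alice [26/Jul/2021:09:10:00 +0000] "POST /secure/EditIssue.jspa HTTP/1.1" 302 0
198.51.100.7 - - [26/Jul/2021:09:11:00 +0000] "GET /login.jsp HTTP/1.1" 200 2048
203.0.113.5 - alice [26/Jul/2021:11:00:00 +0000] "GET /browse/DEMO-1 HTTP/1.1" 200 9000
192.0.2.20 - bob [26/Jul/2021:09:30:00 +0000] "GET /browse/DEMO-2 HTTP/1.1" 200 9000
malformed line
"""

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def infer_sessions(log_text, timeout=SESSION_TIMEOUT):
    """Group authenticated requests into per-user sessions, in start order."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["user"] != "-"]
    sessions, open_by_user = [], {}
    for r in sorted(recs, key=lambda r: r["ts"]):
        s = open_by_user.get(r["user"])
        # A gap longer than the time-out means the old session expired.
        if s is None or r["ts"] - s["last"] > timeout:
            s = {"user": r["user"], "start": r["ts"], "ips": set(), "requests": 0}
            sessions.append(s)
            open_by_user[r["user"]] = s
        s["last"] = r["ts"]
        s["ips"].add(r["ip"])
        s["requests"] += 1
        # No log-out is visible in the log, so assume logged in until time-out.
        s["assumed_end"] = r["ts"] + timeout
    return sessions
```

Call `infer_sessions()` on the text of the proxy log; the anonymous and malformed lines in the sample are skipped, and the URL and method stay available from `parse_line()` for activity-level rules.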

Daniel Koška
December 13, 2023

Good day, where can I find all of these logs except atlassian-security.log? Though, which logs are useful to implement to Qradar?

Nic Brough -Adaptavist-
December 14, 2023

Welcome to the Atlassian Community!

You will need to ask the server admins what access logging they have set up, they'll be able to tell you where the logs are for it.
