Atlassian Bitbucket Integration
<div class="condensed-table">
| | |
| --- | --- |
| Version | 2.3.0 |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Community |
</div>
The Bitbucket integration collects audit logs from the audit log files or the audit API.
For more information on auditing in Bitbucket and how it can be configured, see View and configure the audit log on Atlassian’s website.
The integration targets self-hosted Bitbucket Data Center. It has been tested with Bitbucket 7.18.1 and is expected to work with newer versions. It has not been tested with Bitbucket Cloud and is not expected to work with it.
**Exported fields**
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
bitbucket.audit.affected_objects | Affected Objects | flattened |
bitbucket.audit.changed_values | Changed Values | flattened |
bitbucket.audit.extra_attributes | Extra Attributes | flattened |
bitbucket.audit.method | Method | keyword |
bitbucket.audit.type.action | Action | keyword |
bitbucket.audit.type.actionI18nKey | actionI18nKey | keyword |
bitbucket.audit.type.area | Area | keyword |
bitbucket.audit.type.category | Category | keyword |
bitbucket.audit.type.categoryI18nKey | categoryI18nKey | keyword |
bitbucket.audit.type.level | Audit Level | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
**Example**
An example event for `audit` looks as follows:
```json
{
    "@timestamp": "2021-11-27T18:10:57.316Z",
    "agent": {
        "ephemeral_id": "c1c6859f-88f5-4ae8-ad40-5c0c9fe933d1",
        "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.0.0-beta1"
    },
    "bitbucket": {
        "audit": {
            "affected_objects": [
                {
                    "id": "3",
                    "name": "AT",
                    "type": "PROJECT"
                }
            ],
            "extra_attributes": [
                {
                    "name": "target",
                    "nameI18nKey": "bitbucket.audit.attribute.legacy.target",
                    "value": "AT"
                }
            ],
            "method": "Browser",
            "type": {
                "action": "Project created",
                "actionI18nKey": "bitbucket.service.project.audit.action.projectcreated",
                "category": "Projects",
                "categoryI18nKey": "bitbucket.service.audit.category.projects"
            }
        }
    },
    "data_stream": {
        "dataset": "atlassian_bitbucket.audit",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
        "snapshot": false,
        "version": "8.0.0-beta1"
    },
    "event": {
        "action": "bitbucket.service.project.audit.action.projectcreated",
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "created": "2021-12-24T00:39:23.076Z",
        "dataset": "atlassian_bitbucket.audit",
        "ingested": "2021-12-24T00:39:24Z",
        "kind": "event",
        "original": "{\"affectedObjects\":[{\"id\":\"3\",\"name\":\"AT\",\"type\":\"PROJECT\"}],\"author\":{\"avatarUri\":\"\",\"id\":\"2\",\"name\":\"admin\",\"type\":\"NORMAL\",\"uri\":\"http://bitbucket.internal:7990/users/admin\"},\"changedValues\":[],\"extraAttributes\":[{\"name\":\"target\",\"nameI18nKey\":\"bitbucket.audit.attribute.legacy.target\",\"value\":\"AT\"}],\"method\":\"Browser\",\"node\":\"8767044c-1b98-4d64-82db-ef29af8c3792\",\"source\":\"10.100.100.2\",\"system\":\"http://bitbucket.internal:7990\",\"timestamp\":\"2021-11-27T18:10:57.316Z\",\"type\":{\"action\":\"Project created\",\"actionI18nKey\":\"bitbucket.service.project.audit.action.projectcreated\",\"category\":\"Projects\",\"categoryI18nKey\":\"bitbucket.service.audit.category.projects\"}}",
        "type": [
            "creation"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "related": {
        "hosts": [
            "bitbucket.internal"
        ],
        "ip": [
            "10.100.100.2"
        ],
        "user": [
            "admin"
        ]
    },
    "service": {
        "address": "http://bitbucket.internal:7990"
    },
    "source": {
        "address": "10.100.100.2",
        "ip": "10.100.100.2"
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "bitbucket-audit"
    ],
    "user": {
        "id": "2",
        "name": "admin"
    }
}
```
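The sample event shows how the raw Bitbucket record in `event.original` ends up in the `bitbucket.audit.*`, `source`, `user`, `service` and `related` fields. The following added example reproduces that mapping offline so detection rules can be tested against raw audit lines; it is not the integration's ingest pipeline, and the function name `to_ecs` and the rules for dropping empty values and validating `source` are assumptions inferred from the sample event alone.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Raw record taken from event.original in the sample event (avatarUri and node omitted).
RAW = json.dumps({
    "affectedObjects": [{"id": "3", "name": "AT", "type": "PROJECT"}],
    "author": {"id": "2", "name": "admin", "type": "NORMAL",
               "uri": "http://bitbucket.internal:7990/users/admin"},
    "changedValues": [],
    "extraAttributes": [{"name": "target", "value": "AT",
                         "nameI18nKey": "bitbucket.audit.attribute.legacy.target"}],
    "method": "Browser", "source": "10.100.100.2",
    "system": "http://bitbucket.internal:7990",
    "timestamp": "2021-11-27T18:10:57.316Z",
    "type": {"action": "Project created", "category": "Projects",
             "actionI18nKey": "bitbucket.service.project.audit.action.projectcreated",
             "categoryI18nKey": "bitbucket.service.audit.category.projects"},
})


def to_ecs(raw: str) -> dict:
    """Map one raw Bitbucket audit record to the fields seen in the sample event."""
    rec = json.loads(raw)
    author, typ = rec.get("author") or {}, rec.get("type") or {}
    audit = {"affected_objects": rec.get("affectedObjects"),
             "changed_values": rec.get("changedValues"),
             "extra_attributes": rec.get("extraAttributes"),
             "method": rec.get("method"), "type": typ}
    # Empty values are dropped: the sample has no changed_values key (assumed rule).
    audit = {k: v for k, v in audit.items() if v}
    doc = {"@timestamp": rec.get("timestamp"), "bitbucket": {"audit": audit},
           "event": {"action": typ.get("actionI18nKey"), "original": raw},
           "related": {}}
    if rec.get("system"):
        doc["service"] = {"address": rec["system"]}
        host = urlparse(rec["system"]).hostname
        doc["related"]["hosts"] = [host] if host else []
    if rec.get("source"):
        doc["source"] = {"address": rec["source"]}
        try:  # only a parseable address belongs in source.ip / related.ip
            doc["source"]["ip"] = str(ipaddress.ip_address(rec["source"]))
            doc["related"]["ip"] = [doc["source"]["ip"]]
        except ValueError:
            pass
    if author.get("name"):
        doc["user"] = {"id": author.get("id"), "name": author["name"]}
        doc["related"]["user"] = [author["name"]]
    return doc
```

Comparing the output of `to_ecs(RAW)` with the sample event is a quick way to confirm which indexed fields a rule on `user.name`, `source.ip` or `event.action` will actually match.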
**Changelog**
Version | Details | Kibana version(s) |
---|---|---|
2.3.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher |
2.2.2 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher |
2.2.1 | Bug fix: Use triple-brace Mustache templating when referencing variables in ingest pipelines. | 8.13.0 or higher |
2.2.0 | Enhancement: Allow @custom pipeline access to event.original without setting preserve_original_event. | 8.13.0 or higher |
2.1.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
2.0.0 | Enhancement: Make event.type field conform to ECS field definition. | 8.12.0 or higher |
1.23.0 | Enhancement: Set sensitive values as secret. | 8.12.0 or higher |
1.22.2 | Enhancement: Changed owners | 8.7.1 or higher |
1.22.1 | Bug fix: Fix exclude_files pattern. | 8.7.1 or higher |
1.22.0 | Enhancement: Limit request tracer log count to five. | 8.7.1 or higher |
1.21.0 | Enhancement: ECS version updated to 8.11.0. | 8.7.1 or higher |
1.20.0 | Enhancement: Improve event.original check to avoid errors if set. | 8.7.1 or higher |
1.19.0 | Enhancement: Set community owner type. | 8.7.1 or higher |
1.18.0 | Enhancement: ECS version updated to 8.10.0. | 8.7.1 or higher |
1.17.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. | 8.7.1 or higher |
1.16.0 | Enhancement: Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.7.1 or higher |
1.15.0 | Enhancement: Add ability to set condition for logfile logs. | 8.7.1 or higher |
1.14.0 | Enhancement: Update package to ECS 8.9.0. | 8.7.1 or higher |
1.13.0 | Enhancement: Document duration units. | 8.7.1 or higher |
1.12.0 | Enhancement: Document valid duration units. | 8.7.1 or higher |
1.11.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.7.1 or higher |
1.10.0 | Enhancement: Update package to ECS 8.8.0. | 8.7.1 or higher |
1.9.0 | Enhancement: Add a new flag to enable request tracing | 8.7.1 or higher |
1.8.0 | Enhancement: Update package-spec version to 2.7.0. | 7.16.0 or higher, 8.0.0 or higher |
1.7.0 | Enhancement: Update package to ECS 8.7.0. | 7.16.0 or higher, 8.0.0 or higher |
1.6.1 | Enhancement: Added categories and/or subcategories. | 7.16.0 or higher, 8.0.0 or higher |
1.6.0 | Enhancement: Update package to ECS 8.6.0. | 7.16.0 or higher, 8.0.0 or higher |
1.5.1 | Bug fix: Fix handling of messages with no events. | 7.16.0 or higher, 8.0.0 or higher |
1.5.0 | Enhancement: Update package to ECS 8.5.0. | 7.16.0 or higher, 8.0.0 or higher |
1.4.1 | Enhancement: Use ECS geo.location definition. | 7.16.0 or higher, 8.0.0 or higher |
1.4.0 | Enhancement: Update package to ECS 8.4.0 | 7.16.0 or higher, 8.0.0 or higher |
1.3.1 | Bug fix: Fix proxy URL documentation rendering. | 7.16.0 or higher, 8.0.0 or higher |
1.3.0 | Enhancement: Update package to ECS 8.3.0. | 7.16.0 or higher, 8.0.0 or higher |
1.2.2 | Bug fix: Add correct field mapping for event.created | — |
1.2.1 | Enhancement: Update Readme | 7.16.0 or higher, 8.0.0 or higher |
1.2.0 | Enhancement: Update to ECS 8.2 | — |
1.1.1 | Enhancement: Add documentation for multi-fields | 7.16.0 or higher, 8.0.0 or higher |
1.1.0 | Enhancement: Update to ECS 8.0 | 7.16.0 or higher, 8.0.0 or higher |
1.0.1 | Bug fix: Regenerate test files using the new GeoIP database | 7.16.0 or higher, 8.0.0 or higher |
1.0.0 | Enhancement: Initial draft of the package | 7.16.0 or higher, 8.0.0 or higher |