Atlassian audit logs carry high-value security and operational signals, yet the raw format makes them hard to use in day-to-day investigations. Nested JSON, arrays inside arrays, and localization keys turn routine questions into slow, manual work. For lean Security and IT teams, that friction shows up as delayed triage, fragile dashboards, and alerts that fire without enough context to act.
A recent engineering walkthrough at Graylog GO from Eddy Gurney, Principal Engineer at NETSCOUT, captured the practical path from raw Atlassian JSON to stable, searchable audit events. The core insight is simple: parsing improves legibility, modeling produces decisions. When teams model audit data at the edge, they get complete visibility into “who did what and when,” smarter detection through consistent context, and hard cost savings by keeping ingestion and processing efficient.
Why Atlassian Audit JSON Slows Investigations
Atlassian audit records often include:
- Nested objects that hide the fields analysts care about most
- Arrays where meaning shifts by index across events
- Localization and internationalization keys that create noise
- Fields present in theory but difficult to query consistently in practice
When that structure stays intact, analysts spend their time normalizing and interpreting JSON rather than investigating behavior. That slows triage, makes dashboards brittle, and forces alerts to fire without enough context to act confidently.
Four Pipeline Attempts, Four Dead Ends
My first instinct was the same as many teams: parse and clean the JSON inside the SIEM using pipelines. The goal was to promote key fields into something searchable and dashboard-friendly.
Attempt 1: parse_json
This worked for top-level fields but left arrays and nested objects mostly untouched. The event still looked like a puzzle. Search and aggregation stayed awkward because the data that mattered lived in deep structures.
Attempt 2: flatten_json
Flattening seemed promising until index-based fields showed up. When the same concept appears in different array positions across events, queries become fragile. Dashboards work until one event shape changes and everything shifts.
Attempt 3: Regex cleanup
Regex removed some clutter, yet the core problem remained. Arrays were still JSON blobs that did not behave like reliable fields.
Attempt 4: JSONPath extraction
JSONPath gave clean fields, but scaling it required hand-building paths for dozens of attributes across many event variants. It also introduced ongoing processing cost inside the cluster.
All four approaches shared the same pattern: they pushed complexity around rather than removing it. The log processing work stayed centralized and heavy, which is the least forgiving place to do it at scale.
See Eddy walk through the first attempts with parse_json and flatten_json, and why each approach broke down when faced with Atlassian’s nested structures.
The Move That Unlocked Clarity: Model JSON at the Edge
The breakthrough came when I stopped trying to make pipelines do surgery on every Atlassian event and instead moved the hard work upstream.
Using Filebeat with a JavaScript processor, I normalized, denoised, and enriched the audit JSON before it ever landed in the SIEM. This edge approach delivered three advantages immediately:
- Events arrived with stable fields, ready for search and dashboards
- The central cluster stayed focused on indexing and analysis, not deep parsing
- The data model became consistent across varied Atlassian audit event shapes
What The Edge Processor Did
The Filebeat script handled the parts that made Atlassian audit JSON painful:
- Converted arrays like affectedObjects into stable, named fields
- Dropped internationalization keys that added clutter
- Corrected timestamps and standardized formats
- Rewrote nested change values into human-readable strings
- Produced predictable field names that matched investigation workflows
Instead of carrying index-based blobs, events arrived modeled around the entities teams actually investigate.
Parsing vs Modeling: The Difference That Matters
Parsing extracts fields. Modeling creates an event schema that stays stable over time and supports decisions.
A modeled Atlassian audit event makes it easy to answer:
- Which user or service account performed the action
- Which project or workspace was affected
- What permission or configuration changed
- When the change occurred and what else was happening around it
- Whether the pattern matches normal administrative behavior
Modeling also enables consistent correlation. A permissions change can be grouped reliably. A burst of admin actions can be measured accurately. Trend lines do not break because an array index shifted.
This approach aligns with a risk-over-noise workflow, where the goal is complete visibility organized around entities, smarter detection through context, and hard cost savings by reducing rework.
From Modeled Events to Dashboards That Drive Action
Once edge modeling handled the complexity, the SIEM-side pipeline work became lightweight. My team kept central processing focused on high-value enrichments such as DNS lookups and small field normalization, not heavy extraction.
That shift unlocked dashboards and alerts that stayed dependable:
- Stable fields produced glanceable dashboards
- Ranked views of permission changes highlighted what mattered
- Activity bursts became easy to spot and explain
- Alerts became more reliable because the underlying data was consistent
The practical outcome was speed. Analysts could decide quickly whether an event was noise or required action because the event arrived with context already attached.
See the payoff: management-friendly dashboards and daily threshold alerts built on clean, modeled data.
How to Apply this Approach to Atlassian Audit Logs
- Who changed permissions today
- Which projects saw unusual administrative activity
- Which automation accounts acted outside their normal pattern
- Which actions cluster around suspicious access behavior
Key Takeaways From Graylog GO
Atlassian audit JSON is valuable evidence, but raw structure blocks speed and clarity. Pipeline-heavy parsing tends to create fragile queries and higher processing cost. Modeling at the edge produces stable, searchable events that support reliable dashboards and faster investigations.
If your team spends too much time turning JSON into something usable, that work can move upstream. Modeled audit logs improve analyst experience, improve detection quality through consistent context, and reduce rework that drains lean teams.
Eddy Gurney is a Principal Engineer at NETSCOUT. This post is based on his presentation at Graylog GO, where he shared the architecture and lessons learned from operationalizing Atlassian audit logs at scale. Learn more and watch Eddy’s full presentation, or see how Graylog turns complex logs into clear, actionable insights with a demo.
