Content scanning detections monitor for potentially sensitive data being added to Confluence pages. We monitor for the following data:
Credentials
Financial data
Identity data
You can also create custom content scanning detections to monitor for data sensitive to your organization.
How it works
When a Confluence page is published or updated, we scan the content of the update and generate an alert if we find text that matches our detection criteria.
The alert contains information about the page, the person who published the Confluence page, and suggested investigation and remediation steps.
What text is scanned?
We scan:
Confluence page or blog post body.
Confluence page and blog post title.
We don’t scan:
Confluence whiteboards, databases, and live pages.
Comments on pages and blog posts.
Other free-text areas such as labels, space descriptions, or templates.
Content is scanned on create and update
We scan the content at the point a new page or blog post is created or an existing page is updated.
This means if an existing Confluence page already contained sensitive data at the point it is updated, we’ll generate an alert, because the entire page body is scanned when the page is updated.
There’s currently no way to scan all your existing content (without it being updated).
Permission to view content
The content scanning alert includes the name of the page or blog post that contains potentially sensitive data.
If you have permission to see the page or blog post, you’ll see a preview of the content. If you don’t have permission, you’ll only see the title.
Admins with Confluence product access may be able to use their admin key to view the content, if that’s appropriate in your organization.
Attributing the detected data to the actor
The actor is the person who published the Confluence page. This means that there are some situations where the actor may not be the person who added the sensitive data, such as when two or more people contribute to a Confluence draft.
Content scanning detections
What is considered sensitive differs between organizations. We provide a number of common detections, such as credit card numbers, passwords, and US Social Security Numbers.
To see a comprehensive list of the content we scan for, go to Detections > Content scanning.
Credentials
API tokens and private keys are used for authentication and encryption. For example, if you wanted to connect Jira to your continuous integration tool, you may use an API token. If an API token or private key is compromised, critical security measures can be bypassed to access and exfiltrate data.
When a user publishes or updates a page, we scan the content for text that may be an API token or private key.
Example: A team lead in a software team is onboarding several new team members this month. To make sure they can get up and running quickly, the team lead adds the API key for their CI/CD tool to a Confluence page in their team’s private space.
Your team is alerted shortly after data in the format of an API key is added to the page. They can investigate the alert, then ask the team lead to remove the data, purge the page history, and revoke the API key.
Financial data
Financial information is among the most sensitive data an organization holds. Handling this data may be controlled by law, and penalties for data loss and breaches can be significant. It can also leave the person whose data has been compromised at risk of identity theft and liable for any financial obligations made with stolen credentials.
When a user publishes or updates a page, we scan the content for text that may be credit card numbers, International Bank Account Numbers (IBANs), or Bitcoin addresses.
Example: Your big customer conference is coming up, and it’s all hands on deck. To make life easier, the manager of your events team adds their company credit card to a Confluence page, so that staff working on the event don’t need to ask for it when making bookings and paying deposits.
Your team is alerted shortly after a number that looks like a credit card is added to the page. They can investigate the alert, then ask the manager to remove the card number and purge the page history.
Identity data
Sensitive data, which may include personal data, is some of the most important data an organization possesses. Its loss can result in serious damage to the individuals whose information has been compromised.
When a user publishes or updates a page, we scan the content for text that may be a US Social Security Number (SSN).
Example: Your HR system is undergoing an upgrade, and is unavailable for a few hours. A recruiter in your team decides to record a new hire’s details on a Confluence page until they’re able to enter it into the official system. They’re confident that the data will be safe, because they restricted the page to themself, and plan to delete it as soon as the system is back online.
Your team is alerted shortly after a number that looks like a Social Security Number (SSN) is added to the page. They can investigate the alert, then ask the recruiter to delete the page and purge the trash.
Data sensitive to your organization
All organizations are different and so is the data that may be considered sensitive to each organization. You can create a custom content scanning detection to send an alert when text containing terms and phrases considered sensitive in your organization is found when a user publishes or updates a page.
Example: Your company is working on acquiring another company, Black Bear Inc. The transaction has been given the codename Ursus. At the request of the Mergers and Acquisitions team, your security team creates a custom content scanning detection for variations on the codename and company name, and adds a number of exclusions for the restricted pages the team are working in. Your team is alerted when a page is published that contains the words Ursa and Bear. They investigate the alert and see that the actor is a member of the mergers and acquisitions team. They confirm with the actor that the page is appropriately restricted, then mark the alert as expected behavior.