Current Behaviour:
Currently, the org. audit log only has the capability of reporting events related to a managed user or claimed domain, but not external users. An "external user" is a user who's Atlassian account email address is not on any of the organization's verified domains or claimed accounts.

It is currently not possible to audit how, where and when external users are authenticating on a Cloud site where they are considered an external user.

Suggested Improvement:
In the context of "external user security", external users are authenticating against a particular Cloud site or Atlassian organization.  Currently, there aren't any logging events or triggers that support this action. Current audit log logic displays events triggered by Atlassian account related actions, but not authentication events related to a specific Cloud site.

For example:

• A managed(internal) user logs in to their Atlassian account which causes the "Logged in to account" activity event to be displayed in the org. audit log. This event is not displayed for an external user - however, this event itself is not an indicator that the user has accessed any Cloud site data
• It's possible that an Atlassian account user is accessing data belonging to an organization other than your own - i.e. their own Cloud site
• For an external user, the "external user security" flow starts when the external user tries to access a specific Cloud site/org. where "External user security" features have been enabled - the org. audit log should be able to track these events where an user is attempting to authenticate and is an external user

Include audit log triggers and events/actions regarding:

• The authentication method/flow the external user used to authenticate against a specific Cloud site i.e. Atlassian account credentials or social login
• If enforced MFA for external users is configured on the organization - display events relating to MFA auth. attempts on a Cloud site where they are an external user
• When enforced SSO for external users is available(https://www.atlassian.com/wac/roadmap/cloud/enforce-sso-for-external-users-eap?p=0c383c38-90), display events relating to the enforced SSO for external users login flow

Why this is important
As "External User Security" supports MFA and will support enforced SSO for external users, it is important that org. admins have the ability to audit external users' auth. and sign-on activities.