Guard Detect space export alerts sometimes list Confluence as the actor instead of the triggering user


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Component/s: Threat Detection
    • Severity 3 - Minor

      Expected Behaviour

      Space Export alerts in Guard Detect should always list the triggering user as the actor. The correct user is available in the confluence_export_space_download audit event.

      Actual Behaviour

      Space Export alerts in Guard Detect sometimes list Confluence as the actor instead of the user who triggered the export.

      Root Cause

      This is likely related to a bug in Confluence audit logging (see CONFCLOUD-84551) where the following space export audit events inconsistently record the actor:

      • confluence_audit_record_space_exported — always lists Confluence as the actor
      • confluence_async_export_finished — inconsistently lists Confluence or the requesting user
      • confluence_export_space_download — inconsistently lists Confluence or the requesting user

      Guard Detect space export alerts appear to be sourcing the actor from an event that does not consistently contain the correct user.

      Impact

      Security alerts for space exports may show an incorrect actor, making it difficult for admins to identify who triggered a potentially sensitive export action.
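
One way to work around this during triage, added here as an example and not code from Atlassian or the reporter: group the three space export audit events named in this ticket per space, and take the actor from whichever event in the group recorded a user. The record fields (`action`, `actor`, `space_key`, `time`), the 30-minute window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Event names come from the ticket. The record fields (action, actor,
# space_key, time) and the 30-minute window are assumptions for illustration.
EXPORT_ACTIONS = {
    "confluence_audit_record_space_exported",
    "confluence_async_export_finished",
    "confluence_export_space_download",
}
SYSTEM_ACTOR = "Confluence"
WINDOW = timedelta(minutes=30)


def resolve_export_actors(records):
    """Cluster export events per space and collect the non-system actors."""
    events = sorted(
        (r for r in records if r["action"] in EXPORT_ACTIONS),
        key=lambda r: (r["space_key"], r["time"]),
    )
    clusters = []
    for ev in events:
        last = clusters[-1] if clusters else None
        if not (last and last["space_key"] == ev["space_key"]
                and ev["time"] - last["end"] <= WINDOW):
            last = {"space_key": ev["space_key"], "start": ev["time"], "actors": set()}
            clusters.append(last)
        last["end"] = ev["time"]
        if ev["actor"] != SYSTEM_ACTOR:
            last["actors"].add(ev["actor"])
    for c in clusters:
        # No user in any event: leave unresolved rather than guess.
        # More than one user: overlapping exports, needs manual review.
        c["status"] = {0: "unresolved", 1: "resolved"}.get(len(c["actors"]), "ambiguous")
    return clusters


def ts(value):
    return datetime.fromisoformat(value)


# Constructed sample records, not real audit log output.
SAMPLE = [
    {"action": "confluence_audit_record_space_exported", "actor": "Confluence", "space_key": "FIN", "time": ts("2024-01-10T09:00:00")},
    {"action": "confluence_async_export_finished", "actor": "Confluence", "space_key": "FIN", "time": ts("2024-01-10T09:02:00")},
    {"action": "confluence_export_space_download", "actor": "alice", "space_key": "FIN", "time": ts("2024-01-10T09:05:00")},
    {"action": "confluence_audit_record_space_exported", "actor": "Confluence", "space_key": "HR", "time": ts("2024-01-10T11:00:00")},
    {"action": "confluence_async_export_finished", "actor": "Confluence", "space_key": "HR", "time": ts("2024-01-10T11:03:00")},
]
```

A cluster marked `unresolved` means every related event recorded Confluence as the actor, so the user has to be identified from another source.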

              Assignee: Unassigned
              Reporter: Andrew Delaney