Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Note that this rule can be noisy and is best used with correlation on the "author.name" field.
Sigma rule

```yaml
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
    Detects SSH user login access failures.
    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1021.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed(SSH)'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
```
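The following is an added example, not part of the rule page or the Sigma project: it applies the rule's selection to a handful of constructed Bitbucket audit events and then layers on the per-"author.name" correlation the description recommends, so that a burst of SSH login failures for one account surfaces while a single mistyped password does not. The nested JSON shape (`auditType.category`, `auditType.action`, `author.name`, `timestamp`), the sample values and the threshold and window sizes are assumptions for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Selection from the Sigma rule on this page (dotted keys into a nested event).
SELECTION = {
    "auditType.category": "Authentication",
    "auditType.action": "User login failed(SSH)",
}

# Constructed audit events; the nested layout is an assumption for this example.
SAMPLE_LOG = [
    '{"timestamp": "2024-02-25T10:00:00+00:00", "auditType": {"category": "Authentication", "action": "User login failed(SSH)"}, "author": {"name": "svc-build"}}',
    '{"timestamp": "2024-02-25T10:00:20+00:00", "auditType": {"category": "Authentication", "action": "User login failed(SSH)"}, "author": {"name": "svc-build"}}',
    '{"timestamp": "2024-02-25T10:00:45+00:00", "auditType": {"category": "Authentication", "action": "User login failed(SSH)"}, "author": {"name": "svc-build"}}',
    '{"timestamp": "2024-02-25T10:05:00+00:00", "auditType": {"category": "Authentication", "action": "User login failed(SSH)"}, "author": {"name": "alice"}}',
    '{"timestamp": "2024-02-25T10:06:00+00:00", "auditType": {"category": "Authentication", "action": "User login failed"}, "author": {"name": "bob"}}',
    '{"timestamp": "2024-02-25T11:30:00+00:00", "auditType": {"category": "Authentication", "action": "User login failed(SSH)"}, "author": {"name": "svc-build"}}',
]
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG]


def get_field(event, dotted):
    """Resolve a Sigma-style dotted field name against a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when every selection field equals its expected value (Sigma map = AND)."""
    return all(get_field(event, key) == value for key, value in SELECTION.items())


def match_count(events):
    """Number of events the bare rule would fire on (the 'noisy' view)."""
    return sum(1 for ev in events if matches_rule(ev))


def correlate_by_author(events, threshold, window_seconds):
    """Return {author.name: count} for authors with >= threshold matching
    failures inside any sliding window of window_seconds (the correlated view)."""
    per_author = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            name = get_field(ev, "author.name") or "<unknown>"
            per_author[name].append(datetime.fromisoformat(get_field(ev, "timestamp")))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for name, times in per_author.items():
        times.sort()
        best = 0
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside window_seconds.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[name] = best
    return hits


if __name__ == "__main__":
    print("raw rule matches:", match_count(SAMPLE_EVENTS))
    print("3+ failures within 60s:", correlate_by_author(SAMPLE_EVENTS, 3, 60))
    print("3+ failures within 2h:", correlate_by_author(SAMPLE_EVENTS, 3, 7200))
```

With the sample data the bare rule fires five times (the non-SSH failure for "bob" is excluded because the action string differs), while the correlated view reports only "svc-build", whose three failures within a minute match the brute-force pattern the rule's T1110 tag points at; "alice" with one failure stays below the threshold, which is the case the falsepositives entry describes.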
Related rules
- Bitbucket Global SSH Settings Changed
- Bitbucket User Login Failure
- APT31 Judgement Panda Activity
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP