Bitbucket Global Permission Changed
Detects global permissions change activity.
Sigma rule (View on GitHub)
1title: Bitbucket Global Permission Changed
2id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310
3status: experimental
4description: Detects global permissions change activity.
5references:
6 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
7 - https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html
8author: Muhammad Faisal (@faisalusuf)
9date: 2024-02-25
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1098
14logsource:
15 product: bitbucket
16 service: audit
17 definition: 'Requirements: "Advance" log level is required to receive these audit events.'
18detection:
19 selection:
20 auditType.category: 'Permissions'
21 auditType.action:
22 - 'Global permission remove request'
23 - 'Global permission removed'
24 - 'Global permission granted'
25 - 'Global permission requested'
26 condition: selection
27falsepositives:
28 - Legitimate user activity.
29level: medium
References
Related rules
- User Added to Local Administrator Group
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted