Bitbucket Global Permission Changed

 1title: Bitbucket Global Permission Changed
 2id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310
 3status: experimental
 4description: Detects global permissions change activity.
 5references:
 6    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 7    - https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html
 8author: Muhammad Faisal (@faisalusuf)
 9date: 2024-02-25
10tags:
11    - attack.persistence
12    - attack.privilege-escalation
13    - attack.t1098
14logsource:
15    product: bitbucket
16    service: audit
17    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
18detection:
19    selection:
20        auditType.category: 'Permissions'
21        auditType.action:
22            - 'Global permission remove request'
23            - 'Global permission removed'
24            - 'Global permission granted'
25            - 'Global permission requested'
26    condition: selection
27falsepositives:
28    - Legitimate user activity.
29level: medium

References

• Audit log events | Bitbucket Data Center 9.3 | Atlassian Documentation

  Audit log events

  
  Read More

• Global permissions | Bitbucket Data Center 9.3 | Atlassian Documentation

  Global permissions

  
  Read More

Related rules

• GCP Access Policy Deleted
• User Added to Local Administrator Group
• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group
• A New Trust Was Created To A Domain