Bitbucket Global SSH Settings Changed

 1title: Bitbucket Global SSH Settings Changed
 2id: 16ab6143-510a-44e2-a615-bdb80b8317fc
 3status: experimental
 4description: Detects Bitbucket global SSH access configuration changes.
 5references:
 6    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 7    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
 8author: Muhammad Faisal (@faisalusuf)
 9date: 2024-02-25
10tags:
11    - attack.lateral-movement
12    - attack.defense-evasion
13    - attack.t1562.001
14    - attack.t1021.004
15logsource:
16    product: bitbucket
17    service: audit
18    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
19detection:
20    selection:
21        auditType.category: 'Global administration'
22        auditType.action: 'SSH settings changed'
23    condition: selection
24falsepositives:
25    - Legitimate user activity.
26level: medium

References

• Audit log events | Bitbucket Data Center 9.3 | Atlassian Documentation

  Audit log events

  
  Read More

• Enable SSH access to Git repositories | Bitbucket Data Center 9.3 | Atlassian Documentation

  Enable SSH access to Git repositories

  
  Read More

Related rules

• AMSI Bypass Pattern Assembly GetType
• AWS CloudTrail Important Change
• AWS Config Disabling Channel/Recorder
• AWS GuardDuty Important Change
• Add SafeBoot Keys Via Reg Utility