Bitbucket User Details Export Attempt Detected

Aug 12, 2024 · attack.collection attack.reconnaissance attack.discovery attack.t1213 attack.t1082 attack.t1591.004 ·

Detects user data export activity.

Sigma rule (View on GitHub)

 1title: Bitbucket User Details Export Attempt Detected
 2id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
 3status: experimental
 4description: Detects user data export activity.
 5references:
 6    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 7    - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
 8author: Muhammad Faisal (@faisalusuf)
 9date: 2024-02-25
10tags:
11    - attack.collection
12    - attack.reconnaissance
13    - attack.discovery
14    - attack.t1213
15    - attack.t1082
16    - attack.t1591.004
17logsource:
18    product: bitbucket
19    service: audit
20    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
21detection:
22    selection:
23        auditType.category: 'Users and groups'
24        auditType.action:
25            - 'User permissions export failed'
26            - 'User permissions export started'
27            - 'User permissions exported'
28    condition: selection
29falsepositives:
30    - Legitimate user activity.
31level: medium

References

Audit log events | Bitbucket Data Center 9.3 | Atlassian Documentation

Audit log events

Read More
Export user accounts | Atlassian Support

Get lists of your Atlassian Jira, Confluence, and Bitbucket site users and managed accounts by exporting a CSV file.

Read More

Bitbucket User Details Export Attempt Detected

Sigma rule (View on GitHub)

References

Audit log events | Bitbucket Data Center 9.3 | Atlassian Documentation

Export user accounts | Atlassian Support

Related rules