Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Sigma rule (View on GitHub)
1title: Bitbucket User Login Failure
2id: 70ed1d26-0050-4b38-a599-92c53d57d45a
3status: test
4description: |
5 Detects user authentication failure events.
6 Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
7references:
8 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
9author: Muhammad Faisal (@faisalusuf)
10date: 2024-02-25
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.initial-access
15 - attack.defense-evasion
16 - attack.credential-access
17 - attack.t1078.004
18 - attack.t1110
19logsource:
20 product: bitbucket
21 service: audit
22 definition: 'Requirements: "Advance" log level is required to receive these audit events.'
23detection:
24 selection:
25 auditType.category: 'Authentication'
26 auditType.action: 'User login failed'
27 condition: selection
28falsepositives:
29 - Legitimate user wrong password attempts.
30level: medium
References
Related rules
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Potential MFA Bypass Using Legacy Client Authentication
- Sign-in Failure Due to Conditional Access Requirements Not Met