Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Sigma rule (View on GitHub)
1title: Bitbucket User Login Failure
2id: 70ed1d26-0050-4b38-a599-92c53d57d45a
3status: experimental
4description: |
5 Detects user authentication failure events.
6 Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
7references:
8 - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
9author: Muhammad Faisal (@faisalusuf)
10date: 2024/02/25
11tags:
12 - attack.defense_evasion
13 - attack.credential_access
14 - attack.t1078.004
15 - attack.t1110
16logsource:
17 product: bitbucket
18 service: audit
19 definition: 'Requirements: "Advance" log level is required to receive these audit events.'
20detection:
21 selection:
22 auditType.category: 'Authentication'
23 auditType.action: 'User login failed'
24 condition: selection
25falsepositives:
26 - Legitimate user wrong password attempts.
27level: medium
References
Related rules
- Potential MFA Bypass Using Legacy Client Authentication
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures
- Juniper BGP Missing MD5