Bitbucket User Login Failure

Feb 26, 2024 · attack.defense_evasion attack.credential_access attack.t1078.004 attack.t1110 ·

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

Sigma rule (View on GitHub)

 1title: Bitbucket User Login Failure
 2id: 70ed1d26-0050-4b38-a599-92c53d57d45a
 3status: experimental
 4description: |
 5    Detects user authentication failure events.
 6    Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.    
 7references:
 8    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 9author: Muhammad Faisal (@faisalusuf)
10date: 2024/02/25
11tags:
12    - attack.defense_evasion
13    - attack.credential_access
14    - attack.t1078.004
15    - attack.t1110
16logsource:
17    product: bitbucket
18    service: audit
19    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
20detection:
21    selection:
22        auditType.category: 'Authentication'
23        auditType.action: 'User login failed'
24    condition: selection
25falsepositives:
26    - Legitimate user wrong password attempts.
27level: medium

References

Audit log events | Bitbucket Data Center 8.19 | Atlassian Documentation

Audit log events

Read More

Bitbucket User Login Failure

Sigma rule (View on GitHub)

References

Audit log events | Bitbucket Data Center 8.19 | Atlassian Documentation

Related rules