Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.
Sigma rule (View on GitHub)
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
    Detects SSH user login access failures.
    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1021.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed(SSH)'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
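The correlation on "author.name" that the description recommends can be sketched as follows. This is an added example, not part of the Sigma rule or its project; the threshold, the window, the ISO-formatted `timestamp` field and the nested event shape are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the rule itself sets no threshold or window.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)

def matches_selection(event):
    """The rule's selection: both auditType fields must match exactly."""
    audit_type = event.get("auditType", {})
    return (audit_type.get("category") == "Authentication"
            and audit_type.get("action") == "User login failed(SSH)")

def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Return {author.name: time of first alert} for accounts with at least
    `threshold` matching failures inside any sliding `window`."""
    recent = defaultdict(deque)  # author.name -> timestamps still in the window
    alerts = {}
    for event in sorted(events, key=lambda e: e["timestamp"]):
        if not matches_selection(event):
            continue
        # Events without author.name are grouped under a sentinel, not dropped.
        name = (event.get("author") or {}).get("name") or "<unknown>"
        ts = datetime.fromisoformat(event["timestamp"])  # assumed field/format
        seen = recent[name]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold and name not in alerts:
            alerts[name] = ts
    return alerts

def _event(name, ts, action="User login failed(SSH)"):
    return {"auditType": {"category": "Authentication", "action": action},
            "author": {"name": name}, "timestamp": ts}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = (
    # alice: two failures an hour apart, stays below the threshold
    [_event("alice", "2024-02-25T09:00:00"), _event("alice", "2024-02-25T10:00:00")]
    # svc-build: six failures in one minute, alert fires on the fifth
    + [_event("svc-build", f"2024-02-25T11:00:{s:02d}") for s in range(0, 60, 10)]
    # bob: five events with a constructed non-matching action, never selected
    + [_event("bob", f"2024-02-25T12:00:0{s}", action="Other action (constructed)")
       for s in range(5)]
)

if __name__ == "__main__":
    for name, ts in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {name}: >= {THRESHOLD} SSH login failures within {WINDOW} at {ts}")
```

Grouping by "author.name" keeps isolated wrong-password attempts (the listed false positive) below the alerting line while repeated failures against one account still surface.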
Related rules
- MSSQL Server Failed Logon From External Network
- Uncommon Outbound Kerberos Connection - Security
- MSSQL Server Failed Logon
- Bitbucket Global SSH Settings Changed
- Register new Logon Process by Rubeus