Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.
Sigma rule
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
    Detects SSH user login access failures.
    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1021.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed(SSH)'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium
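The correlation on "author.name" that the description recommends, sketched as an added example (not part of the Sigma rule or the SigmaHQ project): a sliding-window count of matching failures per author, so a single mistyped credential stays quiet and a burst raises one alert. The `epoch` timestamp field, the 10-minute window, the threshold of 5 and the sample events are assumptions made for this example.

```python
from collections import defaultdict, deque

# Assumed tuning values, not taken from the rule: 5 failures within 10 minutes.
WINDOW_SECONDS = 600
THRESHOLD = 5

def matches_rule(event):
    """Same selection as the Sigma rule: both fields must match exactly."""
    audit_type = event.get("auditType", {})
    return (audit_type.get("category") == "Authentication"
            and audit_type.get("action") == "User login failed(SSH)")

def correlate(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per author.name per burst of SSH login failures.

    Each event is a dict with nested auditType/author fields and an 'epoch'
    timestamp in seconds (hypothetical field name used by this example).
    """
    recent = defaultdict(deque)  # author.name -> failure times inside window
    alerting = set()             # authors already alerted for current burst
    alerts = []
    for event in sorted(events, key=lambda e: e["epoch"]):
        if not matches_rule(event):
            continue
        name = event.get("author", {}).get("name", "<unknown>")
        times = recent[name]
        times.append(event["epoch"])
        # Drop failures that have aged out of the sliding window.
        while event["epoch"] - times[0] > window:
            times.popleft()
        if len(times) < threshold:
            alerting.discard(name)   # burst is over, re-arm for this author
        elif name not in alerting:   # suppress repeats within one burst
            alerting.add(name)
            alerts.append({"author.name": name, "count": len(times),
                           "first": times[0], "last": times[-1]})
    return alerts

def _event(name, epoch, action="User login failed(SSH)"):
    return {"auditType": {"category": "Authentication", "action": action},
            "author": {"name": name}, "epoch": epoch}

# Constructed sample: alice mistypes twice an hour apart, svc-build fails six
# times in five minutes, plus one event with a non-matching (made-up) action.
SAMPLE_EVENTS = (
    [_event("alice", 1000), _event("alice", 5000)]
    + [_event("svc-build", 2000 + 60 * i) for i in range(6)]
    + [_event("svc-build", 2100, action="Other action (constructed)")]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only `svc-build` alerts, once, when its fifth failure lands inside the window.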
Related rules
- MSSQL Server Failed Logon From External Network
- Uncommon Outbound Kerberos Connection - Security
- MSSQL Server Failed Logon
- Bitbucket Global SSH Settings Changed
- Bitbucket User Login Failure