Bitbucket User Login Failure Via SSH

Feb 26, 2024 · attack.t1021.004 attack.t1110 ·

Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.

Sigma rule (View on GitHub)

 1title: Bitbucket User Login Failure Via SSH
 2id: d3f90469-fb05-42ce-b67d-0fded91bbef3
 3status: experimental
 4description: |
 5    Detects SSH user login access failures.
 6    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.    
 7references:
 8    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
 9    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
10author: Muhammad Faisal (@faisalusuf)
11date: 2024/02/25
12tags:
13    - attack.t1021.004
14    - attack.t1110
15logsource:
16    product: bitbucket
17    service: audit
18    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
19detection:
20    selection:
21        auditType.category: 'Authentication'
22        auditType.action: 'User login failed(SSH)'
23    condition: selection
24falsepositives:
25    - Legitimate user wrong password attempts.
26level: medium

References

View and configure the audit log | Bitbucket Data Center 8.19 | Atlassian Documentation

View and configure the audit log

Read More
Enable SSH access to Git repositories | Bitbucket Data Center 8.19 | Atlassian Documentation

Enable SSH access to Git repositories

Read More

Bitbucket User Login Failure Via SSH

Sigma rule (View on GitHub)

References

View and configure the audit log | Bitbucket Data Center 8.19 | Atlassian Documentation

Enable SSH access to Git repositories | Bitbucket Data Center 8.19 | Atlassian Documentation

Related rules