Bitbucket User Permissions Export Attempt

 1title: Bitbucket User Permissions Export Attempt
 2id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
 3status: test
 4description: Detects user permission data export attempt.
 5references:
 6    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 7    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
 8author: Muhammad Faisal (@faisalusuf)
 9date: 2024-02-25
10tags:
11    - attack.reconnaissance
12    - attack.collection
13    - attack.discovery
14    - attack.t1213
15    - attack.t1082
16    - attack.t1591.004
17logsource:
18    product: bitbucket
19    service: audit
20    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
21detection:
22    selection:
23        auditType.category: 'Users and groups'
24        auditType.action:
25            - 'User details export failed'
26            - 'User details export started'
27            - 'User details exported'
28    condition: selection
29falsepositives:
30    - Legitimate user activity.
31level: medium

References

• Audit log events | Bitbucket Data Center 9.6 | Atlassian Documentation

  Audit log events

  
  Read More

• Users and groups | Bitbucket Data Center 9.6 | Atlassian Documentation

  Users and groups

  
  Read More

Related rules

• Bitbucket User Details Export Attempt Detected
• HackTool - winPEAS Execution
• Potential Product Class Reconnaissance Via Wmic.EXE
• System Information Discovery Via Sysctl - MacOS
• Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock