Bitbucket User Permissions Export Attempt

Feb 26, 2024 · attack.reconnaissance attack.t1213 attack.t1082 attack.t1591.004 ·

Detects user permission data export attempt.

Sigma rule (View on GitHub)

 1title: Bitbucket User Permissions Export Attempt
 2id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
 3status: experimental
 4description: Detects user permission data export attempt.
 5references:
 6    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
 7    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
 8author: Muhammad Faisal (@faisalusuf)
 9date: 2024/02/25
10tags:
11    - attack.reconnaissance
12    - attack.t1213
13    - attack.t1082
14    - attack.t1591.004
15logsource:
16    product: bitbucket
17    service: audit
18    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
19detection:
20    selection:
21        auditType.category: 'Users and groups'
22        auditType.action:
23            - 'User details export failed'
24            - 'User details export started'
25            - 'User details exported'
26    condition: selection
27falsepositives:
28    - Legitimate user activity.
29level: medium

References

Audit log events | Bitbucket Data Center 8.19 | Atlassian Documentation

Audit log events

Read More
Users and groups | Bitbucket Data Center 8.19 | Atlassian Documentation

Users and groups

Read More

Bitbucket User Permissions Export Attempt

Sigma rule (View on GitHub)

References

Audit log events | Bitbucket Data Center 8.19 | Atlassian Documentation

Users and groups | Bitbucket Data Center 8.19 | Atlassian Documentation

Related rules