Detectioncriticaltest

Bitbucket Unauthorized Full Data Export Triggered

Detects when full data export is attempted an unauthorized user.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Muhammad FaisalCreated Sun Feb 2534d81081-03c9-4a7f-91c9-5e46af625cdeapplication

Log Source

bitbucketaudit

Productbitbucket← raw: bitbucket

Serviceaudit← raw: audit

Definition

Requirements: "Advance" log level is required to receive these audit events.

Detection Logic

detection:
    selection:
        auditType.category: 'Data pipeline'
        auditType.action: 'Unauthorized full data export triggered'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

confluence.atlassian.com

Resolving title…

confluence.atlassian.com

MITRE ATT&CK

Tactics

TA0009 · Collection TA0042 · Resource Development

Techniques

T1586 · Compromise Accounts

Sub-techniques

T1213.003 · Code Repositories

Rule Metadata

Rule ID

34d81081-03c9-4a7f-91c9-5e46af625cde

Status

test

Level

critical

Type

Detection

Created

Sun Feb 25

Author

Muhammad Faisal

Path

rules/application/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml

Raw Tags

attack.collectionattack.resource-developmentattack.t1213.003attack.t1586

View on GitHub