Detectionmediumtest

Bitbucket User Details Export Attempt Detected

Detects user data export activity.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Muhammad FaisalCreated Sun Feb 255259cbf2-0a75-48bf-b57a-c54d6fabaef3application

Log Source

bitbucketaudit

Productbitbucket← raw: bitbucket

Serviceaudit← raw: audit

Definition

Requirements: "Advance" log level is required to receive these audit events.

Detection Logic

detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User permissions export failed'
            - 'User permissions export started'
            - 'User permissions exported'
    condition: selection

False Positives

Legitimate user activity.

References

Resolving title…

confluence.atlassian.com

Resolving title…

support.atlassian.com

MITRE ATT&CK

Tactics

TA0009 · Collection TA0043 · Reconnaissance TA0007 · Discovery

Techniques

T1213 · Data from Information Repositories T1082 · System Information Discovery