Detectionmediumtest
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
bitbucketaudit
Productbitbucket← raw: bitbucket
Serviceaudit← raw: audit
Definition
Requirements: "Advance" log level is required to receive these audit events.
Detection Logic
Detection Logic1 selector
detection:
selection:
auditType.category: 'Users and groups'
auditType.action:
- 'User details export failed'
- 'User details export started'
- 'User details exported'
condition: selectionFalse Positives
Legitimate user activity.
MITRE ATT&CK
Rule Metadata
Rule ID
87cc6698-3e07-4ba2-9b43-a85a73e151e2
Status
test
Level
medium
Type
Detection
Created
Sun Feb 25
Author
Path
rules/application/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml
Raw Tags
attack.reconnaissanceattack.collectionattack.discoveryattack.t1213attack.t1082attack.t1591.004