Detectionmediumtest

Bitbucket Global Permission Changed

Detects global permissions change activity.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Muhammad FaisalCreated Sun Feb 25aac6c4f4-87c7-4961-96ac-c3fd3a42c310application

Log Source

bitbucketaudit

Productbitbucket← raw: bitbucket

Serviceaudit← raw: audit

Definition

Requirements: "Advance" log level is required to receive these audit events.

Detection Logic

detection:
    selection:
        auditType.category: 'Permissions'
        auditType.action:
            - 'Global permission remove request'
            - 'Global permission removed'
            - 'Global permission granted'
            - 'Global permission requested'
    condition: selection

False Positives

Legitimate user activity.

References

Resolving title…

confluence.atlassian.com

Resolving title…

confluence.atlassian.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1098 · Account Manipulation