LoFP / legitimate user activity.

Techniques

• t1021
• t1021.004
• t1082
• t1098
• t1213
• t1213.003
• t1562
• t1562.001
• t1591
• t1591.004

Sample rules

Bitbucket Global SSH Settings Changed

• source: sigma
• technicques:
  • t1021
  • t1021.004
  • t1562
  • t1562.001

Description

Detects Bitbucket global SSH access configuration changes.

Detection logic

condition: selection
selection:
  auditType.action: SSH settings changed
  auditType.category: Global administration

Bitbucket Full Data Export Triggered

• source: sigma
• technicques:
  • t1213
  • t1213.003

Description

Detects when full data export is attempted.

Detection logic

condition: selection
selection:
  auditType.action: Full data export triggered
  auditType.category: Data pipeline

Bitbucket User Details Export Attempt Detected

• source: sigma
• technicques:
  • t1082
  • t1213
  • t1591
  • t1591.004

Description

Detects user data export activity.

Detection logic

condition: selection
selection:
  auditType.action:
  - User permissions export failed
  - User permissions export started
  - User permissions exported
  auditType.category: Users and groups

Bitbucket Global Secret Scanning Rule Deleted

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects Bitbucket global secret scanning rule deletion activity.

Detection logic

condition: selection
selection:
  auditType.action: Global secret scanning rule deleted
  auditType.category: Global administration

Bitbucket Audit Log Configuration Updated

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects changes to the bitbucket audit log configuration.

Detection logic

condition: selection
selection:
  auditType.action: Audit log configuration updated
  auditType.category: Auditing

Bitbucket Secret Scanning Rule Deleted

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects when secret scanning rule is deleted for the project or repository.

Detection logic

condition: selection
selection:
  auditType.action:
  - Project secret scanning rule deleted
  - Repository secret scanning rule deleted
  auditType.category:
  - Projects
  - Repositories

Bitbucket Secret Scanning Exempt Repository Added

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects when a repository is exempted from secret scanning feature.

Detection logic

condition: selection
selection:
  auditType.action: Secret scanning exempt repository added
  auditType.category: Repositories

Bitbucket User Permissions Export Attempt

• source: sigma
• technicques:
  • t1082
  • t1213
  • t1591
  • t1591.004

Description

Detects user permission data export attempt.

Detection logic

condition: selection
selection:
  auditType.action:
  - User details export failed
  - User details export started
  - User details exported
  auditType.category: Users and groups

Bitbucket Global Permission Changed

• source: sigma
• technicques:
  • t1098

Description

Detects global permissions change activity.

Detection logic

condition: selection
selection:
  auditType.action:
  - Global permission remove request
  - Global permission removed
  - Global permission granted
  - Global permission requested
  auditType.category: Permissions

Bitbucket Project Secret Scanning Allowlist Added

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects when a secret scanning allowlist rule is added for projects.

Detection logic

condition: selection
selection:
  auditType.action: Project secret scanning allowlist rule added
  auditType.category: Projects