sigmamediumHunting

Bitbucket User Login Failure

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

MITRE ATT&CK

T1078.004 T1110

privilege-escalationpersistenceinitial-accessdefense-evasioncredential-access

Detection Query

selection:
  auditType.category: Authentication
  auditType.action: User login failed
condition: selection

Author

Muhammad Faisal (@faisalusuf)

Created

2024-02-25

Data Sources

bitbucketaudit

Platforms

bitbucket

References

https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html

Tags

attack.privilege-escalationattack.persistenceattack.initial-accessattack.defense-evasionattack.credential-accessattack.t1078.004attack.t1110

Raw Content

title: Bitbucket User Login Failure
id: 70ed1d26-0050-4b38-a599-92c53d57d45a
status: test
description: |
    Detects user authentication failure events.
    Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.defense-evasion
    - attack.credential-access
    - attack.t1078.004
    - attack.t1110
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Authentication'
        auditType.action: 'User login failed'
    condition: selection
falsepositives:
    - Legitimate user wrong password attempts.
level: medium