
Summary
This detection rule identifies attempts to export user data from Bitbucket. It matches audit events logged under the 'Users and groups' category and covers three audit actions: an unsuccessful attempt to export user permissions, the initiation of an export action, and a successful export of user permissions. Bitbucket must be configured with the 'Advanced' audit log level, otherwise these events are not written and the rule has nothing to match. Alerts from this rule can surface unauthorized access to, or exfiltration of, user account information. Because routine administrative exports produce exactly the same events, matches from legitimate user activity are expected false positives and need triage (who exported, from where, and whether a change ticket or admin task explains it) to keep alert fatigue down.
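As an added illustration of the rule logic, not part of the original rule or of Bitbucket's own tooling, the following Python script runs the same matching over a few constructed JSON audit records. The field paths (`auditType.category`, `auditType.action`, `author.name`, `source`, `timestamp`) are modelled on the Bitbucket Data Center JSON audit log but are assumptions here, and the three action strings are assumed spellings of the actions the summary names; map them to the schema your Bitbucket instance actually emits. The per-actor count at the end is the triage aid the summary calls for: a burst of exports from one account stands out from a single scheduled admin export.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed field values (see lead-in): adjust to your ingested log schema.
RULE_CATEGORY = "Users and groups"
RULE_ACTIONS = {
    "unsuccessful user permissions export",
    "user permissions export action initiated",
    "user permissions export successful",
}


@dataclass
class Finding:
    timestamp: str
    actor: str
    source: str
    action: str


def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one JSON audit record; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def matches_rule(rec: dict) -> bool:
    """True when the record is a 'Users and groups' event with one of the export actions."""
    audit_type = rec.get("auditType") or {}
    category = str(audit_type.get("category", ""))
    action = str(audit_type.get("action", "")).strip().lower()
    return category == RULE_CATEGORY and action in RULE_ACTIONS


def detect_user_exports(lines: Iterable[str]) -> List[Finding]:
    """Apply the rule to a stream of audit log lines and collect the matches."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or not matches_rule(rec):
            continue
        findings.append(Finding(
            timestamp=str(rec.get("timestamp", "")),
            actor=str((rec.get("author") or {}).get("name", "unknown")),
            source=str(rec.get("source", "")),
            action=str(rec["auditType"]["action"]),
        ))
    return findings


def exports_by_actor(findings: Iterable[Finding]) -> Dict[str, int]:
    """Triage helper: number of matched export events per actor."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.actor] = counts.get(f.actor, 0) + 1
    return counts


# Constructed sample records (not real log data). Two should match, the
# 'User created' event and the event outside the rule's category should not,
# and the malformed line must be skipped rather than crash the detector.
SAMPLE_LOG = [
    '{"timestamp":"2024-02-25T09:12:01Z","auditType":{"category":"Users and groups",'
    '"action":"User permissions export action initiated"},"author":{"name":"alice"},'
    '"source":"10.0.0.5"}',
    '{"timestamp":"2024-02-25T09:12:02Z","auditType":{"category":"Users and groups",'
    '"action":"User created"},"author":{"name":"alice"},"source":"10.0.0.5"}',
    '{"timestamp":"2024-02-25T09:15:40Z","auditType":{"category":"Permissions",'
    '"action":"Project permissions exported"},"author":{"name":"bob"},"source":"10.0.0.9"}',
    'not json at all',
    '{"timestamp":"2024-02-25T09:16:03Z","auditType":{"category":"Users and groups",'
    '"action":"Unsuccessful user permissions export"},"author":{"name":"mallory"},'
    '"source":"203.0.113.7"}',
]

if __name__ == "__main__":
    hits = detect_user_exports(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.actor}@{h.source}: {h.action}")
    print("per-actor counts:", exports_by_actor(hits))
```

Run it as a script to see the two matches printed with their actor and source, or import it and feed `detect_user_exports` your own exported audit log lines.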
Categories
- Cloud
- Application
Data Sources
- Application Log
- User Account
Created: 2024-02-25