Merge PR #4737 from @faisalusuf - Add New Bitbucket Related Rules

new: Bitbucket Full Data Export Triggered
new: Bitbucket Global Permission Changed
new: Bitbucket Global Secret Scanning Rule Deleted
new: Bitbucket Global SSH Settings Changed
new: Bitbucket Audit Log Configuration Updated
new: Bitbucket Project Secret Scanning Allowlist Added
new: Bitbucket Secret Scanning Exempt Repository Added
new: Bitbucket Secret Scanning Rule Deleted
new: Bitbucket Unauthorized Access To A Resource
new: Bitbucket Unauthorized Full Data Export Triggered
new: Bitbucket User Details Export Attempt Detected
new: Bitbucket User Login Failure
new: Bitbucket User Login Failure Via SSH
new: Bitbucket User Permissions Export Attempt 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/cloud/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml

@@ -0,0 +1,24 @@
+title: Bitbucket Full Data Export Triggered
+id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
+status: experimental
+description: Detects when full data export is attempted.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.collection
+    - attack.t1213.003
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Data pipeline'
+        auditType.action: 'Full data export triggered'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: high

rules/cloud/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml

@@ -0,0 +1,29 @@
+title: Bitbucket Global Permission Changed
+id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310
+status: experimental
+description: Detects global permissions change activity.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1098
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Permissions'
+        auditType.action:
+            - 'Global permission remove request'
+            - 'Global permission removed'
+            - 'Global permission granted'
+            - 'Global permission requested'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml

@@ -0,0 +1,24 @@
+title: Bitbucket Global Secret Scanning Rule Deleted
+id: e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05
+status: experimental
+description: Detects Bitbucket global secret scanning rule deletion activity.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Global administration'
+        auditType.action: 'Global secret scanning rule deleted'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml

@@ -0,0 +1,26 @@
+title: Bitbucket Global SSH Settings Changed
+id: 16ab6143-510a-44e2-a615-bdb80b8317fc
+status: experimental
+description: Detects Bitbucket global SSH access configuration changes.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.lateral_movement
+    - attack.defense_evasion
+    - attack.t1562.001
+    - attack.t1021.004
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Global administration'
+        auditType.action: 'SSH settings changed'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml

@@ -0,0 +1,23 @@
+title: Bitbucket Audit Log Configuration Updated
+id: 6aa12161-235a-4dfb-9c74-fe08df8d8da1
+status: experimental
+description: Detects changes to the bitbucket audit log configuration.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Auditing'
+        auditType.action: 'Audit log configuration updated'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml

@@ -0,0 +1,24 @@
+title: Bitbucket Project Secret Scanning Allowlist Added
+id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30
+status: experimental
+description: Detects when a secret scanning allowlist rule is added for projects.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Projects'
+        auditType.action: 'Project secret scanning allowlist rule added'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: low

rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml

@@ -0,0 +1,24 @@
+title: Bitbucket Secret Scanning Exempt Repository Added
+id: b91e8d5e-0033-44fe-973f-b730316f23a1
+status: experimental
+description: Detects when a repository is exempted from secret scanning feature.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Repositories'
+        auditType.action: 'Secret scanning exempt repository added'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: high

rules/cloud/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml

@@ -0,0 +1,28 @@
+title: Bitbucket Secret Scanning Rule Deleted
+id: ff91e3f0-ad15-459f-9a85-1556390c138d
+status: experimental
+description: Detects when secret scanning rule is deleted for the project or repository.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category:
+            - 'Projects'
+            - 'Repositories'
+        auditType.action:
+            - 'Project secret scanning rule deleted'
+            - 'Repository secret scanning rule deleted'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: low

rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml

@@ -0,0 +1,23 @@
+title: Bitbucket Unauthorized Access To A Resource
+id: 7215374a-de4f-4b33-8ba5-70804c9251d3
+status: experimental
+description: Detects unauthorized access attempts to a resource.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.resource_development
+    - attack.t1586
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Security'
+        auditType.action: 'Unauthorized access to a resource'
+    condition: selection
+falsepositives:
+    - Access attempts to non-existent repositories or due to outdated plugins. Usually "Anonymous" user is reported in the "author.name" field in most cases.
+level: critical

rules/cloud/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml

@@ -0,0 +1,26 @@
+title: Bitbucket Unauthorized Full Data Export Triggered
+id: 34d81081-03c9-4a7f-91c9-5e46af625cde
+status: experimental
+description: Detects when full data export is attempted an unauthorized user.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.collection
+    - attack.resource_development
+    - attack.t1213.003
+    - attack.t1586
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Data pipeline'
+        auditType.action: 'Unauthorized full data export triggered'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical

rules/cloud/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml

@@ -0,0 +1,31 @@
+title: Bitbucket User Details Export Attempt Detected
+id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
+status: experimental
+description: Detects user data export activity.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.collection
+    - attack.reconnaissance
+    - attack.discovery
+    - attack.t1213
+    - attack.t1082
+    - attack.t1591.004
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Users and groups'
+        auditType.action:
+            - 'User permissions export failed'
+            - 'User permissions export started'
+            - 'User permissions exported'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml

@@ -0,0 +1,27 @@
+title: Bitbucket User Login Failure
+id: 70ed1d26-0050-4b38-a599-92c53d57d45a
+status: experimental
+description: |
+    Detects user authentication failure events.
+    Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.defense_evasion
+    - attack.credential_access
+    - attack.t1078.004
+    - attack.t1110
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Authentication'
+        auditType.action: 'User login failed'
+    condition: selection
+falsepositives:
+    - Legitimate user wrong password attempts.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml

@@ -0,0 +1,26 @@
+title: Bitbucket User Login Failure Via SSH
+id: d3f90469-fb05-42ce-b67d-0fded91bbef3
+status: experimental
+description: |
+    Detects SSH user login access failures.
+    Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
+    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.t1021.004
+    - attack.t1110
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Authentication'
+        auditType.action: 'User login failed(SSH)'
+    condition: selection
+falsepositives:
+    - Legitimate user wrong password attempts.
+level: medium

rules/cloud/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml

@@ -0,0 +1,29 @@
+title: Bitbucket User Permissions Export Attempt
+id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
+status: experimental
+description: Detects user permission data export attempt.
+references:
+    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
+    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/02/25
+tags:
+    - attack.reconnaissance
+    - attack.t1213
+    - attack.t1082
+    - attack.t1591.004
+logsource:
+    product: bitbucket
+    service: audit
+    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
+detection:
+    selection:
+        auditType.category: 'Users and groups'
+        auditType.action:
+            - 'User details export failed'
+            - 'User details export started'
+            - 'User details exported'
+    condition: selection
+falsepositives:
+    - Legitimate user activity.
+level: medium

tests/logsource.json

@@ -311,6 +311,14 @@
                 "audit":[]
             }
         },
+        "bitbucket":{
+            "commun": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "audit":[]
+            }
+        },
         "m365":{
             "commun": [],
             "empty": [],