T1213.001

Confluence

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion.

Microsoft Sentinel / Defender

kusto

let BulkAccessThreshold = 40;
let SensitiveSearchTerms = dynamic([
  "password", "passwd", "credential", "secret", "api key", "apikey",
  "token", "vpn", "ssh", "private key", "aws", "azure", "gcp",
  "database password", "db pass", "connection string", "bearer",
  "service account", "ldap", "kerberos", "access key"
]);
// Detect bulk Confluence access and credential hunting via Microsoft Defender for Cloud Apps
CloudAppEvents
| where Timestamp > ago(24h)
| where AppName has_any ("Confluence", "Atlassian")
| where ActionType in~ (
    "PageViewed", "ContentViewed", "SpaceViewed",
    "AttachmentDownloaded", "ContentExported", "SpaceExported",
    "PagePrinted", "SearchPerformed",
    "page_viewed", "space_viewed", "content_exported",
    "attachment_downloaded", "search_performed"
  )
| extend SearchQuery = tostring(RawEventData.searchQuery)
| extend SpaceKey = tostring(RawEventData.spaceKey)
| extend PageTitle = coalesce(tostring(ObjectName), tostring(RawEventData.pageTitle))
| extend IsSensitiveSearch = (SearchQuery has_any (SensitiveSearchTerms))
| summarize
    TotalActions = count(),
    UniquePages = dcount(PageTitle),
    UniqueSpaces = dcount(SpaceKey),
    SensitiveSearchCount = countif(IsSensitiveSearch == true),
    ExportCount = countif(ActionType in~ ("ContentExported", "SpaceExported", "PagePrinted", "content_exported", "space_exported")),
    DownloadCount = countif(ActionType in~ ("AttachmentDownloaded", "attachment_downloaded")),
    ActionTypes = make_set(ActionType, 8),
    SampleTitles = make_set(PageTitle, 10),
    SensitiveTermsFound = make_set(SearchQuery, 5),
    FirstActivity = min(Timestamp),
    LastActivity = max(Timestamp)
    by AccountObjectId, AccountDisplayName, IPAddress, UserAgent
| where TotalActions > BulkAccessThreshold
    or SensitiveSearchCount > 0
    or ExportCount > 5
    or (UniqueSpaces > 5 and TotalActions > 20)
| extend DurationMinutes = max_of(datetime_diff('minute', LastActivity, FirstActivity), 1)
| extend AccessRatePerMinute = round(toreal(TotalActions) / DurationMinutes, 2)
| extend ThreatIndicator = case(
    AccessRatePerMinute > 10, "Automated scraping detected — exceeds 10 pages/min",
    SensitiveSearchCount > 0, "Credential/secret hunting via search queries",
    ExportCount > 5, "Bulk content export activity",
    UniqueSpaces > 10, "Multi-space enumeration pattern",
    TotalActions > 100, "High-volume bulk access",
    "Elevated Confluence access above threshold")
| project
    Timestamp = FirstActivity,
    AccountDisplayName,
    AccountObjectId,
    IPAddress,
    UserAgent,
    TotalActions,
    UniquePages,
    UniqueSpaces,
    SensitiveSearchCount,
    SensitiveTermsFound,
    ExportCount,
    DownloadCount,
    AccessRatePerMinute,
    ThreatIndicator,
    ActionTypes,
    SampleTitles,
    LastActivity
| sort by TotalActions desc

medium severity medium confidence

Data Sources

Application Log: Application Log Content Microsoft Defender for Cloud Apps Atlassian Confluence Audit Log

Required Tables

CloudAppEvents

False Positives

Content migration projects or Confluence-to-Confluence migrations where automation accesses all pages systematically with high volume and speed
Documentation teams or technical writers conducting content audits, broken link validation, or space-wide inventories across multiple spaces
Enterprise search indexing crawlers (Elasticsearch, Algolia connectors) that periodically ingest Confluence content for full-text search
New employees or contractors onboarding who rapidly read many documentation pages in their first week
Automated backup and archival tools performing scheduled full-space exports on a recurring basis
Developer tooling integrations (IDE plugins, CI/CD pipeline documentation steps) that programmatically read Confluence pages

Splunk

spl

index=atlassian sourcetype="atlassian:confluence:audit"
| eval event_type=lower(coalesce(type, eventType, action, "unknown"))
| eval username=coalesce(author, 'author.publicName', username, user, "unknown")
| eval remote_ip=coalesce(remoteAddress, remote_address, src_ip, "-")
| eval page_title=coalesce('content.title', pageTitle, title, "-")
| eval space_key=coalesce('space.key', spaceKey, space, "-")
| eval search_query=lower(coalesce(searchQuery, query, "-"))
| eval is_view=if(match(event_type, "(view|viewed|read)"), 1, 0)
| eval is_search=if(match(event_type, "search"), 1, 0)
| eval is_export=if(match(event_type, "(export|print|pdf|download)"), 1, 0)
| eval is_sensitive_search=if(
    is_search=1 AND match(search_query,
    "(password|passwd|credential|secret|api.?key|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key)"),
    1, 0)
| bucket _time span=1h
| stats
    count as TotalActions,
    sum(is_view) as PageViews,
    sum(is_search) as Searches,
    sum(is_export) as Exports,
    sum(is_sensitive_search) as SensitiveSearches,
    dc(space_key) as UniqueSpaces,
    dc(page_title) as UniquePages,
    values(eval(if(is_sensitive_search=1, search_query, null()))) as SensitiveTermsSearched,
    earliest(_time) as FirstActivity,
    latest(_time) as LastActivity
    by username, remote_ip, _time
| eval DurationMinutes=max(round((LastActivity - FirstActivity) / 60, 1), 1)
| eval AccessRatePerMin=round(TotalActions / DurationMinutes, 2)
| eval BulkAccess=if(TotalActions > 40, 1, 0)
| eval AutomatedScraping=if(AccessRatePerMin > 10, 1, 0)
| eval MultiSpaceEnum=if(UniqueSpaces > 5, 1, 0)
| eval CredentialHunting=if(SensitiveSearches > 0, 1, 0)
| eval BulkExport=if(Exports > 5, 1, 0)
| eval RiskScore=BulkAccess + AutomatedScraping + MultiSpaceEnum + CredentialHunting + BulkExport
| where RiskScore > 0
| eval ThreatIndicator=case(
    AutomatedScraping=1, "Automated scraping ("+tostring(AccessRatePerMin)+" pages/min)",
    CredentialHunting=1, "Credential hunting — "+tostring(SensitiveSearches)+" sensitive searches",
    BulkExport=1, "Bulk export activity — "+tostring(Exports)+" exports",
    MultiSpaceEnum=1, "Multi-space enumeration — "+tostring(UniqueSpaces)+" spaces accessed",
    BulkAccess=1, "High-volume bulk access — "+tostring(TotalActions)+" actions",
    1=1, "Elevated Confluence activity")
| table _time, username, remote_ip, TotalActions, UniquePages, UniqueSpaces,
        Searches, SensitiveSearches, SensitiveTermsSearched, Exports,
        AccessRatePerMin, ThreatIndicator, RiskScore
| sort - RiskScore, - TotalActions

medium severity medium confidence

Data Sources

Application Log: Application Log Content Atlassian Confluence Audit Log Atlassian REST Audit API

Required Sourcetypes

atlassian:confluence:audit

False Positives

Content migration projects or Confluence-to-Confluence migrations running automated page transfers at high volume
Documentation teams conducting content audits, broken link detection, or space-wide reviews
Enterprise search indexing crawlers periodically ingesting Confluence content
New employees or contractors onboarding with rapid documentation review in first week
Scheduled backup or archival tools performing automated space exports
Developer tooling and IDE integrations reading Confluence pages programmatically

Elastic Security (EQL)

eql

sequence by user.name, source.ip with maxspan=1h
  [any where event.dataset == "atlassian.confluence" and
   event.action in ("page_viewed", "content_viewed", "space_viewed",
                    "attachment_downloaded", "content_exported", "space_exported",
                    "search_performed", "page_printed")] with runs=40

// Alternative aggregate-based approach for the same technique:
// metric where event.dataset == "atlassian.confluence"
//   and event.action in ("page_viewed", "content_viewed", "space_viewed",
//                        "attachment_downloaded", "content_exported",
//                        "search_performed", "page_printed")

// Sensitive search hunting query (run as separate detection):
// any where event.dataset == "atlassian.confluence"
//   and event.action == "search_performed"
//   and (
//     process.args like~ "*password*" or process.args like~ "*credential*"
//     or message like~ "*password*" or message like~ "*api key*"
//     or message like~ "*secret*" or message like~ "*token*"
//     or message like~ "*ssh*" or message like~ "*vpn*"
//     or message like~ "*private key*" or message like~ "*aws*"
//     or message like~ "*azure*" or message like~ "*gcp*"
//     or message like~ "*bearer*" or message like~ "*ldap*"
//     or message like~ "*kerberos*" or message like~ "*access key*"
//     or message like~ "*connection string*"
//   )

high severity medium confidence

Data Sources

Atlassian Confluence audit logs via Elastic Agent or Filebeat Atlassian module Confluence Data Center/Cloud audit log export to Elasticsearch SIEM integration forwarding Confluence audit events to ECS-normalized indices

Required Tables

logs-atlassian.confluence-* atlassian-confluence-audit filebeat-*

False Positives

Documentation team members or technical writers performing legitimate bulk page reviews during documentation sprints or wiki reorganization projects
Automated CI/CD pipelines or bots (e.g., Confluence space exporters, backup scripts, documentation generators) that access many pages in rapid succession
New employee onboarding where users are given broad Confluence access and explore large portions of the wiki in their first days
Search terms like 'aws' or 'azure' in legitimate engineering searches about cloud architecture without credential-hunting intent

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstActivity,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastActivity,
  username,
  sourceip AS RemoteIP,
  COUNT(*) AS TotalActions,
  COUNT(DISTINCT QIDNAME(qid)) AS UniqueActionTypes,
  SUM(CASE WHEN LOWER("action") IN ('page_viewed','content_viewed','space_viewed','pageviewed','contentviewed','spaceviewed') THEN 1 ELSE 0 END) AS PageViews,
  SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed') THEN 1 ELSE 0 END) AS Searches,
  SUM(CASE WHEN LOWER("action") IN ('content_exported','space_exported','attachment_downloaded','page_printed','contentexported','spaceexported','attachmentdownloaded') THEN 1 ELSE 0 END) AS ExportsAndDownloads,
  SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed')
       AND (
         LOWER("searchQuery") LIKE '%password%' OR LOWER("searchQuery") LIKE '%passwd%'
         OR LOWER("searchQuery") LIKE '%credential%' OR LOWER("searchQuery") LIKE '%secret%'
         OR LOWER("searchQuery") LIKE '%api key%' OR LOWER("searchQuery") LIKE '%apikey%'
         OR LOWER("searchQuery") LIKE '%token%' OR LOWER("searchQuery") LIKE '%vpn%'
         OR LOWER("searchQuery") LIKE '%ssh%' OR LOWER("searchQuery") LIKE '%private key%'
         OR LOWER("searchQuery") LIKE '% aws %' OR LOWER("searchQuery") LIKE '%azure%'
         OR LOWER("searchQuery") LIKE '%gcp%' OR LOWER("searchQuery") LIKE '%bearer%'
         OR LOWER("searchQuery") LIKE '%ldap%' OR LOWER("searchQuery") LIKE '%kerberos%'
         OR LOWER("searchQuery") LIKE '%connection string%' OR LOWER("searchQuery") LIKE '%access key%'
         OR LOWER("searchQuery") LIKE '%service account%'
       )
       THEN 1 ELSE 0 END) AS SensitiveSearchCount,
  ROUND((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60000.0, 2) AS DurationMinutes,
  CASE
    WHEN COUNT(*) / GREATEST(ROUND((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60000.0, 1), 1) > 10
         THEN 'Automated scraping — exceeds 10 actions/min'
    WHEN SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed')
                   AND (LOWER("searchQuery") LIKE '%password%' OR LOWER("searchQuery") LIKE '%credential%'
                        OR LOWER("searchQuery") LIKE '%secret%' OR LOWER("searchQuery") LIKE '%api key%')
                   THEN 1 ELSE 0 END) > 0
         THEN 'Credential/secret hunting via search queries'
    WHEN SUM(CASE WHEN LOWER("action") IN ('content_exported','space_exported','page_printed') THEN 1 ELSE 0 END) > 5
         THEN 'Bulk content export activity'
    WHEN COUNT(*) > 40
         THEN 'High-volume bulk Confluence access'
    ELSE 'Elevated Confluence activity above threshold'
  END AS ThreatIndicator
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%confluence%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%atlassian%'
  OR CATEGORYNAME(category) ILIKE '%confluence%'
GROUP BY
  username,
  sourceip,
  TRUNC(starttime, 'HOUR')
HAVING
  COUNT(*) > 40
  OR SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed')
               AND (
                 LOWER("searchQuery") LIKE '%password%' OR LOWER("searchQuery") LIKE '%credential%'
                 OR LOWER("searchQuery") LIKE '%secret%' OR LOWER("searchQuery") LIKE '%api key%'
                 OR LOWER("searchQuery") LIKE '%token%' OR LOWER("searchQuery") LIKE '%vpn%'
                 OR LOWER("searchQuery") LIKE '%ssh%' OR LOWER("searchQuery") LIKE '%ldap%'
               )
               THEN 1 ELSE 0 END) > 0
  OR SUM(CASE WHEN LOWER("action") IN ('content_exported','space_exported','page_printed','attachmentdownloaded') THEN 1 ELSE 0 END) > 5
ORDER BY TotalActions DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar with Atlassian Confluence log source configured Confluence audit log integration via QRadar DSM for Atlassian Confluence Syslog or HTTP-forwarded Confluence audit events parsed by custom QRadar DSM

Required Tables

events (QRadar events store with Confluence log source)

False Positives

Space administrators performing bulk space exports for backup, migration, or compliance archiving purposes during scheduled maintenance windows
Security or compliance tools that crawl Confluence to enforce DLP policies or classify content — these may generate high-volume read access patterns
Developers or DevOps engineers searching for infrastructure documentation using legitimate terms like 'aws', 'azure', or 'connection string' that trigger sensitive search term matches

Sumo Logic CSE

sql

_sourceCategory=atlassian/confluence OR _sourceCategory=atlassian/audit
| json field=_raw "type" as event_type nodrop
| json field=_raw "eventType" as event_type2 nodrop
| json field=_raw "action" as action nodrop
| json field=_raw "author.publicName" as author_name nodrop
| json field=_raw "author" as author2 nodrop
| json field=_raw "username" as username nodrop
| json field=_raw "remoteAddress" as remote_ip nodrop
| json field=_raw "remote_address" as remote_ip2 nodrop
| json field=_raw "content.title" as page_title nodrop
| json field=_raw "pageTitle" as page_title2 nodrop
| json field=_raw "space.key" as space_key nodrop
| json field=_raw "spaceKey" as space_key2 nodrop
| json field=_raw "searchQuery" as search_query nodrop
| json field=_raw "query" as search_query2 nodrop
| where !(isNull(event_type) && isNull(event_type2) && isNull(action))
| if (!isNull(event_type), event_type, if (!isNull(event_type2), event_type2, action)) as eff_event_type
| if (!isNull(author_name), author_name, if (!isNull(author2), author2, username)) as eff_user
| if (!isNull(remote_ip), remote_ip, remote_ip2) as eff_ip
| if (!isNull(page_title), page_title, page_title2) as eff_title
| if (!isNull(space_key), space_key, space_key2) as eff_space
| if (!isNull(search_query), search_query, search_query2) as eff_query
| toLowerCase(eff_event_type) as eff_event_type
| toLowerCase(eff_query) as eff_query
| if (eff_event_type matches ".*(?:view|viewed|read).*", 1, 0) as is_view
| if (eff_event_type matches ".*search.*", 1, 0) as is_search
| if (eff_event_type matches ".*(?:export|print|pdf|download).*", 1, 0) as is_export
| if (is_search = 1 AND (eff_query matches ".*(?:password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key|service.?account).*"), 1, 0) as is_sensitive_search
| timeslice 1h
| stats
    count as TotalActions,
    sum(is_view) as PageViews,
    sum(is_search) as Searches,
    sum(is_export) as Exports,
    sum(is_sensitive_search) as SensitiveSearches,
    countDistinct(eff_space) as UniqueSpaces,
    countDistinct(eff_title) as UniquePages,
    first(_messageTime) as FirstActivity,
    last(_messageTime) as LastActivity
    by eff_user, eff_ip, _timeslice
| (LastActivity - FirstActivity) / 60000 as DurationMs
| if (DurationMs < 60000, 1, DurationMs / 60000) as DurationMinutes
| TotalActions / DurationMinutes as AccessRatePerMin
| round(AccessRatePerMin, 2) as AccessRatePerMin
| if (TotalActions > 40, 1, 0) as BulkAccess
| if (AccessRatePerMin > 10, 1, 0) as AutomatedScraping
| if (UniqueSpaces > 5, 1, 0) as MultiSpaceEnum
| if (SensitiveSearches > 0, 1, 0) as CredentialHunting
| if (Exports > 5, 1, 0) as BulkExport
| BulkAccess + AutomatedScraping + MultiSpaceEnum + CredentialHunting + BulkExport as RiskScore
| where RiskScore > 0
| if (AutomatedScraping = 1,
    concat("Automated scraping — ", toString(AccessRatePerMin), " pages/min"),
    if (CredentialHunting = 1,
      concat("Credential hunting — ", toString(SensitiveSearches), " sensitive searches"),
      if (BulkExport = 1,
        concat("Bulk export — ", toString(Exports), " exports"),
        if (MultiSpaceEnum = 1,
          concat("Multi-space enumeration — ", toString(UniqueSpaces), " spaces"),
          concat("High-volume bulk access — ", toString(TotalActions), " actions")
        )
      )
    )
  ) as ThreatIndicator
| fields _timeslice, eff_user, eff_ip, TotalActions, UniquePages, UniqueSpaces, Searches, SensitiveSearches, Exports, AccessRatePerMin, ThreatIndicator, RiskScore
| sort by RiskScore desc, TotalActions desc

high severity medium confidence

Data Sources

Atlassian Confluence audit logs collected via Sumo Logic Hosted Collector or HTTP Source Confluence Cloud audit log API export ingested into Sumo Logic Sumo Logic App for Atlassian Confluence

Required Tables

_sourceCategory=atlassian/confluence _sourceCategory=atlassian/audit

False Positives

Atlassian Confluence administrators performing space exports for backup or migration generate high export counts that will exceed the threshold even in normal operations
Content audit or governance tools that enumerate Confluence spaces and pages to enforce content lifecycle policies, producing multi-space access patterns
Engineering teams performing disaster recovery drills or documentation audits where members simultaneously access many spaces and pages in a short window

Google Chronicle / SecOps

yaral

rule t1213_001_confluence_data_mining {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk Confluence data mining (T1213.001) including credential hunting via search, bulk content export, and automated scraping patterns"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1213.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1213/001/"
    reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-181a"
    version = "1.0"
    created = "2026-04-19"

  events:
    $e.metadata.product_name = /(?i)confluence|atlassian/
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    (
      $e.metadata.product_event_type = /(?i)page_viewed|content_viewed|space_viewed|attachment_downloaded|content_exported|space_exported|page_printed|search_performed|pageviewed|contentviewed|spaceviewed|searchperformed/
      or $e.network.http.method = "GET"
    )
    $e.principal.user.userid = $user
    $e.principal.ip = $src_ip

  match:
    $user, $src_ip over 1h

  outcome:
    $total_events = count_distinct($e.metadata.id)
    $unique_spaces = count_distinct($e.target.resource.attribute.labels["space_key"])
    $export_count = count_distinct(
      if($e.metadata.product_event_type = /(?i)content_exported|space_exported|page_printed|attachment_downloaded/, $e.metadata.id, null)
    )
    $sensitive_search_count = count_distinct(
      if(
        $e.metadata.product_event_type = /(?i)search_performed|searchperformed/
        and (
          $e.security_result.description = /(?i)password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key|service.?account/
          or $e.target.resource.name = /(?i)password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key/
        ),
        $e.metadata.id,
        null
      )
    )
    $risk_score = (
      if($total_events > 40, 1, 0)
      + if($unique_spaces > 5 and $total_events > 20, 1, 0)
      + if($export_count > 5, 1, 0)
      + if($sensitive_search_count > 0, 1, 0)
    )
    $display_user = array_distinct($e.principal.user.email_addresses)
    $user_agent = $e.network.http.user_agent
    $threat_indicator = if(
      $sensitive_search_count > 0, "Credential/secret hunting via search queries",
      if($export_count > 5, "Bulk content export activity",
        if($unique_spaces > 5, "Multi-space enumeration pattern",
          if($total_events > 40, "High-volume bulk Confluence access",
            "Elevated Confluence activity above threshold"
          )
        )
      )
    )

  condition:
    $e and (
      $total_events > 40
      or $sensitive_search_count > 0
      or $export_count > 5
      or ($unique_spaces > 5 and $total_events > 20)
    )
}

high severity medium confidence

Data Sources

Google Chronicle with Atlassian Confluence log ingestion configured via Chronicle Forwarder or API ingestion Confluence Cloud audit logs forwarded to Chronicle via Pub/Sub or direct ingestion Atlassian Confluence UDM-mapped events in Chronicle SIEM

Required Tables

UDM events with metadata.product_name matching Confluence or Atlassian

False Positives

Confluence space owners or documentation leads who regularly export spaces for offline review, creating high export counts within detection thresholds
Automated documentation pipelines (ReadTheDocs integrations, static site generators pulling from Confluence) that authenticate as a service account and traverse many pages rapidly
Enterprise search indexers or intranet search tools that crawl Confluence content to build search indexes, generating both bulk access and search events simultaneously

CrowdStrike LogScale (CQL)

cql

// T1213.001 — Confluence Data Mining Detection
// Requires Confluence audit logs forwarded to CrowdStrike Falcon LogScale
// via the Atlassian Confluence connector or syslog/HTTP event collector

#event_simpleName=AtlassianConfluenceAudit OR #product=confluence OR #vendor=atlassian
| eff_event_type := lower(coalesce(event_type, eventType, action, "unknown"))
| eff_user := coalesce(author_publicName, author, username, user, "unknown")
| eff_ip := coalesce(remoteAddress, remote_address, src_ip, "")
| eff_space := coalesce(space_key, spaceKey, space, "")
| eff_query := lower(coalesce(searchQuery, query, ""))
| is_view := if(eff_event_type = /view|viewed|read/, "1", "0")
| is_search := if(eff_event_type = /search/, "1", "0")
| is_export := if(eff_event_type = /export|print|pdf|download/, "1", "0")
| is_sensitive := if(
    is_search = "1" and eff_query = /password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key|service.?account/,
    "1", "0"
  )
| groupBy(
    [eff_user, eff_ip],
    function=[
      count() as TotalActions,
      sum("is_view") as PageViews,
      sum("is_search") as Searches,
      sum("is_export") as Exports,
      sum("is_sensitive") as SensitiveSearches,
      count(eff_space, distinct=true) as UniqueSpaces,
      min(@timestamp) as FirstActivity,
      max(@timestamp) as LastActivity
    ],
    timeWindow=1h
  )
| DurationMs := LastActivity - FirstActivity
| DurationMinutes := if(DurationMs < 60000, 1, DurationMs / 60000)
| AccessRatePerMin := round(TotalActions / DurationMinutes, 2)
| BulkAccess := if(TotalActions > 40, 1, 0)
| AutomatedScraping := if(AccessRatePerMin > 10, 1, 0)
| MultiSpaceEnum := if(UniqueSpaces > 5, 1, 0)
| CredentialHunting := if(SensitiveSearches > 0, 1, 0)
| BulkExport := if(Exports > 5, 1, 0)
| RiskScore := BulkAccess + AutomatedScraping + MultiSpaceEnum + CredentialHunting + BulkExport
| RiskScore > 0
| ThreatIndicator := case(
    AutomatedScraping = 1, format("Automated scraping — %s pages/min", [AccessRatePerMin]),
    CredentialHunting = 1, format("Credential hunting — %s sensitive searches", [SensitiveSearches]),
    BulkExport = 1, format("Bulk export activity — %s exports", [Exports]),
    MultiSpaceEnum = 1, format("Multi-space enumeration — %s spaces", [UniqueSpaces]),
    BulkAccess = 1, format("High-volume bulk access — %s actions", [TotalActions]),
    "Elevated Confluence activity"
  )
| table([eff_user, eff_ip, TotalActions, UniqueSpaces, Searches, SensitiveSearches, Exports, AccessRatePerMin, ThreatIndicator, RiskScore])
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon LogScale with Atlassian Confluence audit log connector or HTTP Event Collector ingestion Confluence Cloud or Data Center audit logs forwarded to LogScale via syslog, Kafka, or direct API integration Custom LogScale parser for Atlassian Confluence JSON audit events

Required Tables

Repository/index containing Confluence audit events with #product=confluence or #vendor=atlassian tag

False Positives

Power users such as architects, team leads, or project managers who use Confluence extensively and legitimately access many spaces and pages during planning or documentation review cycles
Atlassian Companion app or Confluence mobile sync processes that generate high access rates when syncing offline content or cached pages on behalf of legitimate users
Incident response or legal hold processes where authorized personnel are tasked with collecting evidence from Confluence, creating legitimate bulk access and export patterns that match detection thresholds

Last updated: 2026-04-19 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1213.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.002Sharepoint T1213.003Code Repositories T1213.004Customer Relationship Management Software T1213.005Messaging Applications T1213.006Databases

Confluence

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections