Detect Confluence in Google Chronicle
Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.001 Confluence
- Canonical reference
- https://attack.mitre.org/techniques/T1213/001/
YARA-L Detection Query
rule t1213_001_confluence_data_mining {
meta:
author = "Argus Detection Engineering"
description = "Detects bulk Confluence data mining (T1213.001) including credential hunting via search, bulk content export, and automated scraping patterns"
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Collection"
mitre_attack_technique = "T1213.001"
mitre_attack_url = "https://attack.mitre.org/techniques/T1213/001/"
reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-181a"
version = "1.0"
created = "2026-04-19"
events:
$e.metadata.product_name = /(?i)confluence|atlassian/
$e.metadata.event_type = "USER_RESOURCE_ACCESS"
(
$e.metadata.product_event_type = /(?i)page_viewed|content_viewed|space_viewed|attachment_downloaded|content_exported|space_exported|page_printed|search_performed|pageviewed|contentviewed|spaceviewed|searchperformed/
or $e.network.http.method = "GET"
)
$e.principal.user.userid = $user
$e.principal.ip = $src_ip
match:
$user, $src_ip over 1h
outcome:
$total_events = count_distinct($e.metadata.id)
$unique_spaces = count_distinct($e.target.resource.attribute.labels["space_key"])
$export_count = count_distinct(
if($e.metadata.product_event_type = /(?i)content_exported|space_exported|page_printed|attachment_downloaded/, $e.metadata.id, null)
)
$sensitive_search_count = count_distinct(
if(
$e.metadata.product_event_type = /(?i)search_performed|searchperformed/
and (
$e.security_result.description = /(?i)password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key|service.?account/
or $e.target.resource.name = /(?i)password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key/
),
$e.metadata.id,
null
)
)
$risk_score = (
if($total_events > 40, 1, 0)
+ if($unique_spaces > 5 and $total_events > 20, 1, 0)
+ if($export_count > 5, 1, 0)
+ if($sensitive_search_count > 0, 1, 0)
)
$display_user = array_distinct($e.principal.user.email_addresses)
$user_agent = $e.network.http.user_agent
$threat_indicator = if(
$sensitive_search_count > 0, "Credential/secret hunting via search queries",
if($export_count > 5, "Bulk content export activity",
if($unique_spaces > 5, "Multi-space enumeration pattern",
if($total_events > 40, "High-volume bulk Confluence access",
"Elevated Confluence activity above threshold"
)
)
)
)
condition:
$e and (
$total_events > 40
or $sensitive_search_count > 0
or $export_count > 5
or ($unique_spaces > 5 and $total_events > 20)
)
}Google Chronicle YARA-L 2.0 rule detecting T1213.001 Confluence data mining. Matches Confluence USER_RESOURCE_ACCESS events and aggregates over 1-hour windows per user and source IP. Triggers on bulk access (>40 actions), sensitive search term queries containing credential/secret-related terms, excessive exports (>5), or multi-space enumeration. Outcome variables compute a composite risk score and human-readable threat indicator for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Confluence space owners or documentation leads who regularly export spaces for offline review, creating high export counts within detection thresholds
- Automated documentation pipelines (ReadTheDocs integrations, static site generators pulling from Confluence) that authenticate as a service account and traverse many pages rapidly
- Enterprise search indexers or intranet search tools that crawl Confluence content to build search indexes, generating both bulk access and search events simultaneously
Other platforms for T1213.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Confluence Space Enumeration via REST API
Expected signal: GET request to /rest/api/space visible in proxy logs with source host, user agent, and response bytes. Atlassian audit log records an API access event for the authenticated user. CloudAppEvents (if MCAS integrated) captures SpaceViewed or API access events per space returned.
- Test 2Confluence Credential Hunting via Search API (CQL)
Expected signal: Multiple GET requests to /rest/api/content/search with credential-related CQL query parameters visible in proxy logs and URL paths. Atlassian audit log records each SearchPerformed event with the query text. CloudAppEvents captures SearchPerformed events; the SensitiveSearchCount metric in the primary KQL query increments for each sensitive term.
- Test 3Bulk Page Content Extraction with Body Storage Expansion
Expected signal: GET request to /rest/api/content with expand=body.storage parameter in proxy logs. Significantly higher bytes-transferred value than a standard metadata-only request due to full page bodies. Atlassian audit log records content access events. File created in /tmp on attacker system.
- Test 4Confluence Space XML Export via Web Interface
Expected signal: POST to /dologin.action followed by GET to /spaces/exportspacezipxml.action visible in proxy logs. Large file download (ZIP archive) with high bytes-transferred. Atlassian audit log records a space export event under the authenticated user. CASB/MCAS captures SpaceExported or ContentExported event.
References (8)
- https://attack.mitre.org/techniques/T1213/001/
- https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://developer.atlassian.com/cloud/confluence/rest/v1/intro/
- https://confluence.atlassian.com/doc/confluence-audit-log-1017226528.html
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-shadow-it
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.001/T1213.001.md
Unlock Pro Content
Get the full detection package for T1213.001 including response playbook, investigation guide, and atomic red team tests.