Detect Confluence in Elastic Security
Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1213 Data from Information Repositories
- Sub-technique: T1213.001 Confluence
- Canonical reference: https://attack.mitre.org/techniques/T1213/001/
Elastic Detection Query
sequence by user.name, source.ip with maxspan=1h
  [any where event.dataset == "atlassian.confluence" and
   event.action in ("page_viewed", "content_viewed", "space_viewed",
                    "attachment_downloaded", "content_exported", "space_exported",
                    "search_performed", "page_printed")] with runs=40

// Alternative aggregate-based approach for the same technique (pseudo-query,
// not valid EQL syntax; implement it as an Elastic threshold rule that counts
// matching events grouped by user.name and source.ip over 1h):
// metric where event.dataset == "atlassian.confluence"
//   and event.action in ("page_viewed", "content_viewed", "space_viewed",
//                        "attachment_downloaded", "content_exported",
//                        "search_performed", "page_printed")

// Sensitive search hunting query (run as a separate detection):
any where event.dataset == "atlassian.confluence"
  and event.action == "search_performed"
  and (
    process.args like~ "*password*" or process.args like~ "*credential*"
    or message like~ "*password*" or message like~ "*api key*"
    or message like~ "*secret*" or message like~ "*token*"
    or message like~ "*ssh*" or message like~ "*vpn*"
    or message like~ "*private key*" or message like~ "*aws*"
    or message like~ "*azure*" or message like~ "*gcp*"
    or message like~ "*bearer*" or message like~ "*ldap*"
    or message like~ "*kerberos*" or message like~ "*access key*"
    or message like~ "*connection string*"
  )

Detects bulk Confluence data mining consistent with T1213.001 using an Elastic EQL sequence. The sequence rule identifies users who generate 40 or more Confluence events within a 1-hour window from the same source IP; the supplementary hunting query identifies search queries containing credential- and secret-related terms. The sequence-based rule catches automated scraping patterns, while the search hunting query surfaces targeted credential hunting.
Data Sources
Required Tables
False Positives & Tuning
- Documentation team members or technical writers performing legitimate bulk page reviews during documentation sprints or wiki reorganization projects
- Automated CI/CD pipelines or bots (e.g., Confluence space exporters, backup scripts, documentation generators) that access many pages in rapid succession
- New employee onboarding where users are given broad Confluence access and explore large portions of the wiki in their first days
- Search terms like 'aws' or 'azure' in legitimate engineering searches about cloud architecture without credential-hunting intent
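The following is an added example, not code from the original page or from Elastic's rule set. It re-implements the two detections above offline in Python so the logic can be exercised against constructed Confluence audit events: a per-(user.name, source.ip) sliding 1-hour window that fires at 40 or more events (the `maxspan=1h ... with runs=40` sequence), and the sensitive-search term match. It also folds in two tunings from the False Positives section: an allowlist for known automation accounts and treating cloud-provider names ("aws", "azure", "gcp") as ambiguous unless they appear alongside a credential-related term. Field names follow ECS as used in the rule; the sample events, the allowlisted account name and the exact tuning thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions counted by the bulk-access sequence rule (same list as the EQL rule)
BULK_ACTIONS = {
    "page_viewed", "content_viewed", "space_viewed", "attachment_downloaded",
    "content_exported", "space_exported", "search_performed", "page_printed",
}
# Terms from the sensitive-search hunting query
SENSITIVE_TERMS = [
    "password", "credential", "api key", "secret", "token", "ssh", "vpn",
    "private key", "aws", "azure", "gcp", "bearer", "ldap", "kerberos",
    "access key", "connection string",
]
# Tuning: cloud-provider names alone are common in ordinary architecture
# searches, so they only count when paired with a credential-related term.
AMBIGUOUS_TERMS = {"aws", "azure", "gcp"}
# Constructed allowlist of automation accounts (assumption, not from the page)
AUTOMATION_ALLOWLIST = {"svc-confluence-backup"}


def bulk_access_alerts(events, threshold=40, maxspan=timedelta(hours=1)):
    """Sliding window per (user.name, source.ip); alert once per key when the
    window holds `threshold` Confluence events within `maxspan`."""
    windows = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.dataset"] != "atlassian.confluence" or ev["event.action"] not in BULK_ACTIONS:
            continue
        if ev["user.name"] in AUTOMATION_ALLOWLIST:
            continue  # known bot / backup job: suppress instead of alerting
        key = (ev["user.name"], ev["source.ip"])
        window = windows[key]
        window.append(ev["@timestamp"])
        while window and ev["@timestamp"] - window[0] > maxspan:
            window.popleft()  # drop events older than the span
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user.name": key[0], "source.ip": key[1],
                           "count": len(window), "window_start": window[0],
                           "window_end": ev["@timestamp"]})
    return alerts


def sensitive_searches(events):
    """Flag search_performed events whose query text contains a sensitive term,
    ignoring hits that consist only of ambiguous cloud-provider names."""
    hits = []
    for ev in events:
        if ev["event.dataset"] != "atlassian.confluence" or ev["event.action"] != "search_performed":
            continue
        text = ev.get("message", "").lower()
        matched = [t for t in SENSITIVE_TERMS if t in text]
        if any(t not in AMBIGUOUS_TERMS for t in matched):
            hits.append({"user.name": ev["user.name"], "source.ip": ev["source.ip"],
                         "@timestamp": ev["@timestamp"], "terms": matched})
    return hits


def build_sample_events():
    """Constructed audit events (not real telemetry) covering the cases above."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []

    def add(ts, user, ip, action, message=""):
        events.append({"@timestamp": ts, "event.dataset": "atlassian.confluence",
                       "event.action": action, "user.name": user,
                       "source.ip": ip, "message": message})

    for i in range(45):   # alice: 45 page views in 30 minutes -> alert
        add(base + timedelta(seconds=40 * i), "alice", "10.0.0.5", "page_viewed")
    for i in range(45):   # bob: 45 page views spread over 3 hours -> no alert
        add(base + timedelta(minutes=4 * i), "bob", "10.0.0.6", "page_viewed")
    for i in range(100):  # backup bot: allowlisted -> suppressed
        add(base + timedelta(seconds=5 * i), "svc-confluence-backup", "10.0.0.7", "content_exported")
    add(base, "alice", "10.0.0.5", "search_performed", 'search: "aws vpn password"')
    add(base + timedelta(minutes=1), "carol", "10.0.0.8", "search_performed", 'search: "aws architecture diagram"')
    add(base + timedelta(minutes=2), "alice", "10.0.0.5", "search_performed", 'search: "ssh key rotation"')
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    for alert in bulk_access_alerts(evs):
        print("BULK  ", alert)
    for hit in sensitive_searches(evs):
        print("SEARCH", hit)
```

Running it yields one bulk alert (alice, count 40) and two sensitive-search hits, both for alice; bob stays below the threshold because his events never fit 40 into one hour, the backup account is suppressed by the allowlist, and carol's "aws architecture diagram" search is not flagged because "aws" on its own is treated as ambiguous.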
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Confluence Space Enumeration via REST API
Expected signal: GET request to /rest/api/space visible in proxy logs with source host, user agent, and response bytes. Atlassian audit log records an API access event for the authenticated user. CloudAppEvents (if MCAS integrated) captures SpaceViewed or API access events per space returned.
- Test 2: Confluence Credential Hunting via Search API (CQL)
Expected signal: Multiple GET requests to /rest/api/content/search with credential-related CQL query parameters visible in proxy logs and URL paths. Atlassian audit log records each SearchPerformed event with the query text. CloudAppEvents captures SearchPerformed events; the SensitiveSearchCount metric in the primary KQL query increments for each sensitive term.
- Test 3: Bulk Page Content Extraction with Body Storage Expansion
Expected signal: GET request to /rest/api/content with expand=body.storage parameter in proxy logs. Significantly higher bytes-transferred value than a standard metadata-only request due to full page bodies. Atlassian audit log records content access events. File created in /tmp on attacker system.
- Test 4: Confluence Space XML Export via Web Interface
Expected signal: POST to /dologin.action followed by GET to /spaces/exportspacezipxml.action visible in proxy logs. Large file download (ZIP archive) with high bytes-transferred. Atlassian audit log records a space export event under the authenticated user. CASB/MCAS captures SpaceExported or ContentExported event.
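As an added example (not from the original page or from Atomic Red Team), the script below checks the proxy-log side of the four expected signals: it parses constructed proxy log lines and tags requests to `/rest/api/space`, credential-related CQL in `/rest/api/content/search`, `expand=body.storage` responses with unusually high bytes transferred, and `/spaces/exportspacezipxml.action`. The log line format, the hostname, the sample records and the `BODY_BYTES_THRESHOLD` value are assumptions; tune the threshold to the typical size of a metadata-only content response on your own instance.

```python
import shlex
from urllib.parse import urlparse, parse_qs

# Credential-related terms to look for inside CQL query parameters
CQL_SENSITIVE_TERMS = ("password", "credential", "secret", "token",
                       "api key", "private key", "access key")
# Hypothetical threshold: metadata-only /rest/api/content responses are small,
# expand=body.storage responses carrying full page bodies are much larger.
BODY_BYTES_THRESHOLD = 100_000

# Constructed proxy log lines (not real telemetry), one record per line:
# timestamp source_ip method "url" status bytes "user_agent"
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00Z 10.0.0.5 GET "https://confluence.example.internal/rest/api/space?limit=100" 200 4821 "python-requests/2.31"
2024-05-01T09:00:05Z 10.0.0.5 GET "https://confluence.example.internal/rest/api/content/search?cql=text~%22password%22&limit=50" 200 9120 "python-requests/2.31"
2024-05-01T09:00:09Z 10.0.0.5 GET "https://confluence.example.internal/rest/api/content?spaceKey=ENG&expand=body.storage&limit=100" 200 2384711 "python-requests/2.31"
2024-05-01T09:01:00Z 10.0.0.9 GET "https://confluence.example.internal/rest/api/content?spaceKey=ENG&limit=25" 200 6012 "Mozilla/5.0"
2024-05-01T09:02:00Z 10.0.0.5 POST "https://confluence.example.internal/dologin.action" 302 512 "Mozilla/5.0"
2024-05-01T09:02:03Z 10.0.0.5 GET "https://confluence.example.internal/spaces/exportspacezipxml.action?key=ENG" 200 58123456 "Mozilla/5.0"
"""


def parse_line(line):
    """Split one proxy record; shlex keeps the quoted URL and user agent intact."""
    ts, src, method, url, status, nbytes, ua = shlex.split(line)
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes), "ua": ua}


def classify(rec):
    """Map a proxy record to the Atomic test signal it matches, or None."""
    u = urlparse(rec["url"])
    qs = parse_qs(u.query)  # percent-decodes values, e.g. %22 -> "
    path = u.path
    if rec["method"] == "GET" and path.startswith("/rest/api/space"):
        return "space_enumeration"                # Test 1
    if path.startswith("/rest/api/content/search"):
        cql = " ".join(qs.get("cql", [])).lower()
        if any(term in cql for term in CQL_SENSITIVE_TERMS):
            return "credential_hunting_search"    # Test 2
    if path == "/rest/api/content" and "body.storage" in " ".join(qs.get("expand", [])):
        if rec["bytes"] >= BODY_BYTES_THRESHOLD:
            return "bulk_body_extraction"         # Test 3
    if path.endswith("/exportspacezipxml.action"):
        return "space_export"                     # Test 4
    return None


def triage(log_text):
    """Return (timestamp, source_ip, signal, bytes) for every flagged record."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        signal = classify(rec)
        if signal:
            findings.append((rec["ts"], rec["src"], signal, rec["bytes"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROXY_LOG):
        print(*finding)
```

On the sample log the four signals are all attributed to 10.0.0.5; the ordinary metadata-only content listing from 10.0.0.9 and the login POST produce no finding on their own, which matches the page's point that the export is only notable together with the subsequent large download.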
References
- https://attack.mitre.org/techniques/T1213/001/
- https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://developer.atlassian.com/cloud/confluence/rest/v1/intro/
- https://confluence.atlassian.com/doc/confluence-audit-log-1017226528.html
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-shadow-it
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.001/T1213.001.md