T1213.001 CrowdStrike LogScale

Detect Confluence in CrowdStrike LogScale

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion.

MITRE ATT&CK

Tactic: Collection
Technique: T1213 Data from Information Repositories
Sub-technique: T1213.001 Confluence
Canonical reference: https://attack.mitre.org/techniques/T1213/001/

LogScale Detection Query

CrowdStrike Falcon LogScale query (CQL):

// T1213.001: Confluence data mining detection
// Requires Confluence audit logs forwarded to CrowdStrike Falcon LogScale
// via the Atlassian Confluence connector or syslog/HTTP event collector

#event_simpleName=AtlassianConfluenceAudit OR #product=confluence OR #vendor=atlassian
// Normalise field names that differ between Confluence Cloud and Data Center audit formats.
// coalesce() takes the first field that exists; default() fills the value when none do.
| coalesce([event_type, eventType, action], as=eff_event_type)
| default(field=eff_event_type, value="unknown")
| lower(eff_event_type, as=eff_event_type)
| coalesce([author_publicName, author, username, user], as=eff_user)
| default(field=eff_user, value="unknown")
| coalesce([remoteAddress, remote_address, src_ip], as=eff_ip)
| default(field=eff_ip, value="unknown")
| coalesce([space_key, spaceKey, space], as=eff_space)
| coalesce([searchQuery, query], as=eff_query)
| lower(eff_query, as=eff_query)
// Classify each event with 1/0 flags so they can be summed per window
| case { eff_event_type=/view|viewed|read/ | is_view := 1; * | is_view := 0 }
| case { eff_event_type=/search/ | is_search := 1; * | is_search := 0 }
| case { eff_event_type=/export|print|pdf|download/ | is_export := 1; * | is_export := 0 }
| case {
    is_search=1 AND eff_query=/password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key|service.?account/ | is_sensitive := 1;
    * | is_sensitive := 0
  }
// Aggregate per user and source IP in fixed 1-hour windows (bucket() adds a _bucket field)
| bucket(span=1h, field=[eff_user, eff_ip], function=[
      count(as=TotalActions),
      sum(is_view, as=PageViews),
      sum(is_search, as=Searches),
      sum(is_export, as=Exports),
      sum(is_sensitive, as=SensitiveSearches),
      count(eff_space, distinct=true, as=UniqueSpaces),
      min(@timestamp, as=FirstActivity),
      max(@timestamp, as=LastActivity)
  ])
// Access rate: floor the active span at one minute so a burst does not divide by ~0
| DurationMs := LastActivity - FirstActivity
| DurationMinutes := DurationMs / 60000
| case { DurationMinutes < 1 | DurationMinutes := 1; * }
| AccessRatePerMin := TotalActions / DurationMinutes
// Five indicators, one point each
| BulkAccess := if(TotalActions > 40, then=1, else=0)
| AutomatedScraping := if(AccessRatePerMin > 10, then=1, else=0)
| MultiSpaceEnum := if(UniqueSpaces > 5, then=1, else=0)
| CredentialHunting := if(SensitiveSearches > 0, then=1, else=0)
| BulkExport := if(Exports > 5, then=1, else=0)
| RiskScore := BulkAccess + AutomatedScraping + MultiSpaceEnum + CredentialHunting + BulkExport
| RiskScore > 0
// Label the row with the highest-priority indicator that fired
| case {
    AutomatedScraping=1 | format("Automated scraping: %s pages/min", field=[AccessRatePerMin], as=ThreatIndicator);
    CredentialHunting=1 | format("Credential hunting: %s sensitive searches", field=[SensitiveSearches], as=ThreatIndicator);
    BulkExport=1 | format("Bulk export activity: %s exports", field=[Exports], as=ThreatIndicator);
    MultiSpaceEnum=1 | format("Multi-space enumeration: %s spaces", field=[UniqueSpaces], as=ThreatIndicator);
    BulkAccess=1 | format("High-volume bulk access: %s actions", field=[TotalActions], as=ThreatIndicator);
    * | ThreatIndicator := "Elevated Confluence activity"
  }
| format("%.2f", field=[AccessRatePerMin], as=AccessRatePerMin)
| table([eff_user, eff_ip, _bucket, TotalActions, UniqueSpaces, Searches, SensitiveSearches, Exports, AccessRatePerMin, ThreatIndicator, RiskScore])
| sort(RiskScore, order=desc)

Severity: high. Confidence: medium.

CrowdStrike Falcon LogScale (CQL) detection for T1213.001 Confluence data mining. Parses Atlassian Confluence audit log events forwarded to LogScale and aggregates activity per user and IP in 1-hour windows. Computes a risk score across five indicators — bulk access volume, automated scraping rate, multi-space enumeration, sensitive credential-hunting search queries, and bulk export activity — producing a prioritized output table for analyst triage.

Data Sources

  • CrowdStrike Falcon LogScale with the Atlassian Confluence audit log connector or HTTP Event Collector ingestion
  • Confluence Cloud or Data Center audit logs forwarded to LogScale via syslog, Kafka, or direct API integration
  • Custom LogScale parser for Atlassian Confluence JSON audit events

Required Tables

Repository/index containing Confluence audit events tagged #product=confluence or #vendor=atlassian

False Positives & Tuning

  • Power users such as architects, team leads, or project managers who use Confluence extensively and legitimately access many spaces and pages during planning or documentation review cycles
  • Atlassian Companion app or Confluence mobile sync processes that generate high access rates when syncing offline content or cached pages on behalf of legitimate users
  • Incident response or legal hold processes where authorized personnel are tasked with collecting evidence from Confluence, creating legitimate bulk access and export patterns that match detection thresholds
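Added example, not the page's query and not CrowdStrike or Atlassian code: a Python re-implementation of the scoring logic described above (the same 1-hour window, five indicators, thresholds and regexes as the LogScale query), run offline over constructed Confluence audit events that mix the Cloud and Data Center field names the query coalesces. It also takes an allowlist parameter to show the tuning the false-positive notes call for, suppressing a known incident-response collector account before scoring. All user names, IPs, spaces and events are constructed; the result rows mirror the query's output table.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Classifier regexes, copied from the LogScale query; applied to lower-cased fields.
VIEW_RE = re.compile(r"view|viewed|read")
SEARCH_RE = re.compile(r"search")
EXPORT_RE = re.compile(r"export|print|pdf|download")
SENSITIVE_RE = re.compile(
    r"password|passwd|credential|secret|api.?key|apikey|token|vpn|ssh|private.?key"
    r"|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key|service.?account"
)
WINDOW_MS = 60 * 60 * 1000  # the query's 1h bucket

# Indicator precedence, same order as the query's case block.
INDICATORS = [
    ("AutomatedScraping", "Automated scraping: {AccessRatePerMin} pages/min"),
    ("CredentialHunting", "Credential hunting: {SensitiveSearches} sensitive searches"),
    ("BulkExport", "Bulk export activity: {Exports} exports"),
    ("MultiSpaceEnum", "Multi-space enumeration: {UniqueSpaces} spaces"),
    ("BulkAccess", "High-volume bulk access: {TotalActions} actions"),
]


def coalesce(event, *keys, default=""):
    """First non-empty value among alternative field names, like LogScale coalesce()."""
    for key in keys:
        value = event.get(key)
        if value not in (None, ""):
            return value
    return default


def normalize(event):
    """Map one raw audit event onto the query's eff_* fields."""
    ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
    return {
        "ts": int(ts.timestamp() * 1000),
        "event_type": str(coalesce(event, "event_type", "eventType", "action", default="unknown")).lower(),
        "user": coalesce(event, "author_publicName", "author", "username", "user", default="unknown"),
        "ip": coalesce(event, "remoteAddress", "remote_address", "src_ip", default="unknown"),
        "space": coalesce(event, "space_key", "spaceKey", "space"),
        "query": str(coalesce(event, "searchQuery", "query")).lower(),
    }


def score_events(events, allowlist=frozenset()):
    """Group by (user, ip, 1h bucket) and compute the five indicators and RiskScore.
    allowlist: user names dropped before scoring (tuning for authorised IR / legal-hold accounts)."""
    buckets = defaultdict(list)
    for raw in events:
        ev = normalize(raw)
        if ev["user"] in allowlist:
            continue
        buckets[(ev["user"], ev["ip"], ev["ts"] // WINDOW_MS)].append(ev)

    rows = []
    for (user, ip, _bucket), evs in buckets.items():
        searches = [e for e in evs if SEARCH_RE.search(e["event_type"])]
        row = {
            "user": user,
            "ip": ip,
            "TotalActions": len(evs),
            "PageViews": sum(1 for e in evs if VIEW_RE.search(e["event_type"])),
            "Searches": len(searches),
            "SensitiveSearches": sum(1 for e in searches if SENSITIVE_RE.search(e["query"])),
            "Exports": sum(1 for e in evs if EXPORT_RE.search(e["event_type"])),
            "UniqueSpaces": len({e["space"] for e in evs if e["space"]}),
        }
        duration_ms = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        minutes = 1 if duration_ms < 60_000 else duration_ms / 60_000  # floor at one minute
        row["AccessRatePerMin"] = round(row["TotalActions"] / minutes, 2)
        row["flags"] = {
            "BulkAccess": row["TotalActions"] > 40,
            "AutomatedScraping": row["AccessRatePerMin"] > 10,
            "MultiSpaceEnum": row["UniqueSpaces"] > 5,
            "CredentialHunting": row["SensitiveSearches"] > 0,
            "BulkExport": row["Exports"] > 5,
        }
        row["RiskScore"] = sum(row["flags"].values())
        if row["RiskScore"] == 0:
            continue  # the query's "RiskScore > 0" filter
        row["ThreatIndicator"] = next(
            (text.format(**row) for name, text in INDICATORS if row["flags"][name]),
            "Elevated Confluence activity",
        )
        rows.append(row)
    return sorted(rows, key=lambda r: r["RiskScore"], reverse=True)


def build_sample_events():
    """Constructed audit events (not real telemetry), mixing the field names the query coalesces."""
    base = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    events = []
    # Benign analyst: three views and one ordinary search spread over 30 minutes.
    for i, space in enumerate(["ENG", "ENG", "OPS"]):
        events.append({"@timestamp": stamp(i * 600), "eventType": "page_viewed", "author": "j.doe",
                       "remoteAddress": "10.0.0.5", "spaceKey": space})
    events.append({"@timestamp": stamp(1800), "event_type": "search_performed", "user": "j.doe",
                   "src_ip": "10.0.0.5", "searchQuery": "onboarding checklist"})
    # Scripted account: 12 searches (6 credential-themed) then 50 views across 7 spaces, one event every 5 s.
    queries = ["vpn password", "release notes", "aws access key", "onboarding", "service account",
               "holiday calendar", "ssh private key", "team charter", "ldap bind", "sprint retro",
               "api key rotation", "architecture overview"]
    spaces = ["ENG", "OPS", "SEC", "HR", "FIN", "LEGAL", "NET"]
    for i in range(62):
        ev = {"@timestamp": stamp(i * 5), "author_publicName": "svc-scraper", "remote_address": "203.0.113.7"}
        if i < 12:
            ev.update({"action": "search_performed", "query": queries[i]})
        else:
            ev.update({"action": "page_viewed", "space_key": spaces[i % 7]})
        events.append(ev)
    # Authorised IR collector: 8 space exports in 8 minutes, a legitimate bulk-export pattern.
    for i in range(8):
        events.append({"@timestamp": stamp(i * 60), "event_type": "space_exported", "username": "ir-collector",
                       "src_ip": "10.0.0.9", "space": "LEGAL"})
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for row in score_events(SAMPLE_EVENTS, allowlist=frozenset({"ir-collector"})):
        print(row["user"], row["ip"], row["RiskScore"], row["ThreatIndicator"])
```

Run as-is, only the scripted account surfaces (RiskScore 4, labelled as automated scraping because that indicator outranks credential hunting in the precedence list); the analyst scores 0 and is filtered, and the IR collector, which would otherwise fire the bulk-export indicator alone, is suppressed by the allowlist. Calling score_events(SAMPLE_EVENTS) without the allowlist shows the IR account as the RiskScore 1 row the tuning note describes.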
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Confluence Space Enumeration via REST API

    Expected signal: GET request to /rest/api/space visible in proxy logs with source host, user agent, and response bytes. Atlassian audit log records an API access event for the authenticated user. CloudAppEvents (if MCAS integrated) captures SpaceViewed or API access events per space returned.

  2. Test 2: Confluence Credential Hunting via Search API (CQL)

    Expected signal: Multiple GET requests to /rest/api/content/search with credential-related CQL query parameters visible in proxy logs and URL paths. Atlassian audit log records each SearchPerformed event with the query text. CloudAppEvents captures SearchPerformed events; the SensitiveSearchCount metric in the primary KQL query increments for each sensitive term.

  3. Test 3: Bulk Page Content Extraction with Body Storage Expansion

    Expected signal: GET request to /rest/api/content with expand=body.storage parameter in proxy logs. Significantly higher bytes-transferred value than a standard metadata-only request due to full page bodies. Atlassian audit log records content access events. File created in /tmp on attacker system.

  4. Test 4: Confluence Space XML Export via Web Interface

    Expected signal: POST to /dologin.action followed by GET to /spaces/exportspacezipxml.action visible in proxy logs. Large file download (ZIP archive) with high bytes-transferred. Atlassian audit log records a space export event under the authenticated user. CASB/MCAS captures SpaceExported or ContentExported event.
