Detect Confluence in IBM QRadar
Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.001 Confluence
- Canonical reference
- https://attack.mitre.org/techniques/T1213/001/
QRadar Detection Query
SELECT
DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstActivity,
DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastActivity,
username,
sourceip AS RemoteIP,
COUNT(*) AS TotalActions,
COUNT(DISTINCT QIDNAME(qid)) AS UniqueActionTypes,
SUM(CASE WHEN LOWER("action") IN ('page_viewed','content_viewed','space_viewed','pageviewed','contentviewed','spaceviewed') THEN 1 ELSE 0 END) AS PageViews,
SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed') THEN 1 ELSE 0 END) AS Searches,
SUM(CASE WHEN LOWER("action") IN ('content_exported','space_exported','attachment_downloaded','page_printed','contentexported','spaceexported','attachmentdownloaded') THEN 1 ELSE 0 END) AS ExportsAndDownloads,
SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed')
AND (
LOWER("searchQuery") LIKE '%password%' OR LOWER("searchQuery") LIKE '%passwd%'
OR LOWER("searchQuery") LIKE '%credential%' OR LOWER("searchQuery") LIKE '%secret%'
OR LOWER("searchQuery") LIKE '%api key%' OR LOWER("searchQuery") LIKE '%apikey%'
OR LOWER("searchQuery") LIKE '%token%' OR LOWER("searchQuery") LIKE '%vpn%'
OR LOWER("searchQuery") LIKE '%ssh%' OR LOWER("searchQuery") LIKE '%private key%'
OR LOWER("searchQuery") LIKE '% aws %' OR LOWER("searchQuery") LIKE '%azure%'
OR LOWER("searchQuery") LIKE '%gcp%' OR LOWER("searchQuery") LIKE '%bearer%'
OR LOWER("searchQuery") LIKE '%ldap%' OR LOWER("searchQuery") LIKE '%kerberos%'
OR LOWER("searchQuery") LIKE '%connection string%' OR LOWER("searchQuery") LIKE '%access key%'
OR LOWER("searchQuery") LIKE '%service account%'
)
THEN 1 ELSE 0 END) AS SensitiveSearchCount,
ROUND((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60000.0, 2) AS DurationMinutes,
CASE
WHEN COUNT(*) / GREATEST(ROUND((MAX(LONG(starttime)) - MIN(LONG(starttime))) / 60000.0, 1), 1) > 10
THEN 'Automated scraping — exceeds 10 actions/min'
WHEN SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed')
AND (LOWER("searchQuery") LIKE '%password%' OR LOWER("searchQuery") LIKE '%credential%'
OR LOWER("searchQuery") LIKE '%secret%' OR LOWER("searchQuery") LIKE '%api key%')
THEN 1 ELSE 0 END) > 0
THEN 'Credential/secret hunting via search queries'
WHEN SUM(CASE WHEN LOWER("action") IN ('content_exported','space_exported','page_printed') THEN 1 ELSE 0 END) > 5
THEN 'Bulk content export activity'
WHEN COUNT(*) > 40
THEN 'High-volume bulk Confluence access'
ELSE 'Elevated Confluence activity above threshold'
END AS ThreatIndicator
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) ILIKE '%confluence%'
OR LOGSOURCETYPENAME(devicetype) ILIKE '%atlassian%'
OR CATEGORYNAME(category) ILIKE '%confluence%'
GROUP BY
username,
sourceip,
TRUNC(starttime, 'HOUR')
HAVING
COUNT(*) > 40
OR SUM(CASE WHEN LOWER("action") IN ('search_performed','searchperformed')
AND (
LOWER("searchQuery") LIKE '%password%' OR LOWER("searchQuery") LIKE '%credential%'
OR LOWER("searchQuery") LIKE '%secret%' OR LOWER("searchQuery") LIKE '%api key%'
OR LOWER("searchQuery") LIKE '%token%' OR LOWER("searchQuery") LIKE '%vpn%'
OR LOWER("searchQuery") LIKE '%ssh%' OR LOWER("searchQuery") LIKE '%ldap%'
)
THEN 1 ELSE 0 END) > 0
OR SUM(CASE WHEN LOWER("action") IN ('content_exported','space_exported','page_printed','attachmentdownloaded') THEN 1 ELSE 0 END) > 5
ORDER BY TotalActions DESC
LAST 24 HOURSDetects T1213.001 Confluence data mining via IBM QRadar AQL by aggregating Confluence audit log events per user per hour. Identifies bulk access exceeding 40 actions, sensitive credential-hunting search queries, and excessive content exports. Groups by username and source IP within hourly windows and applies multi-factor risk scoring consistent with the reference KQL/SPL detections.
Data Sources
Required Tables
False Positives & Tuning
- Space administrators performing bulk space exports for backup, migration, or compliance archiving purposes during scheduled maintenance windows
- Security or compliance tools that crawl Confluence to enforce DLP policies or classify content — these may generate high-volume read access patterns
- Developers or DevOps engineers searching for infrastructure documentation using legitimate terms like 'aws', 'azure', or 'connection string' that trigger sensitive search term matches
Other platforms for T1213.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Confluence Space Enumeration via REST API
Expected signal: GET request to /rest/api/space visible in proxy logs with source host, user agent, and response bytes. Atlassian audit log records an API access event for the authenticated user. CloudAppEvents (if MCAS integrated) captures SpaceViewed or API access events per space returned.
- Test 2Confluence Credential Hunting via Search API (CQL)
Expected signal: Multiple GET requests to /rest/api/content/search with credential-related CQL query parameters visible in proxy logs and URL paths. Atlassian audit log records each SearchPerformed event with the query text. CloudAppEvents captures SearchPerformed events; the SensitiveSearchCount metric in the primary KQL query increments for each sensitive term.
- Test 3Bulk Page Content Extraction with Body Storage Expansion
Expected signal: GET request to /rest/api/content with expand=body.storage parameter in proxy logs. Significantly higher bytes-transferred value than a standard metadata-only request due to full page bodies. Atlassian audit log records content access events. File created in /tmp on attacker system.
- Test 4Confluence Space XML Export via Web Interface
Expected signal: POST to /dologin.action followed by GET to /spaces/exportspacezipxml.action visible in proxy logs. Large file download (ZIP archive) with high bytes-transferred. Atlassian audit log records a space export event under the authenticated user. CASB/MCAS captures SpaceExported or ContentExported event.
References (8)
- https://attack.mitre.org/techniques/T1213/001/
- https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://developer.atlassian.com/cloud/confluence/rest/v1/intro/
- https://confluence.atlassian.com/doc/confluence-audit-log-1017226528.html
- https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-shadow-it
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-cloudappevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.001/T1213.001.md
Unlock Pro Content
Get the full detection package for T1213.001 including response playbook, investigation guide, and atomic red team tests.