T1213.001 Splunk · SPL

Detect Confluence in Splunk

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion.

MITRE ATT&CK

Tactic
Collection
Technique
T1213 Data from Information Repositories
Sub-technique
T1213.001 Confluence
Canonical reference
https://attack.mitre.org/techniques/T1213/001/

SPL Detection Query

Splunk (SPL)
spl 
index=atlassian sourcetype="atlassian:confluence:audit"
| eval event_type=lower(coalesce(type, eventType, action, "unknown"))
| eval username=coalesce(author, 'author.publicName', username, user, "unknown")
| eval remote_ip=coalesce(remoteAddress, remote_address, src_ip, "-")
| eval page_title=coalesce('content.title', pageTitle, title, "-")
| eval space_key=coalesce('space.key', spaceKey, space, "-")
| eval search_query=lower(coalesce(searchQuery, query, "-"))
| eval is_view=if(match(event_type, "(view|viewed|read)"), 1, 0)
| eval is_search=if(match(event_type, "search"), 1, 0)
| eval is_export=if(match(event_type, "(export|print|pdf|download)"), 1, 0)
| eval is_sensitive_search=if(
    is_search=1 AND match(search_query,
    "(password|passwd|credential|secret|api.?key|token|vpn|ssh|private.?key|aws|azure|gcp|bearer|ldap|kerberos|connection.?string|access.?key)"),
    1, 0)
| bucket _time span=1h
| stats
    count as TotalActions,
    sum(is_view) as PageViews,
    sum(is_search) as Searches,
    sum(is_export) as Exports,
    sum(is_sensitive_search) as SensitiveSearches,
    dc(space_key) as UniqueSpaces,
    dc(page_title) as UniquePages,
    values(eval(if(is_sensitive_search=1, search_query, null()))) as SensitiveTermsSearched,
    earliest(_time) as FirstActivity,
    latest(_time) as LastActivity
    by username, remote_ip, _time
| eval DurationMinutes=max(round((LastActivity - FirstActivity) / 60, 1), 1)
| eval AccessRatePerMin=round(TotalActions / DurationMinutes, 2)
| eval BulkAccess=if(TotalActions > 40, 1, 0)
| eval AutomatedScraping=if(AccessRatePerMin > 10, 1, 0)
| eval MultiSpaceEnum=if(UniqueSpaces > 5, 1, 0)
| eval CredentialHunting=if(SensitiveSearches > 0, 1, 0)
| eval BulkExport=if(Exports > 5, 1, 0)
| eval RiskScore=BulkAccess + AutomatedScraping + MultiSpaceEnum + CredentialHunting + BulkExport
| where RiskScore > 0
| eval ThreatIndicator=case(
    AutomatedScraping=1, "Automated scraping ("+tostring(AccessRatePerMin)+" pages/min)",
    CredentialHunting=1, "Credential hunting — "+tostring(SensitiveSearches)+" sensitive searches",
    BulkExport=1, "Bulk export activity — "+tostring(Exports)+" exports",
    MultiSpaceEnum=1, "Multi-space enumeration — "+tostring(UniqueSpaces)+" spaces accessed",
    BulkAccess=1, "High-volume bulk access — "+tostring(TotalActions)+" actions",
    1=1, "Elevated Confluence activity")
| table _time, username, remote_ip, TotalActions, UniquePages, UniqueSpaces,
        Searches, SensitiveSearches, SensitiveTermsSearched, Exports,
        AccessRatePerMin, ThreatIndicator, RiskScore
| sort - RiskScore, - TotalActions
medium severity medium confidence

Detects Confluence data mining using Atlassian Confluence audit log data ingested via the Splunk Add-on for Atlassian. Classifies events into view, search, and export categories per hour per user, then evaluates five risk indicators: bulk access (>40 actions/hour), automated scraping pace (>10 actions/minute), multi-space enumeration (>5 spaces), credential hunting via sensitive search terms, and bulk exports (>5/hour). A composite RiskScore helps analysts triage alerts. Requires Confluence audit log ingestion via the Atlassian add-on or REST API collection to the atlassian index.

Data Sources

Application Log: Application Log ContentAtlassian Confluence Audit LogAtlassian REST Audit API

Required Sourcetypes

atlassian:confluence:audit

False Positives & Tuning

  • Content migration projects or Confluence-to-Confluence migrations running automated page transfers at high volume
  • Documentation teams conducting content audits, broken link detection, or space-wide reviews
  • Enterprise search indexing crawlers periodically ingesting Confluence content
  • New employees or contractors onboarding with rapid documentation review in first week
  • Scheduled backup or archival tools performing automated space exports
  • Developer tooling and IDE integrations reading Confluence pages programmatically
Download portable Sigma rule (.yml)

Other platforms for T1213.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Confluence Space Enumeration via REST API

    Expected signal: GET request to /rest/api/space visible in proxy logs with source host, user agent, and response bytes. Atlassian audit log records an API access event for the authenticated user. CloudAppEvents (if MCAS integrated) captures SpaceViewed or API access events per space returned.

  2. Test 2Confluence Credential Hunting via Search API (CQL)

    Expected signal: Multiple GET requests to /rest/api/content/search with credential-related CQL query parameters visible in proxy logs and URL paths. Atlassian audit log records each SearchPerformed event with the query text. CloudAppEvents captures SearchPerformed events; the SensitiveSearchCount metric in the primary KQL query increments for each sensitive term.

  3. Test 3Bulk Page Content Extraction with Body Storage Expansion

    Expected signal: GET request to /rest/api/content with expand=body.storage parameter in proxy logs. Significantly higher bytes-transferred value than a standard metadata-only request due to full page bodies. Atlassian audit log records content access events. File created in /tmp on attacker system.

  4. Test 4Confluence Space XML Export via Web Interface

    Expected signal: POST to /dologin.action followed by GET to /spaces/exportspacezipxml.action visible in proxy logs. Large file download (ZIP archive) with high bytes-transferred. Atlassian audit log records a space export event under the authenticated user. CASB/MCAS captures SpaceExported or ContentExported event.

Last updated: 2026-04-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1213.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.002SharepointT1213.003Code RepositoriesT1213.004Customer Relationship Management SoftwareT1213.005Messaging ApplicationsT1213.006Databases

Related Techniques

T1213Data from Information RepositoriesT1213.002SharepointT1552Unsecured CredentialsT1552.001Credentials In FilesT1078Valid AccountsT1078.004Cloud AccountsT1530Data from Cloud StorageT1048Exfiltration Over Alternative ProtocolT1083File and Directory DiscoveryT1087Account DiscoveryT1114.002Remote Email Collection

Same Tactic: Collection

Popular Detections