title: Confluence (T1213.001)
id: df00tech-t1213-001
status: experimental
description: "Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation but may contain diverse categories of sensitive information including: policies and procedures, physical/logical network diagrams, system architecture diagrams, technical system documentation, testing/development credentials, work/project schedules, source code snippets, and links to internal resources. LAPSUS$ is documented to have specifically searched victim Confluence and JIRA instances to discover high-privilege account credentials as part of their data theft operations, making this a high-value target during the collection phase of an intrusion."
references:
  - https://attack.mitre.org/techniques/T1213/001/
  - https://df00tech.com/detections/T1213.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1213.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
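  # This detection logic could not be auto-translated. The selection below is a placeholder
  # that matches any event carrying an EventID field; replace it using the KQL/SPL query on df00tech before deploying.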
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Content migration projects or Confluence-to-Confluence migrations where automation accesses all pages systematically with high volume and speed
  - "Documentation teams or technical writers conducting content audits, broken link validation, or space-wide inventories across multiple spaces"
  - "Enterprise search indexing crawlers (Elasticsearch, Algolia connectors) that periodically ingest Confluence content for full-text search"
  - New employees or contractors onboarding who rapidly read many documentation pages in their first week
  - Automated backup and archival tools performing scheduled full-space exports on a recurring basis
  - "Developer tooling integrations (IDE plugins, CI/CD pipeline documentation steps) that programmatically read Confluence pages"
level: medium
