Atlassian Confluence site export
Goal
Detect when a Confluence site export occurs.
Strategy
This rule monitors Confluence audit logs for when a site export occurs. A site export includes the following data:
- Each space’s default classification level when applicable.
- Pages, including their classification level when applicable.
- Users and their group settings.
- Attachments (if selected).
Because of the sensitive nature of the data documented in Confluence, an attacker may export it to mine for valuable information.
Triage and response
- Determine if the user {{@usr.name}} intended to enable the public link:
  - Is {{@usr.name}} aware of this activity?
- If the results of the triage indicate that {{@usr.name}} was not aware of this activity or it did not originate from a known network, begin your company’s incident response process, and start an investigation.
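The detection and the known-network triage check described above can be sketched offline as follows. This is an added example, not the rule's own query or code. The record field names (`action`, `actor`, `source_ip`, `time`), the `site_export` action value, and the network ranges are assumptions for illustration, not the real Confluence audit log schema.

```python
import ipaddress
import json

# Constructed sample records; field names and values are assumptions,
# not the real Confluence audit log schema.
SAMPLE_AUDIT_LOG = """\
{"time": "2024-05-01T09:12:03Z", "action": "page_viewed", "actor": "alice", "source_ip": "10.20.1.15"}
{"time": "2024-05-01T09:40:11Z", "action": "site_export", "actor": "bob", "source_ip": "10.20.4.7"}
{"time": "2024-05-01T23:58:42Z", "action": "site_export", "actor": "carol", "source_ip": "203.0.113.50"}
not-json line from a broken forwarder
"""

# Assumed corporate ranges; replace with the networks your organization trusts.
KNOWN_NETWORKS = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "192.0.2.0/24")]
EXPORT_ACTION = "site_export"  # hypothetical action name


def from_known_network(ip_text):
    """Return True only if ip_text parses and falls inside a known network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed address is treated as unknown
    return any(ip in net for net in KNOWN_NETWORKS)


def triage_site_exports(raw_log):
    """Pick out site export events and attach the triage decision for each."""
    findings = []
    for line in raw_log.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON records
        if not isinstance(rec, dict) or rec.get("action") != EXPORT_ACTION:
            continue
        known = from_known_network(rec.get("source_ip", ""))
        findings.append({
            "user": rec.get("actor"),
            "time": rec.get("time"),
            "source_ip": rec.get("source_ip"),
            "known_network": known,
            # A known network still requires confirming the user was aware.
            "next_step": "confirm with user" if known else "escalate to incident response",
        })
    return findings


if __name__ == "__main__":
    for finding in triage_site_exports(SAMPLE_AUDIT_LOG):
        print(finding)
```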