Матрица MITRE ATT&CK

Technique on mitre.org

T1213.001: Confluence

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:

Policies, procedures, and standards
Physical / logical network diagrams
System architecture diagrams
Technical system documentation
Testing / development credentials
Work / project schedules
Source code snippets
Links to network shares and other internal resources

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Confluence repositories to mine valuable information. Watch for access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.

ID	DS0028	Data source and component	Logon Session: Logon Session Creation	Description	Monitor for newly constructed logon behavior across Atlassian's Confluence which can be configured to report access to certain pages and documents through AccessLogFilter. Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

ID	Data source and component	Description
DS0015	Application Log: Application Log Content	Monitor for third-party application logging, messaging, and/or other artifacts that may leverage Confluence repositories to mine valuable information. Watch for access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.
DS0028	Logon Session: Logon Session Creation	Monitor for newly constructed logon behavior across Atlassian's Confluence which can be configured to report access to certain pages and documents through AccessLogFilter. Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.

Mitigation

ID	M1017	Name	User Training	Description	Develop and publish policies that define acceptable information to be stored in Confluence repositories.

ID	M1047	Name	Audit	Description	Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.

ID	M1018	Name	User Account Management	Description	Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.

ID	Name	Description
M1017	User Training	Develop and publish policies that define acceptable information to be stored in Confluence repositories.
M1047	Audit	Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.
M1018	User Account Management	Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.