Atlassian

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.

This rule detects Linux process executions that access high-value Kubernetes service-account material, kubeconfig or node PKI paths, or common cloud files, potentially indicating credential theft within in-cluster and hybrid environments.

Multiple vulnerabilities exist in Atlassian products including Bamboo, Bitbucket, Confluence, Crucible, Fisheye, and Jira which could lead to arbitrary code execution, denial of service, information disclosure, cross-site scripting, and security bypass.

Atlassian released a security advisory on May 19, 2026, addressing vulnerabilities in multiple products including Bamboo, Bitbucket, Confluence, Fisheye/Crucible, Jira, and Jira Service Management Data Center and Server.

Multiple vulnerabilities in Atlassian Jira could allow an attacker to execute arbitrary code, manipulate and disclose data, conduct cross-site scripting attacks, or cause a denial-of-service condition.

CVE-2026-41103 describes an incorrect implementation of the authentication algorithm in Microsoft SSO Plugin for Jira & Confluence, allowing an unauthorized attacker to elevate privileges over a network.

Atlassian released a security advisory addressing multiple critical vulnerabilities in Bamboo, Bitbucket, Confluence, Jira, and Jira Service Management Data Center and Server products.

Multiple vulnerabilities in Atlassian Bamboo, Bitbucket, Confluence, Jira, and Jira Service Management allow attackers to execute arbitrary code, bypass security measures, manipulate data, disclose information, or perform cross-site scripting attacks.

Attackers may delete secret scanning rules in Bitbucket to impair defenses and introduce secrets into the code repository undetected, potentially leading to unauthorized access or data breaches.

An attacker modifies Bitbucket global SSH settings to potentially enable unauthorized access and lateral movement.

An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.

This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.

An adversary with administrative privileges may delete global secret scanning rules in Bitbucket to impair defenses and exfiltrate sensitive data without detection.

An attacker may attempt to disable or bypass secret scanning on a Bitbucket repository to avoid detection of committed secrets, potentially leading to credential compromise and subsequent unauthorized access.

An adversary may impair defenses by adding a secret scanning allowlist rule for Bitbucket projects, potentially allowing secrets to be committed and exposed.

Detection of Bitbucket user login failures, potentially indicating credential access attempts, initial access attempts, or other malicious activity.

The Lazarus Group is distributing a new variant of the Dacls RAT targeting macOS systems via a trojanized application, installing a hidden executable and attempting persistence.

A Metasploit module exploits Atlassian Confluence servers by deploying a malicious Java plugin that downloads Meterpreter, granting the attacker full control over the compromised system.

FireFighter versions before 0.0.54 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `/api/v2/firefighter/raid/jira_bot` endpoint, allowing attackers to potentially steal IAM credentials in cloud environments.