DET0358 Programmatic and Excessive Access to Confluence Documentation

| Item | Value |
|---|---|
| ID | DET0358 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1213.001 (Confluence)

Analytics

SaaS

AN1019

Detection of excessive or programmatic access to Confluence spaces or pages, particularly by privileged users, through a combination of access logs, API usage, and identity context. Correlates logon sessions, user roles, and abnormal document viewing or export behavior. Identifies burst access patterns and tools/scripts abusing the Confluence API for mass enumeration or data scraping.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:confluence | access.content |
| Logon Session Creation (DC0067) | saas:confluence | logon |
| Network Traffic Content (DC0085) | saas:confluence | REST API access from non-browser agents |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Defines the time span (e.g., 5m, 1h) in which excessive access behavior becomes suspicious. |
| UserContext | Privileged user roles (e.g., domain admins) should be excluded or flagged if found accessing documentation repositories. |
| AccessThreshold | The number of pages viewed or exported by a single user before triggering detection logic. |
| AgentFilter | User agent strings that may indicate scripted, automated, or non-interactive access methods. |
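
How the four mutable elements combine into a burst-access check, as an added example that is not part of the original analytic. The record fields (`ts`, `user`, `page_id`, `user_agent`), the threshold values, the agent patterns and the `svc-admin` account are assumptions constructed for illustration, not Confluence's own log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Mutable elements from the analytic; values are constructed, tune per environment.
TIME_WINDOW = timedelta(minutes=5)
ACCESS_THRESHOLD = 20             # distinct pages per user inside TIME_WINDOW
AGENT_FILTER = re.compile(r"python-requests|curl|wget|Go-http-client", re.I)
PRIVILEGED_USERS = {"svc-admin"}  # UserContext: hypothetical privileged account

def detect(events):
    """Return one alert per user whose distinct page views or exports within
    TIME_WINDOW reach ACCESS_THRESHOLD. Events must be sorted by time."""
    windows = defaultdict(deque)  # user -> deque of (ts, page_id, agent)
    alerts = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        win = windows[ev["user"]]
        win.append((ts, ev["page_id"], ev["user_agent"]))
        while win and ts - win[0][0] > TIME_WINDOW:  # slide the window forward
            win.popleft()
        pages = {p for _, p, _ in win}
        if len(pages) >= ACCESS_THRESHOLD and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "user": ev["user"],
                "first_seen": win[0][0].isoformat(),
                "distinct_pages": len(pages),
                "scripted_agent": any(AGENT_FILTER.search(a) for _, _, a in win),
                "privileged": ev["user"] in PRIVILEGED_USERS,  # flag, do not drop
            }
    return list(alerts.values())

def sample_events():
    """Constructed access records, not real Confluence log output."""
    base, evs = datetime(2025, 10, 21, 9, 0, 0), []
    # svc-admin: 30 pages in 60 seconds through a script user agent (burst)
    for i in range(30):
        evs.append({"ts": (base + timedelta(seconds=2 * i)).isoformat(),
                    "user": "svc-admin", "page_id": 1000 + i,
                    "user_agent": "python-requests/2.31"})
    # alice: 6 pages over an hour from a browser (ordinary reading)
    for i in range(6):
        evs.append({"ts": (base + timedelta(minutes=10 * i)).isoformat(),
                    "user": "alice", "page_id": 2000 + i,
                    "user_agent": "Mozilla/5.0"})
    return sorted(evs, key=lambda e: e["ts"])

if __name__ == "__main__":
    print(detect(sample_events()))
```

Counting distinct pages rather than raw requests keeps page reloads from inflating the score, and the user agent is recorded as context on the alert rather than used as a gate, since a scraper can present a browser user agent.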