GitHub Repo

Analytics Story: Confluence Data Center and Confluence Server Vulnerabilities

Updated Date: 2026-05-13 ID: 509387a5-ab53-4656-8bb5-4bc8c2c074d9 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

The following analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server.

Why it matters

The analytic story of Confluence Data Center and Confluence Server encompasses a comprehensive approach to safeguarding these platforms from a variety of threats. By leveraging the analytics created in the project, security teams are equipped to detect, investigate, and respond to potential attacks that target Confluence environments.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 External Remote Services, Exploit Public-Facing Application, Server Software Component TTP
Windows Metasploit Confluence Plugin Execution Exploit Public-Facing Application, Web Shell, Stage Capabilities TTP
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Exploit Public-Facing Application TTP
Windows Unusual File Creation in Confluence Directory Exploit Public-Facing Application, Upload Malware, Upload Tool Anomaly
Confluence Data Center and Server Privilege Escalation Exploit Public-Facing Application TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Palo Alto Network Threat Network icon Network pan:threat not_applicable
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Suricata Other suricata not_applicable
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Nginx Access Other nginx:plus:kv /var/log/nginx/access.log

References

Source: GitHub | Version: 2