PST Export Alert Using eDiscovery Alert
Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
Sigma rule (View on GitHub)
1title: PST Export Alert Using eDiscovery Alert
2id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
3related:
4 - id: 6897cd82-6664-11ed-9022-0242ac120002
5 type: similar
6status: test
7description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
8references:
9 - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
10author: Sorina Ionescu
11date: 2022-02-08
12modified: 2022-11-17
13tags:
14 - attack.collection
15 - attack.t1114
16logsource:
17 service: threat_management
18 product: m365
19 definition: Requires the 'eDiscovery search or exported' alert to be enabled
20detection:
21 selection:
22 eventSource: SecurityComplianceCenter
23 eventName: 'eDiscovery search started or exported'
24 status: success
25 condition: selection
26falsepositives:
27 - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
28level: medium
References
-
Create alert policies in the Microsoft Purview compliance portal or the Microsoft Defender portal to monitor potential threats, data loss, and permissions issues.
Read More
Related rules
- Exchange PowerShell Snap-Ins Usage
- PST Export Alert Using New-ComplianceSearchAction
- Email Forwarding Rule - Suspicious Folders
- Email Forwarding Rule - Suspicious Forwarding Criteria
- Email Forwarding Rule - Suspicious Rule Names