PST Export Alert Using New-ComplianceSearchAction

calendar Aug 12, 2024 · attack.collection attack.t1114  ·
Share on: linkedin copy

Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.

Sigma rule (View on GitHub)

 1title: PST Export Alert Using New-ComplianceSearchAction
 2id: 6897cd82-6664-11ed-9022-0242ac120002
 3related:
 4    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
 5      type: similar
 6status: test
 7description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
 8references:
 9    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
10author: Nikita Khalimonenkov
11date: 2022-11-17
12tags:
13    - attack.collection
14    - attack.t1114
15logsource:
16    service: threat_management
17    product: m365
18detection:
19    selection:
20        eventSource: SecurityComplianceCenter
21        Payload|contains|all:
22            - 'New-ComplianceSearchAction'
23            - 'Export'
24            - 'pst'
25    condition: selection
26falsepositives:
27    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
28level: medium

References

  • New-ComplianceSearchAction (ExchangePowerShell)

    After you create a content search using the New-ComplianceSearch cmdlet and run it using the Start-ComplianceSearch cmdlet, you assign a search action to the search using the New-ComplianceSearchAction cmdlet. In on-premises Exchange, this cmdlet is available in the Mailbox Search role. By default, this role is assigned only to the Discovery Management role group. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet. In Microsoft 365, the account that you use to run this cmdlet must have a valid Microsoft 365 license assigned. To use this cmdlet in Security & Compliance PowerShell, you need to be assigned permissions. For more information, see Permissions in the Microsoft Purview compliance portal.


    Read More

Related rules

to-top