PST Export Alert Using New-ComplianceSearchAction
Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
Sigma rule (View on GitHub)
1title: PST Export Alert Using New-ComplianceSearchAction
2id: 6897cd82-6664-11ed-9022-0242ac120002
3related:
4 - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
5 type: similar
6status: test
7description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
8references:
9 - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
10author: Nikita Khalimonenkov
11date: 2022/11/17
12tags:
13 - attack.collection
14 - attack.t1114
15logsource:
16 service: threat_management
17 product: m365
18detection:
19 selection:
20 eventSource: SecurityComplianceCenter
21 Payload|contains|all:
22 - 'New-ComplianceSearchAction'
23 - 'Export'
24 - 'pst'
25 condition: selection
26falsepositives:
27 - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
28level: medium
References
Related rules
- PST Export Alert Using eDiscovery Alert
- AWS EC2 VM Export Failure
- Clipboard Collection with Xclip Tool
- Powershell Keylogging
- WinDivert Driver Load