Detectionmediumtest

PST Export Alert Using eDiscovery Alert

Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sorina IonescuCreated Tue Feb 08Updated Thu Nov 1718b88d08-d73e-4f21-bc25-4b9892a4fdd0cloud

Log Source

Microsoft 365threat_management

ProductMicrosoft 365← raw: m365

Servicethreat_management← raw: threat_management

Definition

Requires the 'eDiscovery search or exported' alert to be enabled

Detection Logic

detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'eDiscovery search started or exported'
        status: success
    condition: selection

False Positives

PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0009 · Collection

Techniques

T1114 · Email Collection

Related Rules

SimilarDetectionmedium

PST Export Alert Using New-ComplianceSearchAction

Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

18b88d08-d73e-4f21-bc25-4b9892a4fdd0

Status

test

Level

medium

Type

Detection

Created

Tue Feb 08

Modified

Thu Nov 17

Author

Sorina Ionescu

Path

rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml

Raw Tags

attack.collectionattack.t1114

View on GitHub