PST Export Alert Using New-ComplianceSearchAction
Alerts when a user exports the results of a compliance search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection catches a PST export even if the 'eDiscovery search or exported' alert is disabled in O365. The rule applies to usage from Exchange PowerShell as well as from the cloud.
Log Source
Product: Microsoft 365 (raw: m365)
Service: threat_management (raw: threat_management)
Detection Logic (1 selector)
detection:
    selection:
        eventSource: SecurityComplianceCenter
        Payload|contains|all:
            - 'New-ComplianceSearchAction'
            - 'Export'
            - 'pst'
    condition: selection

False Positives
Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
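As an added example (not part of the rule page or the Sigma project), a Python matcher that applies the selection above to constructed Microsoft 365 audit records, using Sigma's default case-insensitive semantics for contains|all; the record keys mirror the rule's field names (eventSource, Payload), and the UserId key and all sample events are assumptions.

```python
"""Apply the Sigma selection above to Microsoft 365 audit records.

Added example, not the page's or the Sigma project's own code. The record
layout (eventSource / Payload / UserId keys) is assumed, and the sample
events below are constructed, not real audit data.
"""
import json

# Values copied from the rule's detection block.
EVENT_SOURCE = "SecurityComplianceCenter"
PAYLOAD_TERMS = ("New-ComplianceSearchAction", "Export", "pst")


def matches_rule(record: dict) -> bool:
    """Return True when the record satisfies `selection`.

    Sigma string modifiers (contains|all) are case-insensitive by default,
    so both the Payload and the terms are lower-cased before comparison.
    A record missing either field never matches.
    """
    if record.get("eventSource") != EVENT_SOURCE:
        return False
    payload = str(record.get("Payload", "")).lower()
    return all(term.lower() in payload for term in PAYLOAD_TERMS)


def find_pst_exports(raw_lines):
    """Yield (user, payload) for every JSON line that triggers the rule."""
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if matches_rule(rec):
            yield rec.get("UserId", "<unknown>"), rec["Payload"]


# Constructed sample events: one PST export (should alert), one preview-only
# action, one export logged by a different source, one export to a non-PST
# format. Only the first line satisfies all three conditions.
SAMPLE_LOG = """
{"eventSource": "SecurityComplianceCenter", "UserId": "alice@example.test", "Payload": "New-ComplianceSearchAction -SearchName 'Case42' -Export -Format FxStream -ExchangeArchiveFormat PerUserPst"}
{"eventSource": "SecurityComplianceCenter", "UserId": "bob@example.test", "Payload": "New-ComplianceSearchAction -SearchName 'Case42' -Preview"}
{"eventSource": "Exchange", "UserId": "carol@example.test", "Payload": "New-ComplianceSearchAction -SearchName 'X' -Export -ExchangeArchiveFormat PerUserPst"}
{"eventSource": "SecurityComplianceCenter", "UserId": "dave@example.test", "Payload": "New-ComplianceSearchAction -SearchName 'Case7' -Export -Format Mime"}
"""

if __name__ == "__main__":
    for user, payload in find_pst_exports(SAMPLE_LOG.splitlines()):
        print(f"ALERT PST export by {user}: {payload}")
```

Because 'pst' is matched case-insensitively as a substring, a hit still needs the analyst triage described in the false-positive note above.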
References
MITRE ATT&CK
Tactics: Collection (attack.collection)
Techniques: T1114 Email Collection (attack.t1114)
Rule Metadata
Rule ID: 6897cd82-6664-11ed-9022-0242ac120002
Status: test
Level: medium
Type: Detection
Created: Thu Nov 17
Author:
Path: rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
Raw Tags: attack.collection, attack.t1114