Nasreddine Bencherchali
29 lines
1.0 KiB
YAML
29 lines
1.0 KiB
YAML
title: PST Export Alert Using eDiscovery Alert
|
|
id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
|
|
related:
|
|
- id: 6897cd82-6664-11ed-9022-0242ac120002
|
|
type: similar
|
|
status: experimental
|
|
description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
|
|
references:
|
|
- https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
|
|
author: Sorina Ionescu
|
|
date: 2022/02/08
|
|
modified: 2022/11/17
|
|
tags:
|
|
- attack.collection
|
|
- attack.t1114
|
|
logsource:
|
|
service: threat_management
|
|
product: m365
|
|
definition: Requires the 'eDiscovery search or exported' alert to be enabled
|
|
detection:
|
|
selection:
|
|
eventSource: SecurityComplianceCenter
|
|
eventName: 'eDiscovery search started or exported'
|
|
status: success
|
|
condition: selection
|
|
falsepositives:
|
|
- PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
|
|
level: medium
|