LoFP / compliance content search exports may be executed for legitimate purposes, filter as needed.

Techniques

Sample rules

O365 Compliance Content Search Exported

Description

The following analytic identifies when the results of a content search within the Office 365 Security and Compliance Center are exported. It uses the SearchExported operation from the SecurityComplianceCenter workload in the o365_management_activity data source. This activity is significant because exporting search results can involve sensitive or critical organizational data, potentially leading to data exfiltration. If confirmed malicious, an attacker could gain access to and exfiltrate sensitive information, posing a severe risk to the organization’s data security and compliance posture.

Detection logic

`o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported"
| rename user_id as user
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_compliance_content_search_exported_filter`
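As an added example (not part of the LoFP page or the Splunk rule), the aggregation above re-implemented in Python over constructed o365_management_activity records, so the effect of the false-positive filter can be seen on sample data. The service-account allow-list standing in for the `o365_compliance_content_search_exported_filter` macro, and the raw field names UserId/CreationTime in place of the CIM-normalised user_id/_time, are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real tenant data); field names follow the
# O365 Management Activity schema. The last event is not an export and must
# be ignored by the detection.
SAMPLE_EVENTS = [
    {"Workload": "SecurityComplianceCenter", "Operation": "SearchExported",
     "UserId": "ediscovery-svc@example.com", "ObjectId": "Case-Legal-2024",
     "ExchangeLocations": "All", "Query": "subject:contract",
     "CreationTime": "2024-05-01T08:00:00"},
    {"Workload": "SecurityComplianceCenter", "Operation": "SearchExported",
     "UserId": "jdoe@example.com", "ObjectId": "Search-Finance",
     "ExchangeLocations": "All", "Query": "subject:payroll",
     "CreationTime": "2024-05-01T09:05:00"},
    {"Workload": "SecurityComplianceCenter", "Operation": "SearchExported",
     "UserId": "JDoe@example.com", "ObjectId": "Search-Finance",
     "ExchangeLocations": "All", "Query": "subject:payroll",
     "CreationTime": "2024-05-01T11:30:00"},
    {"Workload": "SecurityComplianceCenter", "Operation": "SearchCreated",
     "UserId": "jdoe@example.com", "ObjectId": "Search-Finance",
     "ExchangeLocations": "All", "Query": "subject:payroll",
     "CreationTime": "2024-05-01T09:00:00"},
]


def detect_search_exports(events, allowed_users=frozenset()):
    """Mirror the SPL: keep SearchExported events from the compliance workload,
    group by Operation/ObjectId/ExchangeLocations/user/Query, and report
    count, firstTime and lastTime. `allowed_users` (an assumption) plays the
    role of the o365_compliance_content_search_exported_filter macro."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("Workload") != "SecurityComplianceCenter":
            continue
        if ev.get("Operation") != "SearchExported":
            continue
        user = ev.get("UserId", "").lower()  # normalise case before grouping
        if user in allowed_users:
            continue  # known-legitimate exporter, tuned out as a false positive
        key = (ev["Operation"], ev.get("ObjectId"), ev.get("ExchangeLocations"),
               user, ev.get("Query"))
        groups[key].append(datetime.fromisoformat(ev["CreationTime"]))
    rows = []
    for (operation, object_id, locations, user, query), times in groups.items():
        rows.append({"Operation": operation, "ObjectId": object_id,
                     "ExchangeLocations": locations, "user": user, "Query": query,
                     "count": len(times), "firstTime": min(times).isoformat(),
                     "lastTime": max(times).isoformat()})
    return sorted(rows, key=lambda r: r["firstTime"])
```

Running `detect_search_exports(SAMPLE_EVENTS)` without an allow-list surfaces both the eDiscovery service account and jdoe; passing the service account in `allowed_users` leaves only the jdoe row, which is the tuning the LoFP note asks for.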