Techniques
Sample rules
O365 Compliance Content Search Exported
- source: splunk
- techniques:
- T1114
- T1114.002
Description
This detection targets activities where the results of a content search within the Office 365 Security and Compliance Center are exported, a crucial phase in compliance and investigative workflows. By focusing on the SearchExported operation logged under the SecurityComplianceCenter workload in the o365_management_activity data source, this analytic flags instances that potentially move sensitive or critical organizational data outside its original storage locations.
Detection logic
`o365_management_activity` Workload=SecurityComplianceCenter Operation="SearchExported"
| rename user_id as user
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Operation, ObjectId, ExchangeLocations, user, Query
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_compliance_content_search_exported_filter`
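To show what the search above actually produces, here is an added Python replay of its filter and stats clause over a few constructed o365_management_activity events (example code, not part of the Splunk security content project). It assumes the events already carry `user_id` as the Splunk add-on extracts it, that `CreationTime` is the event time, and that `security_content_ctime` formats epochs as `%Y-%m-%dT%H:%M:%S`.

```python
import json
from datetime import datetime, timezone

# Constructed sample events shaped like o365_management_activity records
# (user_id assumed already extracted from UserId by the Splunk add-on).
SAMPLE_EVENTS = [
    '{"CreationTime":"2024-05-01T09:15:00","Workload":"SecurityComplianceCenter",'
    '"Operation":"SearchExported","user_id":"analyst@example.com","ObjectId":"Legal Hold 42",'
    '"ExchangeLocations":"All","Query":"subject:merger"}',
    '{"CreationTime":"2024-05-01T09:40:00","Workload":"SecurityComplianceCenter",'
    '"Operation":"SearchExported","user_id":"analyst@example.com","ObjectId":"Legal Hold 42",'
    '"ExchangeLocations":"All","Query":"subject:merger"}',
    '{"CreationTime":"2024-05-01T10:05:00","Workload":"SecurityComplianceCenter",'
    '"Operation":"SearchExported","user_id":"contractor@example.com","ObjectId":"Ad hoc search",'
    '"ExchangeLocations":"cfo@example.com","Query":"payroll"}',
    '{"CreationTime":"2024-05-01T10:06:00","Workload":"SecurityComplianceCenter",'
    '"Operation":"SearchCreated","user_id":"analyst@example.com","ObjectId":"Legal Hold 43",'
    '"ExchangeLocations":"All","Query":"subject:audit"}',
]

# The "by" fields of the stats clause (user_id is renamed to user in the output).
GROUP_FIELDS = ("Operation", "ObjectId", "ExchangeLocations", "user_id", "Query")


def ctime(epoch):
    # Assumed output shape of the security_content_ctime macro.
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def search_exported_stats(raw_events):
    """Apply the detection's filter and stats clause to raw JSON event lines."""
    groups = {}
    for line in raw_events:
        ev = json.loads(line)
        # Workload=SecurityComplianceCenter Operation="SearchExported"
        if ev.get("Workload") != "SecurityComplianceCenter" or ev.get("Operation") != "SearchExported":
            continue
        epoch = datetime.fromisoformat(ev["CreationTime"]).replace(tzinfo=timezone.utc).timestamp()
        key = tuple(ev.get(f) for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": epoch, "lastTime": epoch})
        g["count"] += 1  # stats count earliest(_time) latest(_time)
        g["firstTime"] = min(g["firstTime"], epoch)
        g["lastTime"] = max(g["lastTime"], epoch)
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["user"] = row.pop("user_id")  # rename user_id as user
        row.update(count=g["count"], firstTime=ctime(g["firstTime"]), lastTime=ctime(g["lastTime"]))
        rows.append(row)
    return rows
```

The SearchCreated event is dropped by the filter, and the two exports of the same search by the same user collapse into one row with count 2, which is the row an analyst would review against change tickets or eDiscovery case records.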