PST Export Alert Using New-ComplianceSearchAction
- source: sigma
- techniques:
  - t1114
Description
Alerts when a user has exported the results of a compliance search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection catches a PST export even when the 'eDiscovery search or exported' alert policy is disabled in O365. The rule applies to ExchangePowerShell usage and to actions performed from the cloud.
Detection logic
selection:
    eventSource: SecurityComplianceCenter
    Payload|contains|all:
        - New-ComplianceSearchAction
        - Export
        - pst
condition: selection
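The selection above is a conjunction of two field checks: an exact match on eventSource and a `contains|all` on Payload, which Sigma evaluates as case-insensitive substring matching. The following is an added example, not part of the rule page or of the Sigma project, that transcribes that selection into a small Python evaluator and runs it over constructed audit records; the field names `Payload` and `eventSource` are taken from the rule, while the record contents (user names, search names, cmdlet parameters) are made up for illustration.

```python
"""
Added example (not from the rule page): a minimal evaluator for this Sigma
rule's selection, run over constructed Security & Compliance Center records.
Field names `Payload` and `eventSource` come from the rule; everything else
in SAMPLE_RECORDS is constructed sample data, not real telemetry.
"""
from typing import Iterable

# The rule's selection, transcribed from the detection logic on the page.
RULE = {
    "eventSource": "SecurityComplianceCenter",
    "Payload|contains|all": ["New-ComplianceSearchAction", "Export", "pst"],
}


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma `contains|all`: every needle must occur as a substring.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased; a backend that compiles this to a case-sensitive query would
    silently miss a lower-cased cmdlet invocation.
    """
    haystack = value.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches(record: dict) -> bool:
    """Return True when the record satisfies every field of the selection."""
    if record.get("eventSource") != RULE["eventSource"]:
        return False
    payload = record.get("Payload", "")  # a record without Payload cannot match
    return contains_all(payload, RULE["Payload|contains|all"])


def alerts(records: Iterable[dict]) -> list:
    """Return the ids of all records that would raise this alert."""
    return [r["id"] for r in records if matches(r)]


# Constructed sample records (illustrative only).
SAMPLE_RECORDS = [
    {   # export of search results to PST: should alert
        "id": 1,
        "eventSource": "SecurityComplianceCenter",
        "UserId": "analyst@contoso.example",
        "Payload": 'New-ComplianceSearchAction -SearchName "Case42" -Export '
                   "-Format FxStream -ExchangeArchiveFormat PerUserPst",
    },
    {   # preview action, no export and no PST: must not alert
        "id": 2,
        "eventSource": "SecurityComplianceCenter",
        "UserId": "analyst@contoso.example",
        "Payload": 'New-ComplianceSearchAction -SearchName "Case42" -Preview',
    },
    {   # same payload but a different event source: must not alert
        "id": 3,
        "eventSource": "Exchange",
        "UserId": "analyst@contoso.example",
        "Payload": 'New-ComplianceSearchAction -SearchName "Case42" -Export '
                   "-Format FxStream -ExchangeArchiveFormat PerUserPst",
    },
    {   # lower-cased invocation: still alerts because matching is case-insensitive
        "id": 4,
        "eventSource": "SecurityComplianceCenter",
        "UserId": "helpdesk@contoso.example",
        "Payload": 'new-compliancesearchaction -searchname "case42" -export '
                   "-format fxstream -exchangearchiveformat singlepst",
    },
]

if __name__ == "__main__":
    for record_id in alerts(SAMPLE_RECORDS):
        print(f"ALERT: record {record_id} looks like a PST export via New-ComplianceSearchAction")
```

Records 1 and 4 alert; record 2 lacks both `Export` and `pst`, and record 3 carries the right payload but the wrong event source. When deploying the rule, confirm that the target SIEM backend preserves the case-insensitive semantics shown in `contains_all`, otherwise the fourth record is the kind of invocation that goes unnoticed.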