Sample rules
O365 PST export alert
- source: splunk
- technicques:
- T1114
Description
The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name “eDiscovery search started or exported.” This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required.
Detection logic
`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported"
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `o365_pst_export_alert_filter`
PST Export Alert Using eDiscovery Alert
- source: sigma
- technicques:
- t1114
Description
Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
Detection logic
condition: selection
selection:
eventName: eDiscovery search started or exported
eventSource: SecurityComplianceCenter
status: success