← Library
sigmaDRL-1.1from SigmaHQ/sigma

PST Export Alert Using New-ComplianceSearchAction

Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1114
Rule sourcerules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
title: PST Export Alert Using New-ComplianceSearchAction
id: 6897cd82-6664-11ed-9022-0242ac120002
related:
    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
      type: similar
status: test
description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
references:
    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
author: Nikita Khalimonenkov
date: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        Payload|contains|all:
            - 'New-ComplianceSearchAction'
            - 'Export'
            - 'pst'
    condition: selection
falsepositives:
    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
level: medium