O365 PST export alert

name: O365 PST export alert
id: 5f694cc4-a678-4a60-9410-bffca1b647dc
version: 9
date: '2026-03-10'
author: Rod Soto, Splunk
status: production
type: TTP
description: The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name "eDiscovery search started or exported." This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required.
data_source:
    - O365
search: |-
    `o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported"
      | fillnull
      | stats count earliest(_time) as firstTime latest(_time) as lastTime
        BY Source Severity AlertEntityId
           Name user src
           vendor_account vendor_product dest
           signature
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `o365_pst_export_alert_filter`
how_to_implement: You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
known_false_positives: PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
references:
    - https://attack.mitre.org/techniques/T1114/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ has exported a PST file from the search using this operation- $signature$ with a severity of $Severity$
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Office 365 Collection Techniques
        - Data Exfiltration
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1114
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json
          sourcetype: o365:management:activity
          source: o365