sigmamediumHunting

PST Export Alert Using New-ComplianceSearchAction

Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.

MITRE ATT&CK

T1114

collection

Detection Query

selection:
  eventSource: SecurityComplianceCenter
  Payload|contains|all:
    - New-ComplianceSearchAction
    - Export
    - pst
condition: selection

Author

Nikita Khalimonenkov

Created

2022-11-17

Data Sources

m365threat_management

Platforms

m365

References

https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps

Tags

attack.collectionattack.t1114

Raw Content

title: PST Export Alert Using New-ComplianceSearchAction
id: 6897cd82-6664-11ed-9022-0242ac120002
related:
    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
      type: similar
status: test
description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
references:
    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
author: Nikita Khalimonenkov
date: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        Payload|contains|all:
            - 'New-ComplianceSearchAction'
            - 'Export'
            - 'pst'
    condition: selection
falsepositives:
    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
level: medium