PST Export Alert Using New-ComplianceSearchAction

Rule Info

Name
PST Export Alert Using New-ComplianceSearchAction
Author
Nikita Khalimonenkov
Description
Alerts when a user exports the results of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection catches PST exports even if the 'eDiscovery search or exported' alert is disabled in O365. The rule applies both to ExchangePowerShell usage and to activity from the cloud.
Date
2022-11-17 00:00:00
Modified
None
Id
6897cd82-6664-11ed-9022-0242ac120002
Tags
attack.collection attack.t1114 DEMO
Type
Community Rule

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| frack113 | Merge PR #4479 From @frack113 - Upgrade Rules Status | 2023-10-17 | |
| Nasreddine Bencherchali | Merge PR #4476 from @nasbench - re-organize cloud folder and other things | 2023-10-12 | |
| nikitah4x | Add new rule to detect PST export when eDiscovery alert policy is disabled (M365) | 2022-11-18 | |