Rule Info
Name
PST Export Alert Using New-ComplianceSearchAction
Author
Nikita Khalimonenkov
Description
Alerts when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will catch a PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to exports performed from the cloud.
Date
2022-11-17 00:00:00
Modified
None
Id
6897cd82-6664-11ed-9022-0242ac120002
Tags
attack.collection attack.t1114 DEMO
Type
Community Rule
Link to Public Repo
Rule History
| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| Nasreddine Bencherchali | Merge PR #4476 from @nasbench - re-organize cloud folder and other things | 2023-10-12 | |
| nikitah4x | Add new rule to detect PST export when eDiscovery alert policy is disabled (M365) | 2022-11-18 | |