PST Export Alert Using New-ComplianceSearchAction

Rule Info

Id
6897cd82-6664-11ed-9022-0242ac120002
Author
Nikita Khalimonenkov
Name
PST Export Alert Using New-ComplianceSearchAction
Tags
attack.collection DEMO attack.t1114
Date
2022-11-17 00:00:00
Modified
None
Description
Alert when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This rule detects PST export even if the 'eDiscovery search or exported' alert is disabled in O365. It applies to ExchangePowerShell usage and to usage from the cloud.
Type
Community Rule

Rule History

Author
Date
Commit
Title
nikitah4x
2022-11-18
Add new rule to detect PST export when eDiscovery alert policy is disabled (M365)