Try in Splunk Security Cloud


This search detects when a user has performed an Ediscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content

  • Type: TTP
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-16
  • Author: Rod Soto, Splunk
  • ID: 5f694cc4-a678-4a60-9410-bffca1b647dc


ID Technique Tactic
T1114 Email Collection Collection
`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" 
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name 
| `o365_pst_export_alert_filter`

Associated Analytic Story

How To Implement

You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Required field

  • _time
  • Category
  • Name
  • Source
  • Severity
  • AlertEntityId
  • Operation

Kill Chain Phase

  • Actions on Objective

Known False Positives

PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.


Risk Score Impact Confidence Message
48.0 80 60 User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1