O365 PST export alert
Description
This search detects when a user has performed an Ediscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-12-16
- Author: Rod Soto, Splunk
- ID: 5f694cc4-a678-4a60-9410-bffca1b647dc
Annotations
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1114 | Email Collection | Collection |
Kill Chain Phase
- Exploitation
NIST
CIS20
CVE
Search
1
2
3
4
5
`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported"
| stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `o365_pst_export_alert_filter`
Macros
The SPL above uses the following Macros:
Note that o365_pst_export_alert_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
- Category
- Name
- Source
- Severity
- AlertEntityId
- Operation
How To Implement
You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
Known False Positives
PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
Associated Analytic story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 48.0 | 80 | 60 | User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1