PST Export Alert Using New-ComplianceSearchAction (6897cd82-6664-11ed-9022-0242ac120002)
Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) | Attack Pattern | PST Export Alert Using New-ComplianceSearchAction (6897cd82-6664-11ed-9022-0242ac120002) | Sigma-Rules | 1 |