Name:O365 PST export alert id:5f694cc4-a678-4a60-9410-bffca1b647dc version:4 date:2024-09-30 author:Rod Soto, Splunk status:production type:TTP Description:The following analytic detects instances where a user has initiated an eDiscovery search or exported a PST file in an Office 365 environment. It leverages Office 365 management activity logs, specifically filtering for events under ThreatManagement with the name "eDiscovery search started or exported." This activity is significant as it may indicate data exfiltration attempts or unauthorized access to sensitive information. If confirmed malicious, it suggests an attacker or insider threat is attempting to gather or exfiltrate data, potentially leading to data breaches, loss of intellectual property, or unauthorized access to confidential communications. Immediate investigation is required. Data_source:
-O365
search:`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`
how_to_implement:You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity known_false_positives:PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. References: -https://attack.mitre.org/techniques/T1114/ drilldown_searches: name:'View the detection results for - "$Source$"' search:'%original_detection_search% | search Source = "$Source$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$Source$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Source$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Collection Techniques' - 'Data Exfiltration' asset_type:O365 Tenant confidence:60 impact:80 message:User $Source$ has exported a PST file from the search using this operation- $Operation$ with a severity of $Severity$ mitre_attack_id: - 'T1114' observable: name:'Source' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Category' - 'Name' - 'Source' - 'Severity' - 'AlertEntityId' - 'Operation' risk_score:48 security_domain:threat
