This search detects when a user has run an eDiscovery search or exported a PST file from that search. Such a PST file usually contains sensitive information, including full email body content, so an export is worth reviewing even when the user is authorised to run eDiscovery.
O365 Pst Export Alert Help
You must install the Splunk Add-on for Microsoft Office 365. This search works with the o365:management:activity sourcetype.
Search
`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`
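The following is an added example, not part of the original detection or the Splunk content project: it re-implements the search's filter and `stats` aggregation in Python over a few constructed o365:management:activity alert records, so you can see what the detection would return. Field names and timestamp format are assumed to follow the Office 365 Management Activity alert schema; the sample values are invented.

```python
"""Python stand-in for the SPL detection: filter ThreatManagement alerts named
"eDiscovery search started or exported", then aggregate count/earliest/latest
by Source, Severity, AlertEntityId, Operation and Name."""
from datetime import datetime, timezone

ALERT_NAME = "eDiscovery search started or exported"
GROUP_BY = ("Source", "Severity", "AlertEntityId", "Operation", "Name")

# Constructed sample events (not real tenant data). Two eDiscovery alerts for
# one user and one unrelated alert that the filter must drop.
SAMPLE_EVENTS = [
    {"CreationTime": "2023-05-01T10:00:00", "Category": "ThreatManagement",
     "Name": ALERT_NAME, "Source": "Office 365 Security & Compliance",
     "Severity": "Medium", "AlertEntityId": "analyst@example.com", "Operation": "AlertTriggered"},
    {"CreationTime": "2023-05-01T10:15:00", "Category": "ThreatManagement",
     "Name": ALERT_NAME, "Source": "Office 365 Security & Compliance",
     "Severity": "Medium", "AlertEntityId": "analyst@example.com", "Operation": "AlertTriggered"},
    {"CreationTime": "2023-05-01T11:00:00", "Category": "ThreatManagement",
     "Name": "Unusual volume of file deletion", "Source": "Office 365 Security & Compliance",
     "Severity": "High", "AlertEntityId": "other@example.com", "Operation": "AlertTriggered"},
]


def parse_time(ts):
    # Assumed ISO-8601 CreationTime without zone suffix; treat as UTC.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def pst_export_alerts(events):
    """Equivalent of `Category=ThreatManagement Name="..." | stats count
    earliest(_time) as firstTime latest(_time) as lastTime by <GROUP_BY>`.
    Returns {group_key_tuple: {"count": n, "firstTime": str, "lastTime": str}}."""
    groups = {}
    for ev in events:
        if ev.get("Category") != "ThreatManagement" or ev.get("Name") != ALERT_NAME:
            continue  # same as the SPL filter clause
        key = tuple(ev.get(f) for f in GROUP_BY)
        t = parse_time(ev["CreationTime"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    # Mimic security_content_ctime: render the epoch bounds as readable strings.
    for g in groups.values():
        g["firstTime"] = g["firstTime"].strftime("%Y-%m-%dT%H:%M:%S")
        g["lastTime"] = g["lastTime"].strftime("%Y-%m-%dT%H:%M:%S")
    return groups


if __name__ == "__main__":
    for key, stats in pst_export_alerts(SAMPLE_EVENTS).items():
        print(dict(zip(GROUP_BY, key)), stats)
```

The unrelated alert is filtered out and the two eDiscovery alerts collapse into one row with count 2, which is what the Splunk search would hand to `o365_pst_export_alert_filter` for tuning.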