Navigation :

O365 Pst Export Alert

Description

This search detects when a user has performed an Ediscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content

Help
O365 Pst Export Alert Help You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Help

O365 Pst Export Alert Help

You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Search
`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" \| stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name \|`security_content_ctime(firstTime)` \|`security_content_ctime(lastTime)` \| `o365_pst_export_alert_filter` Open in Search

Search

`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`

Open in Search