O365 New Export Request

Anvilogic Forge

Summary
The detection rule titled 'O365 New Export Request' monitors for use of the 'New-MailboxExportRequest' Exchange cmdlet, which is normally used to export mailboxes to PST files. Adversaries abuse this cmdlet to exfiltrate sensitive email data from Microsoft Office 365 environments. The logic is implemented in Splunk, using the pre-existing cloud data functions `get_cloud_data` and `get_cloud_data_o365`. The rule triggers on any instance of the 'New-MailboxExportRequest' command in the Office 365 audit logs. Its output includes event attributes such as time, host, user, region, source IP, and request parameters, supporting detailed analytics and investigation. The cmdlet's association with known threat actors, in particular CL-STA-0043 and SEABORGIUM, underlines the value of this detection in countering data exfiltration. The rule covers collection of email data and maps to MITRE ATT&CK technique T1114.
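The following Python sketch of the same detection logic is an added example, not Anvilogic's Splunk rule or the `get_cloud_data` macros it relies on; it runs over constructed Office 365 Unified Audit Log records and assumes the standard `Workload`, `Operation`, `UserId`, `ClientIP` and `Parameters` fields of an Exchange admin audit event (the host and region attributes named above come from the Splunk data model, not the raw record, and are left out here).

```python
import json

# Constructed sample Office 365 Unified Audit Log records (not real telemetry):
# one New-MailboxExportRequest event and one benign Exchange admin event.
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2024-02-09T10:15:02", "RecordType": 1,
                "Workload": "Exchange", "Operation": "New-MailboxExportRequest",
                "UserId": "admin@contoso.example", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Mailbox", "Value": "cfo@contoso.example"},
                               {"Name": "FilePath", "Value": "\\\\fs01\\export\\cfo.pst"}]}),
    json.dumps({"CreationTime": "2024-02-09T10:16:40", "RecordType": 1,
                "Workload": "Exchange", "Operation": "Set-Mailbox",
                "UserId": "admin@contoso.example", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Identity", "Value": "cfo@contoso.example"}]}),
]

WATCHED_OPERATION = "new-mailboxexportrequest"  # matched case-insensitively


def detect_export_requests(lines):
    """Return one alert dict per audit record whose Operation is the
    New-MailboxExportRequest cmdlet, carrying the fields an analyst needs
    to triage it (time, user, source IP and the cmdlet parameters).
    Malformed lines and non-Exchange records are skipped."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("Workload") != "Exchange":
            continue
        if str(rec.get("Operation", "")).lower() != WATCHED_OPERATION:
            continue
        # Parameters is a list of {Name, Value} pairs; flatten it to a dict.
        params = {p.get("Name"): p.get("Value") for p in rec.get("Parameters", [])}
        alerts.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "src_ip": rec.get("ClientIP"),
            "mailbox": params.get("Mailbox"),
            "parameters": params,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_export_requests(SAMPLE_RECORDS):
        print(json.dumps(alert, indent=2))
```

In a real deployment the exported mailbox and the FilePath parameter are the first things to check, since an export to an unexpected share or an untrusted path is what distinguishes an abuse from routine migration work.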
Categories
  • Cloud
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1114
Created: 2024-02-09