
Summary
This rule detects use of the Microsoft Exchange cmdlet that creates requests to export mailbox contents into PST (Personal Storage Table) files. Adversaries may run `New-MailboxExportRequest` to exfiltrate sensitive information stored in Exchange mailboxes. The rule relies on PowerShell logging and matches events whose `EventCode` is 4103 or 4104, the codes that record executed PowerShell commands. It then applies a regex to confirm that the file path passed to the command ends in '.pst', which indicates that email data is being exported. Threat actors associated with this behavior include groups such as APT29 and APT31, and others linked to malware such as ALPHV/BlackCat and Conti. The logic is implemented in Splunk and processes PowerShell and process command-line parameters to raise alerts for suspicious email collection through this export mechanism.
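The following Python is an added illustration of the detection logic described above, run over constructed sample events; it is not the rule's own Splunk search. It assumes a normalized event shape (event code, computer, user and the command text from `ScriptBlockText`/`Payload`) and hypothetical host names, users and paths. It keeps only events with `EventCode` 4103 (module logging) or 4104 (script block logging), requires the `New-MailboxExportRequest` cmdlet, and then confirms with a regex that the `-FilePath` value ends in `.pst`, accepting both bare and quoted paths (quoted paths may contain spaces).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows PowerShell logging: 4103 = module logging (pipeline execution),
# 4104 = script block logging. The rule keys on these two event codes.
POWERSHELL_EVENT_CODES = {4103, 4104}

# The export cmdlet; PowerShell cmdlet names are case-insensitive.
CMDLET_RE = re.compile(r"\bnew-mailboxexportrequest\b", re.IGNORECASE)

# -FilePath value ending in .pst: double-quoted, single-quoted, or bare.
PST_PATH_RE = re.compile(
    r"-filepath\s+(?:\"([^\"]+\.pst)\"|'([^']+\.pst)'|(\S+\.pst))(?=\s|$)",
    re.IGNORECASE,
)


@dataclass
class Event:
    """Normalized PowerShell log event (assumed shape, not a Splunk field list)."""
    event_code: int
    computer: str
    user: str
    text: str  # ScriptBlockText (4104), Payload (4103) or similar command text


def match_pst_export(event: Event) -> Optional[dict]:
    """Return alert fields if the event is a PST export via New-MailboxExportRequest, else None."""
    if event.event_code not in POWERSHELL_EVENT_CODES:
        return None
    if not CMDLET_RE.search(event.text):
        return None
    m = PST_PATH_RE.search(event.text)
    if m is None:
        return None
    # Exactly one of the three alternation groups captured the path.
    file_path = next(g for g in m.groups() if g is not None)
    return {
        "computer": event.computer,
        "user": event.user,
        "event_code": event.event_code,
        "file_path": file_path,
    }


def run_detection(events: List[Event]) -> List[dict]:
    """Apply the matcher to a batch of events and return the alerts."""
    return [a for a in (match_pst_export(e) for e in events) if a is not None]


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    Event(4104, "EX01", "CORP\\svc_admin",
          r"New-MailboxExportRequest -Mailbox jdoe -FilePath \\fs01\share\jdoe.pst"),
    Event(4103, "EX01", "CORP\\svc_admin",
          "Get-MailboxExportRequest | Get-MailboxExportRequestStatistics"),
    Event(4104, "EX02", "CORP\\helpdesk",
          "new-mailboxexportrequest -Mailbox jdoe -ContentFilter {Received -gt '01/01/2024'} "
          "-FilePath '\\\\fs01\\exports\\j doe.pst'"),
    Event(4104, "WS07", "CORP\\analyst",
          r"Get-Process | Export-Csv -Path C:\temp\out.pst"),
    # Same command text, but not a 4103/4104 event: filtered out by event code.
    Event(4100, "EX01", "CORP\\svc_admin",
          r"New-MailboxExportRequest -Mailbox jdoe -FilePath \\fs01\share\jdoe.pst"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Only the first and third sample events produce alerts: the second lacks the export cmdlet, the fourth writes a `.pst`-named file with an unrelated cmdlet, and the fifth carries the right command text under an event code the rule does not consider. Raising the alert with the user and computer fields preserved keeps triage fast, since legitimate exports by messaging administrators are common and the reviewer's first question is who ran it and from where.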
Categories
- Endpoint
- Web
Data Sources
- User Account
- Process
- Application Log
ATT&CK Techniques
- T1114.002
- T1114.001
Created: 2024-02-09