M365 Unusual eDiscovery Search
Detection overview
Triggers
- A user is creating or updating an eDiscovery search.
Possible Root Causes
- An adversary has gained access to eDiscovery capabilities and is using that access to perform reconnaissance across the environment.
- One of a small set of users authorized to perform eDiscovery has been observed doing so.
Business Impact
- eDiscovery capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.
- eDiscovery capabilities may include data traditionally inaccessible through other means but preserved as part of a litigation hold.
Steps to Verify
- eDiscovery search from unauthorized users should be immediately investigated.
- Users authorized for eDiscovery should be explicitly triaged in this system to avoid future detections.
M365 Unusual eDiscovery Search
Possible root causes
Malicious Detection
Benign Detection
M365 Unusual eDiscovery Search
Example scenarios
M365 Unusual eDiscovery Search
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
M365 Unusual eDiscovery Search
Steps to investigate
M365 Unusual eDiscovery Search
MITRE ATT&CK techniques covered
M365 Unusual eDiscovery Search
Related detections
No items found.