Triggers

  • A user is previewing or downloading the results of an eDiscovery activity.

Possible Root Causes

  • An adversary has gained access to eDiscovery capabilities and is using that access to collect or exfiltrate data.
  • One of a small set of users authorized to perform eDiscovery has been observed doing so.

Business Impact

  • eDiscovery capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.
  • eDiscovery capabilities may include data traditionally inaccessible through other means but preserved as part of a litigation hold.

Steps to Verify

  • eDiscovery activities from unauthorized users should be immediately investigated.
  • Users authorized for eDiscovery should be explicitly triaged in this system to avoid future detections.