Triggers
- A user is creating or updating an eDiscovery search.
Possible Root Causes
- An adversary has gained access to eDiscovery capabilities and is using that access to perform reconnaissance across the environment.
- One of a small set of users authorized to perform eDiscovery has been observed doing so.
Business Impact
- eDiscovery capabilities provide an enticing target for adversaries to abuse and may result in the loss of sensitive information up to and including passwords, encryption keys, and even financial data or intellectual property.
- eDiscovery capabilities may include data traditionally inaccessible through other means but preserved as part of a litigation hold.
Steps to Verify
- eDiscovery search from unauthorized users should be immediately investigated.
- Users authorized for eDiscovery should be explicitly triaged in this system to avoid future detections.