Which SIEM platforms have a T1114 detection rule?

df00tech provides T1114 (Email Collection) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Email Collection (T1114)?

Detecting Email Collection requires the following data sources: File: File Access, Application Log: Application Log Content, Microsoft Defender for Endpoint, Microsoft 365 Unified Audit Log.

What severity and confidence is the T1114 detection?

The T1114 detection is rated high severity with medium confidence.

What are common false positives for T1114?

Common false positives for T1114 include: Enterprise backup software (Veeam Agent, Backup Exec, Windows Server Backup) accessing PST/OST files during scheduled backup windows — exclude by known backup service account and initiating process path; Email migration tools (MigrationWiz, BitTitan, native PST import via New-MailboxImportRequest) performing authorized mailbox migrations — coordinate with IT to exclude migration service accounts during migration windows; Anti-virus and EDR scanning engines (MsMpEng.exe, SentinelAgent.exe) reading email files during on-demand or scheduled scans — already excluded by LegitEmailClients list, extend as needed.

T1114 CrowdStrike LogScale · LogScale

Detect Email Collection in CrowdStrike LogScale

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients. Sub-techniques cover local email file access (T1114.001), remote server collection via EWS/IMAP (T1114.002), and persistent inbox forwarding rules (T1114.003). Threat actors including Ember Bear, Silent Librarian, Magic Hound, Scattered Spider, and Emotet have all leveraged email collection as a high-value intelligence gathering technique.

MITRE ATT&CK

Tactic: Collection
Technique: T1114 Email Collection
Canonical reference: https://attack.mitre.org/techniques/T1114/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

// T1114 Email Collection - Local email data store access by suspicious processes
// Targets Falcon WriteFile and FileOpenInfo events for email file extensions
#event_simpleName = /^(WriteFile|PeFileWritten|SyntheticProcessRollup2)$/
| TargetFileName = /(?i)\.(pst|ost|mbox|eml|msg|dbx|nsf)$/
| ImageFileName != /(?i)(\\outlook\.exe|\\OUTLOOK\.EXE|\\thunderbird\.exe|\\SearchIndexer\.exe|\\SearchProtocolHost\.exe|\\MsMpEng\.exe|\\MsSense\.exe|\\msedge\.exe)$/
| SuspiciousTool := ImageFileName = /(?i)(\\powershell\.exe|\\pwsh\.exe|\\cmd\.exe|\\python[23]?\.exe|\\wscript\.exe|\\cscript\.exe|\\mshta\.exe|\\robocopy\.exe|\\xcopy\.exe|\\7z\.exe|\\winrar\.exe|\\rar\.exe|\\curl\.exe|\\wget\.exe)$/
| EmailProfilePath := TargetFileName = /(?i)AppData.*(Outlook|Thunderbird|Windows.Mail)/
| where SuspiciousTool = true or EmailProfilePath = true
| EmailFileType := case(
    TargetFileName = /(?i)\.pst$/, "OutlookPST",
    TargetFileName = /(?i)\.ost$/, "OutlookOST",
    TargetFileName = /(?i)\.mbox$/, "MboxArchive",
    TargetFileName = /(?i)\.msg$/, "OutlookMessage",
    TargetFileName = /(?i)\.eml$/, "EmailFile",
    true, "OtherEmailFile")
| groupBy([ComputerName, UserName, ImageFileName, EmailFileType], function=[
    count(as=AccessCount),
    collect(TargetFileName, limit=10),
    collect(CommandLine, limit=5)
  ])
| sort(AccessCount, order=desc)

high severity medium confidence

CrowdStrike LogScale (Falcon) query detecting T1114 local email collection. Matches WriteFile and PeFileWritten events where suspicious processes (scripting engines, archival/copy tools) access email data store files. Excludes legitimate email client and security product processes. Groups results by host, user, and process for volume-based triage, with email file type classification.

Data Sources

CrowdStrike Falcon EDRFalcon Data Replicator (FDR)Falcon SIEM Connector

Required Tables

#event_simpleName=WriteFile#event_simpleName=PeFileWritten#event_simpleName=SyntheticProcessRollup2

False Positives & Tuning

PowerShell-based backup scripts sanctioned by IT that archive PST files to network shares or cloud storage on a scheduled basis
Python-based eDiscovery or compliance tooling that parses MSG/EML files for legal hold or data loss prevention classification
WinRAR or 7-Zip used legitimately by administrators to compress email archives for offboarding employees, which may appear identical to exfiltration staging

Download portable Sigma rule (.yml)

Other platforms for T1114

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Copy Outlook PST/OST Files via PowerShell to Staging Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ChildItem', 'Outlook', 'Copy-Item'. Sysmon Event ID 11: File creation events in %TEMP%\email_staging for each OST/PST copied. DeviceFileEvents (MDE): FileCopied action for .ost/.pst files with InitiatingProcessFileName=powershell.exe. DeviceProcessEvents: PowerShell process with command line referencing Outlook and Copy-Item.
Test 2Enumerate Outlook Inbox via COM Object (MAPI)
Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'Outlook.Application', 'MAPI', 'GetDefaultFolder'. Sysmon Event ID 7 (ImageLoad): Outlook interop DLLs (olmapi32.dll, MSPST32.dll) loaded into powershell.exe process. Sysmon Event ID 11: CSV file created at %TEMP%\email_harvest.csv. DeviceImageLoadEvents (MDE): non-Outlook process loading Outlook MAPI libraries.
Test 3Remote Exchange Mailbox Enumeration via EWS SOAP Request
Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to outlook.office365.com (40.99.x.x range) on destination port 443. DeviceNetworkEvents (MDE): OutboundConnectionAttempt or ConnectionSuccess from powershell.exe to Microsoft O365 EWS IP. PowerShell ScriptBlock Log (Event ID 4104): full SOAP request body including 'FindItem', 'inbox', 'EWS' strings. O365 Unified Audit Log: failed or successful MailItemsAccessed operation depending on authentication outcome.
Test 4Create Malicious Inbox Forwarding Rule via Exchange Online PowerShell
Expected signal: Sysmon Event ID 1: PowerShell process with CommandLine containing 'New-InboxRule', 'ForwardTo', and target email address. PowerShell ScriptBlock Log (Event ID 4104): full script with New-InboxRule command and ForwardTo parameter value. O365 Unified Audit Log (if connection succeeds): New-InboxRule operation with Parameters showing [email protected]. Sysmon Event ID 3: PowerShell connecting to O365 PowerShell endpoint (*.outlook.com port 443).

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1114 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Email Collection in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1114

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1114

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (3)

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox