Hi,
how would I detect and monitor processes and command-line arguments for actions that could be taken to gather local email files. For example, I want to be alerted if an adversary gathers or moves email files. Most email files have .eml, .pst, .ost extension. I thought about doing regex search for all the files ending with that extension. What do you think?
What data / events are you planning on searching for this information? Is it already in splunk in some form? Or is it a question more about how you would gather this information in the first place, e.g. keystroke trace on your adversary's device? 🙂