Versions Compared

Version Old Version 1 New Version 2
Changes made by

Svetlana Sheptiy

Marlon Morales

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Description

...

Expand
titleSample Office365ExchangeItemGroup log
[
{
"CreationTime": "2022-03-15T10:56:33",
"Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
"Operation": "SoftDelete",
"OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
"RecordType": 3,
"ResultStatus": "Succeeded",
"UserKey": "1153977025279851686@contoso.onmicrosoft.com",
"UserType": 0,
"Version": 1,
"Workload": "Exchange",
"ClientIP": "134.170.188.221",
"UserId": "admin@contoso.onmicrosoft.com",
"AppId": "00012343-1111-0ff1-ef22-000000000000",
"ClientIPAddress": "134.170.188.221",
"ClientInfoString": "Client=OWA;Action=ViaProxy",
"ExternalAccess": false,
"InternalLogonType": 0,
"LogonType": 0,
"LogonUserSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
"MailboxGuid": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
"MailboxOwnerSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
"MailboxOwnerUPN": "admin@contoso.onmicrosoft.com",
"OrganizationName": "contoso.onmicrosoft.com",
"OriginatingServer": "DEFPR01MB5223 (15.16.5500.000)\r\n",
"SessionId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
"AffectedItems": [
{
"Id": "RgXXXXBfilsyPsriQIl0rq3TWIlUBwBgU5LBEA0rTKAxHEa3YAjjBBBCCCEKDDBgU5LBEA5rTKAxHEa3YAjjAABk0FUNAAAJ",
"InternetMessageId": "b27f25405d1749f98679999cb1a2dccb-ABCDEFKQOJXWILKNK4YVA7CPGM3LMNOPONZWCZ3FINSW45DFOJ6E8Q2ENFTWK43UL4YDGMBWGIZHYU3SORRY====@microsoft.com",
"ParentFolder": {
"Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
"Path": "\Deleted Items"
},
"Subject": "Weekly digest: Microsoft service updates"
}
],
"CrossMailboxOperation": false,
"Folder": {
"Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
"Path": "\Deleted Items"
}
}
]

Table Fields

Field

Description

TABLE

Office365ExchangeItemGroup

RECORDTYPE

RecordType is “3”

-

, more details about RecordType here.

APPID

AppId - No available documentation for this field.

CLIENTAPPDID

ClientAppId - No available documentation for this field.

LOGONTYPE

LogonType - Indicates the type of user who accessed the mailbox and performed the operation that was logged.

INTERNALLOGONTYPE

InternalLogonType - Reserved for internal use.

MAILBOXGUID

MailboxGuid - The Exchange GUID of the mailbox that was accessed.

MAILBOXOWNERUPN

MailboxOwnerUPN - The email address of the person who owns the mailbox that was accessed.

MAILBOXOWNERSID

MailboxOwnerSid - The SID of the mailbox owner.

MAILBOXOWNERMASTERSID

MailboxOwnerMasterAccountSid - Mailbox owner account's master account SID.

LOGONUSERSID

LogonUserSid - The SID of the user who performed the operation.

LOGONUSERNAME

LogonUserDisplayName - The user-friendly name of the user who performed the operation.

EXTERNALACCESS

ExternalAccess - This is true if the logon user's domain is different from the mailbox owner's domain.

ORIGINATINGSERVER

OriginatingServer - This is from where the operation originated.

ORGNAME

OrganizationName - The name of the tenant.

CLIENTINFO

ClientInfoString - Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information.

CLIENTADDR

ClientIPAddress - The IP address of the device that was used when the operation was logged.
The IP address is displayed in either an IPv4 or IPv6 address format.

CLIENTMACHINE

ClientMachineName - The machine name that hosts the Outlook client.

CLIENTPROCESS

ClientProcessName - The email client that was used to access the mailbox.

CLIENTVERSION

ClientVersion - The version of the email client .

CLIENTREQID

ClientRequestId - No available documentation for this field.

SESSIONID

SessionId - No available documentation for this field.

DIR

Folder - The folder where a group of items is located.

CROSSMBOPERATION

CrossMailboxOperation - Indicates if the operation involved more than one mailbox.

DESTMBID

DestMailboxId - Set only if the CrossMailboxOperations parameter is True.
Specifies the target mailbox GUID.

DESTMBUPN

DestMailboxOwnerUPN - Set only if the CrossMailboxOperations parameter is True.
Specifies the UPN of the owner of the target mailbox.

DESTMBSID

DestMailboxOwnerSid - Set only if the CrossMailboxOperations parameter is True.
Specifies the SID of the target mailbox.

DESTMBMASTERSID

DestMailboxOwnerMasterAccountSid - Set only if the CrossMailboxOperations parameter is True.
Specifies the SID for the master account SID of the target mailbox owner.

DESTDIR

DestFolder - The destination folder, for operations such as Move.

SRCDIRS

Folders - Information about the source folders involved in an operation;
For example, if folders are selected and then deleted.

AFFECTEDITEMS

AffectedItems - Information about each item in the group.

SNAREDATAMAP

All unclassified field/s in the log will be pushed into the SNAREDATAMAP.

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#exchange-mailbox-schema

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema?view=o365-worldwide#exchangemailboxauditgrouprecord-schema