
Description

Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.

Log Structure

Sample Office365ExchangeItem log:

[
  {
    "CreationTime": "2022-02-16T07:22:14",
    "Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
    "Operation": "ModifyFolderPermissions",
    "OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserKey": "1234522233C77A20",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "ClientIP": "134.170.188.221",
    "UserId": "admin@contoso.onmicrosoft.com",
    "AppId": "00012343-1111-0ff1-ef22-000000000000",
    "ClientIPAddress": "134.170.188.221",
    "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36+Preload+Preload;",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 0,
    "LogonUserSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
    "MailboxGuid": "a78873bc-8394-40d1-8e2f-a0b6c3334455",
    "MailboxOwnerSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
    "MailboxOwnerUPN": "admin@contoso.onmicrosoft.com",
    "OrganizationName": "contoso.onmicrosoft.com",
    "OriginatingServer": "DEFPR01MB5223 (15.16.5500.000)\r\n",
    "SessionId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
    "Item": {
      "Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
      "ParentFolder": {
        "Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
        "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, CreateSubfolder, Owner, Contact, Visible",
        "MemberSid": "S-1-9-4",
        "MemberUpn": "Everyone",
        "Name": "test-dir",
        "Path": "\test-dir"
      }
    }
  }
]

Table Fields

Field - Description

TABLE

Office365ExchangeItem

RECORDTYPE

RecordType is “2” (Exchange item operation); the full list of RecordType values is in the Microsoft schema reference linked under Notes.

APPID

AppId - No available documentation for this field.

CLIENTAPPDID

ClientAppId - No available documentation for this field.

LOGONTYPE

LogonType - Indicates the type of user who accessed the mailbox and performed the operation that was logged.

INTERNALLOGONTYPE

InternalLogonType - Reserved for internal use.

MAILBOXGUID

MailboxGuid - The Exchange GUID of the mailbox that was accessed.

MAILBOXOWNERUPN

MailboxOwnerUPN - The email address of the person who owns the mailbox that was accessed.

MAILBOXOWNERSID

MailboxOwnerSid - The SID of the mailbox owner.

MAILBOXOWNERMASTERSID

MailboxOwnerMasterAccountSid - Mailbox owner account's master account SID.

LOGONUSERSID

LogonUserSid - The SID of the user who performed the operation.

LOGONUSERNAME

LogonUserDisplayName - The user-friendly name of the user who performed the operation.

EXTERNALACCESS

ExternalAccess - This is true if the logon user's domain is different from the mailbox owner's domain.

ORIGINATINGSERVER

OriginatingServer - The Exchange server from which the operation originated.

ORGNAME

OrganizationName - The name of the tenant.

CLIENTINFO

ClientInfoString - Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information.

CLIENTADDR

ClientIPAddress - The IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format.

CLIENTMACHINE

ClientMachineName - The machine name that hosts the Outlook client.

CLIENTPROCESS

ClientProcessName - The email client that was used to access the mailbox.

CLIENTVERSION

ClientVersion - The version of the email client.

CLIENTREQID

ClientRequestId - No available documentation for this field.

ITEM

Item - Represents the item upon which the operation was performed.
Contains the following fields:

  • Id - The store ID.

  • Subject - The subject line of the message that was accessed.

  • ParentFolder - The name of the folder where the item is located.

  • Attachments - A list of the names and file size of all items that are attached to the message.

MODIFIEDPROPERTIES

ModifiedProperties - The property is included for admin events, such as adding a user as a member of a site or a site collection admin group.

SENDADDR

SendAsUserSmtp - SMTP address of the user who is being impersonated.

SENDMBGUID

SendAsUserMailboxGuid - The Exchange GUID of the mailbox that was accessed to send email as.

SENDONADDR

SendOnBehalfOfUserSmtp - SMTP address of the user on whose behalf the email is sent.

SENDONMBGUID

SendOnBehalfOfUserMailboxGuid - The Exchange GUID of the mailbox that was accessed to send mail on behalf of.

SNAREDATAMAP

Any field in the log that is not mapped to one of the table fields above is pushed into the SNAREDATAMAP.
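As an added illustration (not part of the original page or of the Snare product), the following maps a record like the sample above onto the table fields described here, sends unmapped keys such as Operation to SNAREDATAMAP as the rule above states, and then applies a simple review check to ModifyFolderPermissions events: the sample grants the Everyone principal (SID S-1-9-4) Owner, EditAny and DeleteAny on a folder, which an analyst would normally want surfaced. The field mapping is copied from the table; the sample record is a constructed, trimmed copy of the log above.

```python
# Constructed sample, trimmed from the Office365ExchangeItem log shown on this page
SAMPLE_RECORD = {
    "CreationTime": "2022-02-16T07:22:14", "Operation": "ModifyFolderPermissions",
    "RecordType": 2, "ResultStatus": "Succeeded", "ExternalAccess": False,
    "UserId": "admin@contoso.onmicrosoft.com", "ClientIPAddress": "134.170.188.221",
    "MailboxOwnerUPN": "admin@contoso.onmicrosoft.com",
    "Item": {"Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
             "ParentFolder": {"MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, "
                              "EditAny, DeleteAny, CreateSubfolder, Owner, Contact, Visible",
                              "MemberSid": "S-1-9-4", "MemberUpn": "Everyone",
                              "Name": "test-dir", "Path": "\\test-dir"}},
}

# Source field -> Snare table field, as listed in the field table above
FIELD_MAP = {
    "RecordType": "RECORDTYPE", "AppId": "APPID", "LogonType": "LOGONTYPE",
    "MailboxGuid": "MAILBOXGUID", "MailboxOwnerUPN": "MAILBOXOWNERUPN",
    "MailboxOwnerSid": "MAILBOXOWNERSID", "LogonUserSid": "LOGONUSERSID",
    "ExternalAccess": "EXTERNALACCESS", "OriginatingServer": "ORIGINATINGSERVER",
    "OrganizationName": "ORGNAME", "ClientInfoString": "CLIENTINFO",
    "ClientIPAddress": "CLIENTADDR", "Item": "ITEM",
}

def map_record(record):
    """Map one audit record to table fields; unclassified keys go to SNAREDATAMAP."""
    row = {"TABLE": "Office365ExchangeItem", "SNAREDATAMAP": {}}
    for key, value in record.items():
        if key in FIELD_MAP:
            row[FIELD_MAP[key]] = value
        else:
            row["SNAREDATAMAP"][key] = value      # e.g. Operation, ResultStatus, UserId
    return row

# Folder rights that let the grantee edit or delete items they do not own
BROAD_RIGHTS = {"Owner", "EditAny", "DeleteAny"}

def folder_permission_findings(row):
    """Reasons a ModifyFolderPermissions row deserves analyst review (empty if none)."""
    if row["SNAREDATAMAP"].get("Operation") != "ModifyFolderPermissions":
        return []
    folder = (row.get("ITEM") or {}).get("ParentFolder") or {}
    rights = {r.strip() for r in folder.get("MemberRights", "").split(",")}
    findings = []
    if folder.get("MemberSid") == "S-1-9-4" or folder.get("MemberUpn") == "Everyone":
        findings.append("folder %s shared with Everyone" % folder.get("Path"))
    if rights & BROAD_RIGHTS:
        findings.append("broad rights: %s" % ", ".join(sorted(rights & BROAD_RIGHTS)))
    if row.get("EXTERNALACCESS"):   # logon user's domain differs from the mailbox owner's
        findings.append("changed from outside the mailbox owner's domain")
    return findings
```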

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema?view=o365-worldwide#exchange-mailbox-schema