Versions Compared

Version Old Version 2 New Version 3
Changes made by

Marlon Morales

Marlon Morales

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

Description

Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleted one or more email messages.

Log Structure

Expand
titleSample Office365ExchangeItemGroup log
[
{
"CreationTime": "2022-03-15T10:56:33",
"Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
"Operation": "SoftDelete",
"OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
"RecordType": 3,
"ResultStatus": "Succeeded",
"UserKey": "1153977025279851686@contoso.onmicrosoft.com",
"UserType": 0,
"Version": 1,
"Workload": "Exchange",
"ClientIP": "134.170.188.221",
"UserId": "admin@contoso.onmicrosoft.com",
"AppId": "00012343-1111-0ff1-ef22-000000000000",
"ClientIPAddress": "134.170.188.221",
"ClientInfoString": "Client=OWA;Action=ViaProxy",
"ExternalAccess": false,
"InternalLogonType": 0,
"LogonType": 0,
"LogonUserSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
"MailboxGuid": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
"MailboxOwnerSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
"MailboxOwnerUPN": "admin@contoso.onmicrosoft.com",
"OrganizationName": "contoso.onmicrosoft.com",
"OriginatingServer": "DEFPR01MB5223 (15.16.5500.000)\r\n",
"SessionId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
"AffectedItems": [
{
"Id": "RgXXXXBfilsyPsriQIl0rq3TWIlUBwBgU5LBEA0rTKAxHEa3YAjjBBBCCCEKDDBgU5LBEA5rTKAxHEa3YAjjAABk0FUNAAAJ",
"InternetMessageId": "b27f25405d1749f98679999cb1a2dccb-ABCDEFKQOJXWILKNK4YVA7CPGM3LMNOPONZWCZ3FINSW45DFOJ6E8Q2ENFTWK43UL4YDGMBWGIZHYU3SORRY====@microsoft.com",
"ParentFolder": {
"Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
"Path": "\Deleted Items"
},
"Subject": "Weekly digest: Microsoft service updates"
}
],
"CrossMailboxOperation": false,
"Folder": {
"Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
"Path": "\Deleted Items"
}
}
]

Table Fields

Field

Description

TABLE

Office365ExchangeItemGroup

RECORDTYPE

RecordType is “3”, more details about RecordType here.

APPID

AppId - No available documentation for this field.

CLIENTAPPDID

ClientAppId - No available documentation for this field.

LOGONTYPE

LogonType - Indicates the type of user who accessed the mailbox and performed the operation that was logged.

INTERNALLOGONTYPE

InternalLogonType - Reserved for internal use.

MAILBOXGUID

MailboxGuid - The Exchange GUID of the mailbox that was accessed.

MAILBOXOWNERUPN

MailboxOwnerUPN - The email address of the person who owns the mailbox that was accessed.

MAILBOXOWNERSID

MailboxOwnerSid - The SID of the mailbox owner.

MAILBOXOWNERMASTERSID

MailboxOwnerMasterAccountSid - Mailbox owner account's master account SID.

LOGONUSERSID

LogonUserSid - The SID of the user who performed the operation.

LOGONUSERNAME

LogonUserDisplayName - The user-friendly name of the user who performed the operation.

EXTERNALACCESS

ExternalAccess - This is true if the logon user's domain is different from the mailbox owner's domain.

ORIGINATINGSERVER

OriginatingServer - This is from where the operation originated.

ORGNAME

OrganizationName - The name of the tenant.

CLIENTINFO

ClientInfoString - Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information.

CLIENTADDR

ClientIPAddress - The IP address of the device that was used when the operation was logged.
The IP address is displayed in either an IPv4 or IPv6 address format.

CLIENTMACHINE

ClientMachineName - The machine name that hosts the Outlook client.

CLIENTPROCESS

ClientProcessName - The email client that was used to access the mailbox.

CLIENTVERSION

ClientVersion - The version of the email client .

CLIENTREQID

ClientRequestId - No available documentation for this field.

SESSIONID

SessionId - No available documentation for this field.

DIR

Folder - The folder where a group of items is located.

CROSSMBOPERATION

CrossMailboxOperation - Indicates if the operation involved more than one mailbox.

DESTMBID

DestMailboxId - Set only if the CrossMailboxOperations parameter is True.
Specifies the target mailbox GUID.

DESTMBUPN

DestMailboxOwnerUPN - Set only if the CrossMailboxOperations parameter is True.
Specifies the UPN of the owner of the target mailbox.

DESTMBSID

DestMailboxOwnerSid - Set only if the CrossMailboxOperations parameter is True.
Specifies the SID of the target mailbox.

DESTMBMASTERSID

DestMailboxOwnerMasterAccountSid - Set only if the CrossMailboxOperations parameter is True.
Specifies the SID for the master account SID of the target mailbox owner.

DESTDIR

DestFolder - The destination folder, for operations such as Move.

SRCDIRS

Folders - Information about the source folders involved in an operation;
For example, if folders are selected and then deleted.

AFFECTEDITEMS

AffectedItems - Information about each item in the group.

SNAREDATAMAP

All unclassified field/s in the log will be pushed into the SNAREDATAMAP.

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#exchange-mailbox-schema

...