Description

Events related to the MailItemsAccessed mailbox auditing action.

Log Structure

Sample Office365ExchangeItemAggregated log
[
  {
    "CreationTime": "2020-04-07T23:47:30",
    "Id": "f5493f9a-57ce-4859-94bd-fd2ad38d5680",
    "Operation": "MailItemsAccessed",
    "OrganizationId": "b662313f-14fc-43a2-9a7a-d2e27f4f3478",
    "RecordType": 50,
    "ResultStatus": "Succeeded",
    "UserKey": "1003BFFD805C87B0",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "UserId": "Tony.Hawks@sample.com",
    "ClientIPAddress": "2001:bb6:5f4f:f058:4163:e14a:1332:27c7",
    "ClientInfoString": "Client=OutlookService;Outlook-iOS/2.0;",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 0,
    "LogonUserSid": "S-1-5-21-458367025-2064581115-2950179075-392557",
    "MailboxGuid": "0370f354-2752-4437-878d-cf0e5310a8d4",
    "MailboxOwnerSid": "S-1-5-21-458367025-2064581115-2950179075-392557",
    "MailboxOwnerUPN": "Tony.Hawks@sample.com",
    "OperationProperties": [
      {
        "Name": "MailAccessType",
        "Value": "Bind"
      },
      {
        "Name": "IsThrottled",
        "Value": "False"
      }
    ],
    "OrganizationName": "office365itpros.onmicrosoft.com",
    "OriginatingServer": "DB7PR04MB4346 (15.20.2878.014)\r\n",
    "SessionId": "1f99e672-8141-4a22-9aa0-96357297e843",
    "Folders": [
      {
        "FolderItems": [
          {
            "InternetMessageId": "71ceaeec-6dc3-4452-839f-6db34dd95f95@DB5EUR01BG102.eop-EUR01.prod.protection.outlook.com"
          }
        ],
        "Id": "LgAAAAB+7ILpFNx8TrktaK8VYWerAQBe9CuwLc2fTK7W46L1SAp9AAAA2lHHAAAB",
        "Path": "\\Inbox"
      }
    ],
    "OperationCount": 1
  }
]

Table Fields

| Field | Description |
| --- | --- |
| TABLE | Office365ExchangeItemAggregated |
| RECORDTYPE | RecordType is “50”; more details about RecordType here. |
| APPID | AppId - No available documentation for this field. |
| CLIENTAPPDID | ClientAppId - No available documentation for this field. |
| LOGONTYPE | LogonType - Indicates the type of user who accessed the mailbox and performed the operation that was logged. |
| INTERNALLOGONTYPE | InternalLogonType - Reserved for internal use. |
| MAILBOXGUID | MailboxGuid - The Exchange GUID of the mailbox that was accessed. |
| MAILBOXOWNERUPN | MailboxOwnerUPN - The email address of the person who owns the mailbox that was accessed. |
| MAILBOXOWNERSID | MailboxOwnerSid - The SID of the mailbox owner. |
| MAILBOXOWNERMASTERSID | MailboxOwnerMasterAccountSid - Mailbox owner account's master account SID. |
| LOGONUSERSID | LogonUserSid - The SID of the user who performed the operation. |
| LOGONUSERNAME | LogonUserDisplayName - The user-friendly name of the user who performed the operation. |
| EXTERNALACCESS | ExternalAccess - This is true if the logon user's domain is different from the mailbox owner's domain. |
| ORIGINATINGSERVER | OriginatingServer - The server from which the operation originated. |
| ORGNAME | OrganizationName - The name of the tenant. |
| CLIENTINFO | ClientInfoString - Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
| CLIENTADDR | ClientIPAddress - The IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format. |
| CLIENTMACHINE | ClientMachineName - The machine name that hosts the Outlook client. |
| CLIENTPROCESS | ClientProcessName - The email client that was used to access the mailbox. |
| CLIENTVERSION | ClientVersion - The version of the email client. |
| CLIENTREQID | ClientRequestId - No available documentation for this field. |
| SESSIONID | SessionId - No available documentation for this field. |
| OPERATIONPROP | OperationProperties - Contains properties of the operation, such as MailAccessType, recorded in the audit record. |
| FOLDERS | Folders - List of folders involved in the operation; each entry contains the fields FolderItems, Id and Path. |
| OPERATIONCOUNT | OperationCount - The number of bind operations that were aggregated in the record. |
| SNAREDATAMAP | All unclassified fields in the log will be pushed into the SNAREDATAMAP. |
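
The nested OperationProperties and Folders structures described above have to be flattened before a record can be triaged. The following is an added example, not part of the original page or of any product's own code: the function names, the second sample record and the LogonType mapping (taken from Microsoft's Exchange mailbox schema, which this page links but does not reproduce) are assumptions.

```python
import json

# LogonType meanings from Microsoft's Exchange mailbox schema; they are not listed on this page.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegated"}
# Constructed records: the first is trimmed from the page's sample (placeholder message id), the second is invented.
SAMPLE = r'''[
 {"Operation": "MailItemsAccessed", "UserId": "Tony.Hawks@sample.com",
  "MailboxOwnerUPN": "Tony.Hawks@sample.com", "LogonType": 0, "ExternalAccess": false,
  "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}],
  "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "msg-1@example.invalid"}]}],
  "OperationCount": 1},
 {"Operation": "MailItemsAccessed", "UserId": "delegate@example.invalid",
  "MailboxOwnerUPN": "Tony.Hawks@sample.com", "LogonType": 2, "ExternalAccess": true,
  "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}, {"Name": "IsThrottled", "Value": "True"}]}
]'''

def summarize(record):
    """Flatten one MailItemsAccessed record into the fields an analyst pivots on."""
    props = {p["Name"]: p["Value"] for p in record.get("OperationProperties", [])}
    ids = [i["InternetMessageId"] for f in record.get("Folders", [])
           for i in f.get("FolderItems", []) if "InternetMessageId" in i]
    return {
        "user": record.get("UserId"),
        "owner": record.get("MailboxOwnerUPN"),
        "logon": LOGON_TYPES.get(record.get("LogonType"), "Other"),
        "access_type": props.get("MailAccessType"),
        "throttled": props.get("IsThrottled", "False").lower() == "true",  # values arrive as strings
        "external": bool(record.get("ExternalAccess")),
        "message_ids": ids,
    }

def triage(record):
    """Return the reasons a record deserves analyst review (empty list: none)."""
    s = summarize(record)
    checks = [  # Sync and IsThrottled semantics follow Microsoft's MailItemsAccessed documentation
        (s["logon"] != "Owner", "non-owner logon: " + s["logon"]),
        (s["external"], "logon user domain differs from mailbox owner domain"),
        (s["access_type"] == "Sync", "sync access: individual messages are not listed"),
        (s["throttled"], "throttled: audit coverage for this mailbox is incomplete"),
    ]
    return [reason for hit, reason in checks if hit]

def triage_all(text):
    """Parse a JSON array of audit records and triage the MailItemsAccessed ones."""
    return [(r.get("UserId"), triage(r)) for r in json.loads(text)
            if r.get("Operation") == "MailItemsAccessed"]

if __name__ == "__main__":
    for user, reasons in triage_all(SAMPLE):
        print(user, reasons or "no findings")
```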

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema?view=o365-worldwide#exchange-mailbox-schema
