Description

...

Log Structure

Sample of Office365ExchangeItem Event (in JSON format)
[
  {
    "CreationTime": "2022-02-16T07:22:14",
    "Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
    "Operation": "ModifyFolderPermissions",
    "OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "UserKey": "1234522233C77A20",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "ClientIP": "134.170.188.221",
    "UserId": "admin@contoso.onmicrosoft.com",
    "AppId": "00012343-1111-0ff1-ef22-000000000000",
    "ClientIPAddress": "134.170.188.221",
    "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36+Preload+Preload;",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 0,
    "LogonUserSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
    "MailboxGuid": "a78873bc-8394-40d1-8e2f-a0b6c3334455",
    "MailboxOwnerSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
    "MailboxOwnerUPN": "admin@contoso.onmicrosoft.com",
    "OrganizationName": "contoso.onmicrosoft.com",
    "OriginatingServer": "DEFPR01MB5223 (15.16.5500.000)\r\n",
    "SessionId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
    "Item": {
      "Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
      "ParentFolder": {
        "Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
        "MemberRights": "ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, CreateSubfolder, Owner, Contact, Visible",
        "MemberSid": "S-1-9-4",
        "MemberUpn": "Everyone",
        "Name": "test-dir",
        "Path": "\\test-dir"
      }
    }
  }
]

Table Fields

| Field | Description |
|---|---|
| TABLE | Office365ExchangeItem |
| RECORDTYPE | Based on RecordType, where this field indicates the operation performed by the record. For this log type its value is 2. See more details about RecordType here. |
| APPID | Based on AppId, there’s no available documentation for this field. |
| CLIENTAPPDID | Based on ClientAppId, there’s no available documentation for this field. |
| LOGONTYPE | Based on LogonType, where this field indicates the type of user who accessed the mailbox and performed the operation that was logged. |
| INTERNALLOGONTYPE | Based on InternalLogonType, where this field is reserved for internal use. |
| MAILBOXGUID | Based on MailboxGuid, where this field contains the Exchange GUID of the mailbox that was accessed. |
| MAILBOXOWNERUPN | Based on MailboxOwnerUPN, where this field contains the email address of the person who owns the mailbox that was accessed. |
| MAILBOXOWNERSID | Based on MailboxOwnerSid, where this field contains the SID of the mailbox owner. |
| MAILBOXOWNERMASTERSID | Based on MailboxOwnerMasterAccountSid, where this field contains the mailbox owner account's master account SID. |
| LOGONUSERSID | Based on LogonUserSid, where this field contains the SID of the user who performed the operation. |
| LOGONUSERNAME | Based on LogonUserDisplayName, where this field contains the user-friendly name of the user who performed the operation. |
| EXTERNALACCESS | Based on ExternalAccess, where this field, when set to true, means that the logon user's domain is different from the mailbox owner's domain. |
| ORIGINATINGSERVER | Based on OriginatingServer, where this field contains the details of where the operation originated. |
| ORGNAME | Based on OrganizationName, where this field contains the name of the tenant. |
| CLIENTINFO | Based on ClientInfoString, where this field contains information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
| CLIENTADDR | Based on ClientIPAddress, where this field contains the IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format. |
| CLIENTMACHINE | Based on ClientMachineName, where this field contains the machine name that hosts the Outlook client. |
| CLIENTPROCESS | Based on ClientProcessName, where this field contains the email client that was used to access the mailbox. |
| CLIENTVERSION | Based on ClientVersion, where this field contains the version of the email client. |
| CLIENTREQID | Based on ClientRequestId, there’s no available documentation for this field. |
| ITEM | Based on Item, where this field contains information about the item upon which the operation was performed. Contains the following fields: Id (the store ID); Subject (the subject line of the message that was accessed); ParentFolder (the name of the folder where the item is located); Attachments (a list of the names and file size of all items that are attached to the message). |
| MODIFIEDPROPERTIES | Based on ModifiedProperties, where this field is included for admin events, such as adding a user as a member of a site or a site collection admin group. |
| SENDADDR | Based on SendAsUserSmtp, where this field contains the SMTP address of the user who is being impersonated. |
| SENDMBGUID | Based on SendAsUserMailboxGuid, where this field contains the Exchange GUID of the mailbox that was accessed to send email as. |
| SENDONADDR | Based on SendOnBehalfOfUserSmtp, where this field contains the SMTP address of the user on whose behalf the email is sent. |
| SENDONMBGUID | Based on SendOnBehalfOfUserMailboxGuid, where this field contains the Exchange GUID of the mailbox that was accessed to send mail on behalf of. |
| SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP. |
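
The field mapping above, applied to a trimmed copy of the sample event, as an added example (not the product's own parser). It assumes keys the table does not list go to SNAREDATAMAP; the triage flags, the BROAD and RISKY sets and the shortened SIDs are constructed for illustration.

```python
import json

# JSON key=table column pairs, copied from the Table Fields section above.
COLUMNS = dict(pair.split("=") for pair in """
RecordType=RECORDTYPE AppId=APPID ClientAppId=CLIENTAPPDID LogonType=LOGONTYPE
InternalLogonType=INTERNALLOGONTYPE MailboxGuid=MAILBOXGUID MailboxOwnerUPN=MAILBOXOWNERUPN
MailboxOwnerSid=MAILBOXOWNERSID MailboxOwnerMasterAccountSid=MAILBOXOWNERMASTERSID
LogonUserSid=LOGONUSERSID LogonUserDisplayName=LOGONUSERNAME ExternalAccess=EXTERNALACCESS
OriginatingServer=ORIGINATINGSERVER OrganizationName=ORGNAME ClientInfoString=CLIENTINFO
ClientIPAddress=CLIENTADDR ClientMachineName=CLIENTMACHINE ClientProcessName=CLIENTPROCESS
ClientVersion=CLIENTVERSION ClientRequestId=CLIENTREQID Item=ITEM
ModifiedProperties=MODIFIEDPROPERTIES SendAsUserSmtp=SENDADDR SendAsUserMailboxGuid=SENDMBGUID
SendOnBehalfOfUserSmtp=SENDONADDR SendOnBehalfOfUserMailboxGuid=SENDONMBGUID
""".split())
# Assumptions for illustration: principals and rights treated as an over-broad folder grant.
BROAD = {"everyone", "default", "anonymous"}
RISKY = {"Owner", "EditAny", "DeleteAny"}

def to_row(event):
    """Map one audit record to table columns; strings are trimmed (drops the trailing CRLF)."""
    row = {"TABLE": "Office365ExchangeItem", "SNAREDATAMAP": {}}
    for key, value in event.items():
        if key in COLUMNS:
            row[COLUMNS[key]] = value.strip() if isinstance(value, str) else value
        else:
            row["SNAREDATAMAP"][key] = value  # unclassified field
    return row

def triage(row):
    """Return review flags derived only from the mapped columns."""
    flags = []
    if row.get("EXTERNALACCESS") is True:
        flags.append("external-access")
    if row.get("LOGONUSERSID") and row.get("LOGONUSERSID") != row.get("MAILBOXOWNERSID"):
        flags.append("non-owner-logon")
    item = row.get("ITEM") if isinstance(row.get("ITEM"), dict) else {}
    folder = item.get("ParentFolder") if isinstance(item.get("ParentFolder"), dict) else {}
    rights = {r.strip() for r in str(folder.get("MemberRights", "")).split(",")}
    if str(folder.get("MemberUpn", "")).lower() in BROAD and rights & RISKY:
        flags.append("broad-folder-permission")
    return flags

# Constructed sample: a shortened version of the event shown under Log Structure.
SAMPLE = json.loads("""[{"Operation": "ModifyFolderPermissions", "RecordType": 2,
 "ExternalAccess": false, "LogonUserSid": "S-1-5-44-1", "MailboxOwnerSid": "S-1-5-44-1",
 "OriginatingServer": "DEFPR01MB5223 (15.16.5500.000)\\r\\n",
 "Item": {"ParentFolder": {"MemberUpn": "Everyone", "Name": "test-dir",
          "MemberRights": "ReadAny, Create, EditAny, Owner, Visible"}}}]""")
ROWS = [to_row(e) for e in SAMPLE]
```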

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema?view=o365-worldwide#exchange-mailbox-schema