Description

Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages.

Log Structure

Sample of Office365ExchangeItemGroup Event (in JSON format)
[
  {
    "CreationTime": "2022-03-15T10:56:33",
    "Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
    "Operation": "SoftDelete",
    "OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
    "RecordType": 3,
    "ResultStatus": "Succeeded",
    "UserKey": "1153977025279851686@contoso.onmicrosoft.com",
    "UserType": 0,
    "Version": 1,
    "Workload": "Exchange",
    "ClientIP": "134.170.188.221",
    "UserId": "admin@contoso.onmicrosoft.com",
    "AppId": "00012343-1111-0ff1-ef22-000000000000",
    "ClientIPAddress": "134.170.188.221",
    "ClientInfoString": "Client=OWA;Action=ViaProxy",
    "ExternalAccess": false,
    "InternalLogonType": 0,
    "LogonType": 0,
    "LogonUserSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
    "MailboxGuid": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
    "MailboxOwnerSid": "S-1-5-44-1234564413-1234536233-543218302-42844876",
    "MailboxOwnerUPN": "admin@contoso.onmicrosoft.com",
    "OrganizationName": "contoso.onmicrosoft.com",
    "OriginatingServer": "DEFPR01MB5223 (15.16.5500.000)\r\n",
    "SessionId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
    "AffectedItems": [
      {
        "Id": "RgXXXXBfilsyPsriQIl0rq3TWIlUBwBgU5LBEA0rTKAxHEa3YAjjBBBCCCEKDDBgU5LBEA5rTKAxHEa3YAjjAABk0FUNAAAJ",
        "InternetMessageId": "b27f25405d1749f98679999cb1a2dccb-ABCDEFKQOJXWILKNK4YVA7CPGM3LMNOPONZWCZ3FINSW45DFOJ6E8Q2ENFTWK43UL4YDGMBWGIZHYU3SORRY====@microsoft.com",
        "ParentFolder": {
          "Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
          "Path": "\\Deleted Items"
        },
        "Subject": "Weekly digest: Microsoft service updates"
      }
    ],
    "CrossMailboxOperation": false,
    "Folder": {
      "Id": "LgCCCCBfilsyPsriQIl0rq9TWIlUARXgU5LBEA9rTKAxHEa3YAjjAAAY2qUXBBBC",
      "Path": "\\Deleted Items"
    }
  }
]

Table Fields

Field

Description

TABLE

Office365ExchangeItemGroup

RECORDTYPE

Based on RecordType, this field indicates the operation performed by the record.
For this log type its value is 3.
For available RecordType values, you can visit Microsoft’s documentation here.

APPID

Based on AppId, there’s no available documentation for this field.

CLIENTAPPDID

Based on ClientAppId, there’s no available documentation for this field.

LOGONTYPE

Based on LogonType, this field indicates the type of user who accessed the mailbox and performed the operation that was logged.

INTERNALLOGONTYPE

Based on InternalLogonType, this field is reserved for internal use.

MAILBOXGUID

Based on MailboxGuid, this field contains the Exchange GUID of the mailbox that was accessed.

MAILBOXOWNERUPN

Based on MailboxOwnerUPN, this field contains the email address of the person who owns the mailbox that was accessed.

MAILBOXOWNERSID

Based on MailboxOwnerSid, this field contains the SID of the mailbox owner.

MAILBOXOWNERMASTERSID

Based on MailboxOwnerMasterAccountSid, this field contains the mailbox owner account's master account SID.

LOGONUSERSID

Based on LogonUserSid, this field contains the SID of the user who performed the operation.

LOGONUSERNAME

Based on LogonUserDisplayName, this field contains the user-friendly name of the user who performed the operation.

EXTERNALACCESS

Based on ExternalAccess, this field is true if the logon user's domain is different from the mailbox owner's domain.

ORIGINATINGSERVER

Based on OriginatingServer, this field indicates where the operation originated.

ORGNAME

Based on OrganizationName, this field contains the name of the tenant.

CLIENTINFO

Based on ClientInfoString, this field contains information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information.

CLIENTADDR

Based on ClientIPAddress, this field contains the IP address of the device that was used when the operation was logged.
The IP address is displayed in either an IPv4 or IPv6 address format.

CLIENTMACHINE

Based on ClientMachineName, this field contains the machine name that hosts the Outlook client.

CLIENTPROCESS

Based on ClientProcessName, this field contains the email client that was used to access the mailbox.

CLIENTVERSION

Based on ClientVersion, this field contains the version of the email client.

CLIENTREQID

Based on ClientRequestId, there’s no available documentation for this field.

SESSIONID

Based on SessionId, there’s no available documentation for this field.

DIR

Based on Folder, this field contains the folder where a group of items is located.

CROSSMBOPERATION

Based on CrossMailboxOperation, this field indicates if the operation involved more than one mailbox.

DESTMBID

Based on DestMailboxId, this field specifies the target mailbox GUID.
Set only if the CrossMailboxOperations parameter is True.

DESTMBUPN

Based on DestMailboxOwnerUPN, this field specifies the UPN of the owner of the target mailbox.
Set only if the CrossMailboxOperations parameter is True.

DESTMBSID

Based on DestMailboxOwnerSid, this field specifies the SID of the target mailbox.
Set only if the CrossMailboxOperations parameter is True.

DESTMBMASTERSID

Based on DestMailboxOwnerMasterAccountSid, this field specifies the master account SID of the target mailbox owner.
Set only if the CrossMailboxOperations parameter is True.

DESTDIR

Based on DestFolder, this field contains the destination folder, for operations such as Move.

SRCDIRS

Based on Folders, this field contains information about the source folders involved in an operation; for example, if folders are selected and then deleted.

AFFECTEDITEMS

Based on AffectedItems, this field contains information about the affected item(s) in the group.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP.
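
The field table above, applied to one event, as an added Python example (not the product's own parser). The key-to-column pairs are read off this page's table; normalize() and triage() are hypothetical names, trimming string values is an assumption, and the event is constructed from the page's sample with a different logon SID.

```python
import json

# JSON key -> table field, as listed in the field table on this page.
FIELD_MAP = {
    "RecordType": "RECORDTYPE", "AppId": "APPID", "ClientAppId": "CLIENTAPPDID",
    "LogonType": "LOGONTYPE", "InternalLogonType": "INTERNALLOGONTYPE",
    "MailboxGuid": "MAILBOXGUID", "MailboxOwnerUPN": "MAILBOXOWNERUPN",
    "MailboxOwnerSid": "MAILBOXOWNERSID", "LogonUserSid": "LOGONUSERSID",
    "MailboxOwnerMasterAccountSid": "MAILBOXOWNERMASTERSID",
    "LogonUserDisplayName": "LOGONUSERNAME", "ExternalAccess": "EXTERNALACCESS",
    "OriginatingServer": "ORIGINATINGSERVER", "OrganizationName": "ORGNAME",
    "ClientInfoString": "CLIENTINFO", "ClientIPAddress": "CLIENTADDR",
    "ClientMachineName": "CLIENTMACHINE", "ClientProcessName": "CLIENTPROCESS",
    "ClientVersion": "CLIENTVERSION", "ClientRequestId": "CLIENTREQID",
    "SessionId": "SESSIONID", "Folder": "DIR", "DestFolder": "DESTDIR",
    "CrossMailboxOperation": "CROSSMBOPERATION", "DestMailboxId": "DESTMBID",
    "DestMailboxOwnerUPN": "DESTMBUPN", "DestMailboxOwnerSid": "DESTMBSID",
    "DestMailboxOwnerMasterAccountSid": "DESTMBMASTERSID",
    "Folders": "SRCDIRS", "AffectedItems": "AFFECTEDITEMS",
}

def normalize(event):
    """Split one event into table fields; keys not in the table go to SNAREDATAMAP."""
    row = {"TABLE": "Office365ExchangeItemGroup", "SNAREDATAMAP": {}}
    for key, value in event.items():
        if isinstance(value, str):
            value = value.strip()  # assumption: drop the trailing \r\n on OriginatingServer
        if key in FIELD_MAP:
            row[FIELD_MAP[key]] = value
        else:
            row["SNAREDATAMAP"][key] = value
    return row

def triage(row):
    """Return review flags derived only from fields described in the table."""
    logon, owner = row.get("LOGONUSERSID"), row.get("MAILBOXOWNERSID")
    checks = {
        "non-owner": bool(logon and owner and logon != owner),
        "external-domain": row.get("EXTERNALACCESS") is True,
        "cross-mailbox": row.get("CROSSMBOPERATION") is True,
    }
    return [name for name, hit in checks.items() if hit]

# Constructed event: trimmed from the page's sample, with differing constructed SIDs.
SAMPLE = json.loads(r'''{"RecordType": 3, "Operation": "SoftDelete",
 "LogonUserSid": "S-1-5-21-0-0-0-1111", "MailboxOwnerSid": "S-1-5-21-0-0-0-2222",
 "ExternalAccess": false, "CrossMailboxOperation": false,
 "OriginatingServer": "DEFPR01MB5223 (15.16.5500.000)\r\n",
 "Folder": {"Id": "constructed", "Path": "\\Deleted Items"}}''')
```

For SAMPLE, triage(normalize(SAMPLE)) flags the record as a non-owner action, and Operation ends up in SNAREDATAMAP because the table has no column for it.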

Notes

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#exchange-mailbox-schema

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema?view=o365-worldwide#exchangemailboxauditgrouprecord-schema