Description
Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleted one or more email messages.
Log Structure
Table Fields
Field | Description |
|---|---|
TABLE | Office365ExchangeItemGroup |
RECORDTYPE | RecordType is “3” - details here. |
APPID | AppId - No available documentation for this field. |
CLIENTAPPDID | ClientAppId - No available documentation for this field. |
LOGONTYPE | LogonType - Indicates the type of user who accessed the mailbox and performed the operation that was logged. |
INTERNALLOGONTYPE | InternalLogonType - Reserved for internal use. |
MAILBOXGUID | MailboxGuid - The Exchange GUID of the mailbox that was accessed. |
MAILBOXOWNERUPN | MailboxOwnerUPN - The email address of the person who owns the mailbox that was accessed. |
MAILBOXOWNERSID | MailboxOwnerSid - The SID of the mailbox owner. |
MAILBOXOWNERMASTERSID | MailboxOwnerMasterAccountSid - Mailbox owner account's master account SID. |
LOGONUSERSID | LogonUserSid - The SID of the user who performed the operation. |
LOGONUSERNAME | LogonUserDisplayName - The user-friendly name of the user who performed the operation. |
EXTERNALACCESS | ExternalAccess - This is true if the logon user's domain is different from the mailbox owner's domain. |
ORIGINATINGSERVER | OriginatingServer - This is from where the operation originated. |
ORGNAME | OrganizationName - The name of the tenant. |
CLIENTINFO | ClientInfoString - Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
CLIENTADDR | ClientIPAddress - The IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format. |
CLIENTMACHINE | ClientMachineName - The machine name that hosts the Outlook client. |
CLIENTPROCESS | ClientProcessName - The email client that was used to access the mailbox. |
CLIENTVERSION | ClientVersion - The version of the email client . |
CLIENTREQID | ClientRequestId - No available documentation for this field. |
SESSIONID | SessionId - No available documentation for this field. |
DIR | Folder - The folder where a group of items is located. |
CROSSMBOPERATION | CrossMailboxOperation - Indicates if the operation involved more than one mailbox. |
DESTMBID | DestMailboxId - Set only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID. |
DESTMBUPN | DestMailboxOwnerUPN - Set only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox. |
DESTMBSID | DestMailboxOwnerSid - Set only if the CrossMailboxOperations parameter is True. Specifies the SID of the target mailbox. |
DESTMBMASTERSID | DestMailboxOwnerMasterAccountSid - Set only if the CrossMailboxOperations parameter is True. Specifies the SID for the master account SID of the target mailbox owner. |
DESTDIR | DestFolder - The destination folder, for operations such as Move. |
SRCDIRS | Folders - Information about the source folders involved in an operation; For example, if folders are selected and then deleted. |
AFFECTEDITEMS | AffectedItems - Information about each item in the group. |
SNAREDATAMAP | All unclassified field/s in the log will be pushed into the SNAREDATAMAP. |