Office365ExchangeItem log type
- Svetlana Sheptiy
- Marlon Morales
Description
Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.
Log Structure
Table Fields
Field | Description |
|---|---|
TABLE | Office365ExchangeItem |
RECORDTYPE | Based on RecordType, this field indicates the operation performed by the record. |
APPID | Based on AppId, there’s no available documentation for this field. |
CLIENTAPPDID | Based on ClientAppId, there’s no available documentation for this field. |
LOGONTYPE | Based on LogonType, this field indicates the type of user who accessed the mailbox and performed the operation that was logged. |
INTERNALLOGONTYPE | Based on InternalLogonType, this field indicates where it is for internal use. |
MAILBOXGUID | Based on MailboxGuid, this field contains the Exchange GUID of the mailbox that was accessed. |
MAILBOXOWNERUPN | Based on MailboxOwnerUPN, this field contains the email address of the person who owns the mailbox that was accessed. |
MAILBOXOWNERSID | Based on MailboxOwnerSid, this field contains the SID of the mailbox owner. |
MAILBOXOWNERMASTERSID | Based on MailboxOwnerMasterAccountSid, this field contains the Mailbox owner account's master account SID. |
LOGONUSERSID | Based on LogonUserSid, this field contains the SID of the user who performed the operation. |
LOGONUSERNAME | Based on LogonUserDisplayName, this field contains the user-friendly name of the user who performed the operation. |
EXTERNALACCESS | Based on ExternalAccess, this field when set to true means that the logon user's domain is different from the mailbox owner's domain. |
ORIGINATINGSERVER | Based on OriginatingServer, this field contains the details where the operation originated. |
ORGNAME | Based on OrganizationName, this field contains the name of the tenant. |
CLIENTINFO | Based on ClientInfoString, this field contains the information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
CLIENTADDR | Based on ClientIPAddress, this field contains the IP address of the device that was used when the operation was logged. |
CLIENTMACHINE | Based on ClientMachineName, this field contains the machine name that hosts the Outlook client. |
CLIENTPROCESS | Based on ClientProcessName, this field contains the email client that was used to access the mailbox. |
CLIENTVERSION | Based on ClientVersion, this field contains the version of the email client. |
CLIENTREQID | Based on ClientRequestId, there’s no available documentation for this field. |
ITEM | Based on Item, this field contains the information about the operation was performed. Including details about store id, subject, parent folder and attachment(s). |
MODIFIEDPROPERTIES | Based on ModifiedProperties, this field contains the property is included for admin events, such as adding a user as a member of a site or a site collection admin group. |
SENDADDR | Based on SendAsUserSmtp, this field contains the SMTP address of the user who is being impersonated. |
SENDMBGUID | Based on SendAsUserMailboxGuid, this field contains the Exchange GUID of the mailbox that was accessed to send email as. |
SENDONADDR | Based on SendOnBehalfOfUserSmtp , this field contains the SMTP address of the user on whose behalf the email is sent. |
SENDONMBGUID | Based on SendOnBehalfOfUserMailboxGuid, this field contains the Exchange GUID of the mailbox that was accessed to send mail on behalf of. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP. |