Office365ExchangeItemGroup log type
Description
Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages.
Log Structure
Table Fields
Field | Description |
---|---|
TABLE | Office365ExchangeItemGroup |
RECORDTYPE | Based on RecordType, this field indicates the operation performed by the record. |
APPID | Based on AppId, there’s no available documentation for this field. |
CLIENTAPPDID | Based on ClientAppId, there’s no available documentation for this field. |
LOGONTYPE | Based on LogonType, this field indicates the type of user who accessed the mailbox and performed the operation that was logged. |
INTERNALLOGONTYPE | Based on InternalLogonType, this field is for internal use. |
MAILBOXGUID | Based on MailboxGuid, this field contains the Exchange GUID of the mailbox that was accessed. |
MAILBOXOWNERUPN | Based on MailboxOwnerUPN, this field contains the email address of the person who owns the mailbox that was accessed. |
MAILBOXOWNERSID | Based on MailboxOwnerSid, this field contains the SID of the mailbox owner. |
MAILBOXOWNERMASTERSID | Based on MailboxOwnerMasterAccountSid, this field contains the master account SID of the mailbox owner's account. |
LOGONUSERSID | Based on LogonUserSid, this field contains the SID of the user who performed the operation. |
LOGONUSERNAME | Based on LogonUserDisplayName, this field contains the user-friendly name of the user who performed the operation. |
EXTERNALACCESS | Based on ExternalAccess, this field, when set to true, means that the logon user's domain is different from the mailbox owner's domain. |
ORIGINATINGSERVER | Based on OriginatingServer, this field contains details of where the operation originated. |
ORGNAME | Based on OrganizationName, this field contains the name of the tenant. |
CLIENTINFO | Based on ClientInfoString, this field contains the information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
CLIENTADDR | Based on ClientIPAddress, this field contains the IP address of the device that was used when the operation was logged. |
CLIENTMACHINE | Based on ClientMachineName, this field contains the machine name that hosts the Outlook client. |
CLIENTPROCESS | Based on ClientProcessName, this field contains the email client that was used to access the mailbox. |
CLIENTVERSION | Based on ClientVersion, this field contains the version of the email client. |
CLIENTREQID | Based on ClientRequestId, there’s no available documentation for this field. |
SESSIONID | Based on SessionId, there’s no available documentation for this field. |
DIR | Based on Folder, this field contains the folder where a group of items is located. |
CROSSMBOPERATION | Based on CrossMailboxOperation, this field indicates if the operation involved more than one mailbox. |
DESTMBID | Based on DestMailboxId, this field specifies the target mailbox GUID. |
DESTMBUPN | Based on DestMailboxOwnerUPN, this field specifies the UPN of the owner of the target mailbox. |
DESTMBSID | Based on DestMailboxOwnerSid, this field specifies the SID of the target mailbox. |
DESTMBMASTERSID | Based on DestMailboxOwnerMasterAccountSid, this field specifies the master account SID of the target mailbox owner. |
DESTDIR | Based on DestFolder, this field contains the destination folder, for operations such as Move. |
SRCDIRS | Based on ClientProcessName, this field contains information about the source folders involved in an operation. |
AFFECTEDITEMS | Based on AffectedItems, this field contains the information about affected item(s) in the group. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP. |
Notes
Office 365 Management Activity API schema