Office365ExchangeItemAggregated log type
- Svetlana Sheptiy
- Marlon Morales
Description
Events related to the MailItemsAccessed mailbox auditing action.
Log Structure
Table Fields
Field | Description |
|---|---|
TABLE | Office365ExchangeItemAggregated |
RECORDTYPE | Based on RecordType, this field indicates the operation performed by the record. |
APPID | Based on AppId, there’s no available documentation for this field. |
CLIENTAPPDID | Based on ClientAppId, there’s no available documentation for this field. |
LOGONTYPE | Based on LogonType, this field indicates the type of user who accessed the mailbox and performed the operation that was logged. |
INTERNALLOGONTYPE | Based on InternalLogonType, this field indicates it is for internal use. |
MAILBOXGUID | Based on MailboxGuid, this field contains the Exchange GUID of the mailbox that was accessed. |
MAILBOXOWNERUPN | Based on MailboxOwnerUPN, this field contains the email address of the person who owns the mailbox that was accessed. |
MAILBOXOWNERSID | Based on MailboxOwnerSid, this field contains the SID of the mailbox owner. |
MAILBOXOWNERMASTERSID | Based on MailboxOwnerMasterAccountSid, this field contains the Mailbox owner account's master account SID. |
LOGONUSERSID | Based on LogonUserSid, this field contains the SID of the user who performed the operation. |
LOGONUSERNAME | Based on LogonUserDisplayName, this field contains the user-friendly name of the user who performed the operation. |
EXTERNALACCESS | Based on ExternalAccess, this field when set to true means that the logon user's domain is different from the mailbox owner's domain. |
ORIGINATINGSERVER | Based on OriginatingServer, this field contains the details the operation originated. |
ORGNAME | Based on OrganizationName, this field contains the name of the tenant. |
CLIENTINFO | Based on ClientInfoString, this field contains the information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
CLIENTADDR | Based on ClientIPAddress, this field contains the IP address of the device that was used when the operation was logged. |
CLIENTMACHINE | Based on ClientMachineName, this field contains the machine name that hosts the Outlook client. |
CLIENTPROCESS | Based on ClientProcessName, this field contains the email client that was used to access the mailbox. |
CLIENTVERSION | Based on ClientVersion, this field contains the version of the email client. |
CLIENTREQID | Based on ClientRequestId, there’s no available documentation for this field. |
SESSIONID | Based on SessionId, there’s no available documentation for this field. |
OPERATIONPROP | Based on OperationProperties, this field contains the information such as MailAccessType done in the audit record. |
FOLDERS | Based on Folders, this field contains the list of directories involved in the operation. Also contains fields: FolderItems, Id and Path. |
OPERATIONCOUNT | Based on OperationCount, this field contains the number of bind operations that were aggregated in the record. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP. |