ExchangeMailboxAuditGroupActivity

ExchangeMailboxAuditGroupActivity class

The ExchangeMailboxAuditGroupActivity type exposes the following members:

Constructors

NameDescription
ExchangeMailboxAuditGroupActivity()Initializes a new instance of the ExchangeMailboxAuditGroupActivity class

Properties

NameDescription
idUnique identifier of an audit record.
Mandatory: Yes
record_typeThe type of operation indicated by the record.
Mandatory: Yes
creation_timeThe date and time in Coordinated Universal Time (UTC) when the user performed the activity.
Mandatory: Yes
operationThe name of the user or admin activity.
For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center.
For Exchange admin activity, this property identifies the name of the cmdlet that was run.
For Dlp events, this can be “DlpRuleMatch”, “DlpRuleUndo” or “DlpInfo”, which are described under “DLP schema” below.
Mandatory: Yes
organization_idThe GUID for your organization’s Office 365 tenant.
This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
Mandatory: Yes
user_typeThe type of user that performed the operation.
Mandatory: Yes
user_keyAn alternative ID for the user identified in the UserId property.
For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.
Mandatory: Yes
workloadThe Office 365 service where the activity occurred in the Workload string. The possible values for this property are:
Exchange
SharePoint
OneDrive
AzureActiveDirectory
SecurityComplianceCenter
Sway
ThreatIntelligence
Mandatory: No
result_statusIndicates whether the action (specified in the Operation property) was successful or not.
Possible values are Succeeded, PartiallySucceded, or Failed.
For Exchange admin activity, the value is either True or False.
Mandatory: No
object_idFor SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user.
For Exchange admin audit logging, the name of the object that was modified by the cmdlet.
Mandatory: No
user_idThe UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged;
for example, my_name@my_domain_name.
Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included.
Mandatory: Yes
client_ipThe IP address of the device that was used when the activity was logged.
The IP address is displayed in either an IPv4 or IPv6 address format.
Mandatory: Yes
scopeWas this event created by a hosted O365 service or an on-premises server?
Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365.
Mandatory: No
folderThe folder where a group of items is located.
cross_mailbox_operationsIndicates if the operation involved more than one mailbox.
dest_mailbox_idSet only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID.
dest_mailbox_owner_upnSet only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox.
dest_mailbox_owner_sidSet only if the CrossMailboxOperations parameter is True. Specifies the SID of the target mailbox.
dest_mailbox_owner_master_account_sidSet only if the CrossMailboxOperations parameter is True. Specifies the SID for the master account SID of the target mailbox owner.
dest_folderThe destination folder, for operations such as Move.
foldersInformation about the source folders involved in an operation; for example, if folders are selected and then deleted.
affected_itemsInformation about each item in the group.

See Also