<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">AccessRights</span>
<span class="pill kill-chain">AppId</span>
<span class="pill kill-chain">ClientAppId</span>
<span class="pill kill-chain">ClientIP</span>
<span class="pill kill-chain">CreationTime</span>
<span class="pill kill-chain">ExternalAccess</span>
<span class="pill kill-chain">Id</span>
<span class="pill kill-chain">Identity</span>
<span class="pill kill-chain">InheritanceType</span>
<span class="pill kill-chain">ObjectId</span>
<span class="pill kill-chain">Operation</span>
<span class="pill kill-chain">OrganizationId</span>
<span class="pill kill-chain">OrganizationName</span>
<span class="pill kill-chain">OriginatingServer</span>
<span class="pill kill-chain">Parameters{}.Name</span>
<span class="pill kill-chain">Parameters{}.Value</span>
<span class="pill kill-chain">RecordType</span>
<span class="pill kill-chain">ResultStatus</span>
<span class="pill kill-chain">SessionId</span>
<span class="pill kill-chain">User</span>
<span class="pill kill-chain">UserId</span>
<span class="pill kill-chain">UserKey</span>
<span class="pill kill-chain">UserType</span>
<span class="pill kill-chain">Version</span>
<span class="pill kill-chain">Workload</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">authentication_service</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_name</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">object</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">record_type</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: O365 Add-MailboxPermission
Description
Logs the addition of mailbox permissions in Microsoft 365, including details about the mailbox, granted permissions, and the user or administrator performing the action.
Details
| Property | Value |
|---|---|
| Source | o365 |
| Sourcetype | o365:management:activity |
| Separator | Operation |
Supported Apps
- Splunk Add-on for Microsoft Office 365 (version 4.8.0)
Event Fields
Fields
Example Log
1{"AppId": "", "ClientAppId": "", "ClientIP": "18.159.234.121:30395", "CreationTime": "2020-12-15T10:18:53", "ExternalAccess": false, "Id": "bb6e31a3-e98f-493d-bbff-08d8a0e2d2b0", "ObjectId": "jhernan", "Operation": "Add-MailboxPermission", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341 (15.20.3654.025)", "Parameters": [{"Name": "Identity", "Value": "jhernan"}, {"Name": "User", "Value": "Patrick Bareiss"}, {"Name": "AccessRights", "Value": "FullAccess"}, {"Name": "InheritanceType", "Value": "All"}], "RecordType": 1, "ResultStatus": "True", "SessionId": "2be46662-a743-4a05-8744-c2f75f886512", "UserId": "pbareiss@rodsoto.onmicrosoft.com", "UserKey": "10032001020A3408", "UserType": 2, "Version": 1, "Workload": "Exchange"}
Source: GitHub | Version: 2