Data Source: O365 Set-Mailbox

Date: 2025-01-23

ID: db798c5c-928c-4972-bb42-e5f90e35865f

Author: Patrick Bareiss, Splunk

Description

Logs changes to mailbox properties in Microsoft 365, including updates to permissions, storage quotas, and configuration settings.

Details

Property	Value
Source	`o365`
Sourcetype	`o365:management:activity`
Separator	Operation

Supported Apps

Splunk Add-on for Microsoft Office 365 (version 4.8.0)

Event Fields

+ Fields


            1
            _time
          
            3
            AppId
          
            5
            ClientAppId
          
            7
            ClientIP
          
            9
            CreationTime
          
            11
            ExternalAccess
          
            13
            Id
          
            15
            Identity
          
            17
            ObjectId
          
            19
            Operation
          
            21
            OrganizationId
          
            23
            OrganizationName
          
            25
            OriginatingServer
          
            27
            Parameters{}.Name
          
            29
            Parameters{}.Value
          
            31
            Params
          
            33
            RecordType
          
            35
            ResultStatus
          
            37
            SessionId
          
            39
            UserId
          
            41
            UserKey
          
            43
            UserType
          
            45
            Version
          
            47
            Workload
          
            49
            action
          
            51
            app
          
            53
            authentication_service
          
            55
            change_type
          
            57
            command
          
            59
            dataset_name
          
            61
            date_hour
          
            63
            date_mday
          
            65
            date_minute
          
            67
            date_month
          
            69
            date_second
          
            71
            date_wday
          
            73
            date_year
          
            75
            date_zone
          
            77
            dest
          
            79
            dest_name
          
            81
            dvc
          
            83
            eventtype
          
            85
            host
          
            87
            index
          
            89
            linecount
          
            91
            object
          
            93
            object_attrs
          
            95
            object_category
          
            97
            object_id
          
            99
            punct
          
            101
            record_type
          
            103
            result
          
            105
            signature
          
            107
            source
          
            109
            sourcetype
          
            111
            splunk_server
          
            113
            src
          
            115
            src_ip
          
            117
            src_user
          
            119
            src_user_type
          
            121
            status
          
            123
            tag
          
            125
            tag::eventtype
          
            127
            tenant_id
          
            129
            timeendpos
          
            131
            timestartpos
          
            133
            user
          
            135
            user_id
          
            137
            vendor_account
          
            139
            vendor_product
          
            141

...

not set

Example Log

1{"AppId": "", "ClientAppId": "", "ClientIP": "18.192.200.190:52816", "CreationTime": "2020-12-16T12:32:28", "ExternalAccess": false, "Id": "a6a52406-0912-448d-36eb-08d8a1bea6be", "ObjectId": "bpatel", "Operation": "Set-Mailbox", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341 (15.20.3654.025)", "Parameters": [{"Name": "ForwardingAddress", "Value": ""}, {"Name": "Identity", "Value": "bpatel@rodsoto.onmicrosoft.com"}], "RecordType": 1, "ResultStatus": "True", "SessionId": "86a7cd7c-3f42-4b68-b670-4024b5461a80", "UserId": "pbareiss@rodsoto.onmicrosoft.com", "UserKey": "10032001020A3408", "UserType": 2, "Version": 1, "Workload": "Exchange"}

Source: GitHub | Version: 2