Data Source: O365 MailItemsAccessed

Description

Logs access to mailbox items in Microsoft 365, including details about the user accessing the items, the accessed content, and the method of access.

Details

Property     Value
Source       o365
Sourcetype   o365:management:activity
Separator    Operation
Detections using this data source:

Name                                              Technique                 Type
O365 Multiple Mailboxes Accessed via API          Remote Email Collection   TTP
O365 OAuth App Mailbox Access via EWS             Remote Email Collection   TTP
O365 OAuth App Mailbox Access via Graph API       Remote Email Collection   TTP

Supported Apps

Event Fields

  • _time
  • AppId
  • ClientAppId
  • ClientIPAddress
  • ClientInfoString
  • CreationTime
  • ExternalAccess
  • Folders{}.FolderItems{}.InternetMessageId
  • Folders{}.FolderItems{}.SizeInBytes
  • Folders{}.Id
  • Folders{}.Path
  • Id
  • InternalLogonType
  • IsThrottled
  • LogonType
  • LogonUserSid
  • MailAccessType
  • MailboxGuid
  • MailboxOwnerSid
  • MailboxOwnerUPN
  • Operation
  • OperationCount
  • OperationProperties{}.Name
  • OperationProperties{}.Value
  • OrganizationId
  • OrganizationName
  • OriginatingServer
  • RecordType
  • ResultStatus
  • UserId
  • UserKey
  • UserType
  • Version
  • Workload
  • app
  • authentication_service
  • command
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dvc
  • host
  • index
  • linecount
  • punct
  • signature
  • source
  • sourcetype
  • splunk_server
  • status
  • timeendpos
  • timestartpos
  • user
  • user_id
  • user_type
  • vendor_account
  • vendor_product

Example Log

{
  "CreationTime": "2024-02-01T16:07:34",
  "Id": "9cef02e9-4bfa-4c73-be7d-9dad68b9cea8",
  "Operation": "MailItemsAccessed",
  "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
  "RecordType": 50,
  "ResultStatus": "Succeeded",
  "UserKey": "100320030DF47B14",
  "UserType": 0,
  "Version": 1,
  "Workload": "Exchange",
  "UserId": "user15@splunkresearch.onmicrosoft.com",
  "AppId": "47629505-c2b6-4a80-adb1-9b3a3d233b7b",
  "ClientAppId": "47629505-c2b6-4a80-adb1-9b3a3d233b7b",
  "ClientIPAddress": "120.1.121.35",
  "ClientInfoString": "Client=WebServices;ExchangeWebServicesProxy/CrossSite/EXCH/15.20.7249.024/python-requests/2.25.1[AppId=47629505-c2b6-4a80-adb1-9b3a3d233b7b];",
  "ExternalAccess": false,
  "InternalLogonType": 0,
  "LogonType": 0,
  "LogonUserSid": "S-1-5-21-1148582062-3132321681-773847816-49307764",
  "MailboxGuid": "7cfcc8fc-0d4a-4e1c-9592-dbb3de1e3859",
  "MailboxOwnerSid": "S-1-5-21-1148582062-3132321681-773847816-49307764",
  "MailboxOwnerUPN": "user15@splunkresearch.onmicrosoft.com",
  "OperationProperties": [
    {"Name": "MailAccessType", "Value": "Bind"},
    {"Name": "IsThrottled", "Value": "False"}
  ],
  "OrganizationName": "splunkresearch.onmicrosoft.com",
  "OriginatingServer": "CH0PR18MB5530 (15.20.4200.000)\r\n",
  "Folders": [
    {
      "FolderItems": [
        {"InternetMessageId": "<CAFpGju6Zzs6HoCNQsDh0=F=vS7KHikisdRrnC_avRsZhqK2iXQ@mail.mail.com>", "SizeInBytes": 44329},
        {"InternetMessageId": "<CAFpGju6MHeSA5yKSaPK4w+p1uYWmZ_zew8kF8200_=DtqkvipA@mail.mail.com>", "SizeInBytes": 44304},
        {"InternetMessageId": "<CAFpGju7uUnyyuZmuc9rm593BsA6yeB+86GCDg5KzSE48TaAb4Q@mail.mail.com>", "SizeInBytes": 44572},
        {"InternetMessageId": "<CH0PR18MB5530506D1B68B05A99A1109FF185A@CH0PR18MB5530.namprd18.prod.outlook.com>", "SizeInBytes": 245068}
      ],
      "Id": "LgAAAAC0AxwgOj/BRq9Bs1bhMPw/AQDh+UNSDzeHSLWfq+fr83BDAAAAAAEMAAAB",
      "Path": "\\Inbox"
    }
  ],
  "OperationCount": 4
}

Required Output Fields

  • dest

  • user

  • src

  • vendor_account

  • vendor_product


Source: GitHub | Version: 2