MailBox Search

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| MailBox Search | Base Rule | General MS Exchange Mailbox Store Information | Information |
| Set - Admin Audit Log Config | Sub Rule | General Audit | Other Audit Success |
| Remove - Mailbox Permission | Sub Rule | User Account Attribute Modified | Account Modified |
| Admin Added Mailbox Permission | Sub Rule | File Monitoring Event - Permissions | Access Success |
| New - Migration Batch | Sub Rule | Key Migration Operation | Other Audit Success |
| Set - Mailbox Search | Sub Rule | General MS Exchange Information | Information |
| Admin Add Recipient Permission | Sub Rule | General CLOUD Message | Information |
| Set - CAS Mailbox | Sub Rule | General MS Exchange Warning | Warning |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| TS | N/A | N/A | N/A |
| SESSID | <session> | Text/String | Session information |
| COMMAND | <command>, <tag1> | Text/String | Command name |
| USERTYPE | <tag2> | Text/String | Type of user |
| USERKEY | <sender> | Text/String | User key information (hexadecimal value) |
| WORKLOAD | <process>, <vendorinfo> | Text/String | Audit log record type |
| RESULTCODE | <result> | Text/String | Results |
| OBJECT | <object> | Text/String | Object name |
| USER | <login> | Text/String | Source user name |
| SIP | <sip>, <sport> | IP Address, Number | Source IP address |
| OBJECTNAME | N/A | N/A | N/A |
| PARAMETERS | <sessiontype> | Text/String | N/A |
| MODIFIEDPROPERTIES | N/A | N/A | N/A |
| EXTERNALACCESS | N/A | N/A | N/A |
| ORIGINATINGSERVER | <sname> | Text/String | N/A |
| ORGANIZATIONNAME | <domain> | Text/String | N/A |
| LOGONTYPE | N/A | N/A | N/A |
| MAILBOXOWNER | N/A | N/A | N/A |
| MAILBOXMASTER | N/A | N/A | N/A |
| LOGONUSERSID | N/A | N/A | N/A |
| LOGONUSERDISPLAYNAME | N/A | N/A | N/A |
| USERAGENT | N/A | N/A | N/A |
| CLIENTIPADDRESS | N/A | N/A | N/A |
| CLIENTPROCESSNAME | N/A | N/A | N/A |
| CLIENTVERSION | N/A | N/A | N/A |
| FOLDER | N/A | N/A | N/A |
| CROSSMAILBOXOPERATIONS | N/A | N/A | N/A |
| DESTMAILBOX | N/A | N/A | N/A |
| DESTMAILBOXOWNER | N/A | N/A | N/A |
| DESTMAILBOXMASTER | N/A | N/A | N/A |
| DESTFOLDER | N/A | N/A | N/A |
| FOLDERS | N/A | N/A | N/A |
| AFFECTEDITEMS | N/A | N/A | N/A |
| ITEM | N/A | N/A | N/A |
| SENDASUSER | N/A | N/A | N/A |
| SENDONBEHALFOFUSER | N/A | N/A | N/A |