Change Auditor 7.0.1 - Office 365 and Azure Active Directory Event Reference Guide

Introduction

Change Auditor provides in-depth forensics and comprehensive auditing on all key configuration, user and administrator changes in your environments. Information for on-premises and cloud directories can be correlated to provide a single-pane-of-glass view of your synchronized Active Directory environment and Office 365 organization, making it easy to search events regardless of where they occurred.

To ensure compliance, you can automatically generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

Change Auditor audits Exchange Online, SharePoint Online, and OneDrive for Business activities that correspond to the events in the Office 365 Security & Compliance Center audit log, and Azure Active Directory activities that correspond to the events in the Azure Active Directory Audit logs, Sign-in activity report, and Risky sign-ins report.

This guide lists the Office 365 and Azure Active Directory events that can be captured when you have licensed Change Auditor for Exchange, Change Auditor for SharePoint, Change Auditor for Active Directory, and Change Auditor for Logon Activity User. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

Events

This section lists the audited events specific to Office 365 Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory and each event’s corresponding severity setting.

Office 365 Exchange Online Administration

Office 365 Exchange Online administrative cmdlet executed

Created when an administrator runs a remote PowerShell command on an object in the Exchange Online mailbox. This can occur as a result of a remote PowerShell connection to the mailbox, or indirectly as a result of an action in the web administration portal for the Office 365 Exchange Online organization.

Medium

Office 365 Exchange Online administrative cmdlet executed by external user

Created when an external user (for example, Microsoft datacenter personnel or a datacenter service account) runs a remote PowerShell command on an object in the Exchange Online mailbox.

Low

Office 365 Exchange Online Mailbox

Folder moved in online mailbox by non-owner

Created when a folder was moved in an online mailbox by a user other than the owner.

Medium

Folder moved in online mailbox by owner

Created when a folder was moved in an online mailbox by the owner. (Disabled by default.)

Low

Folder moved in online shared mailbox

Created when a folder was moved in an online shared mailbox.

Medium

Folder moved to Deleted Items in online mailbox by owner

Created when a folder was moved to the Deleted Items folder in an online mailbox by the owner. (Disabled by default.)

Low

Folder moved to Deleted Items in online shared mailbox

Created when a folder was moved to the Deleted Items folder in an online shared mailbox.

Medium

Folder moved to Deleted Items in online mailbox by non-owner

Created when a folder was moved to the Deleted Items folder in an online mailbox by a user other than the owner.

Medium

Folder opened in online mailbox by non-owner

Created when a folder is opened in a user’s mailbox by a user other than the owner.

Medium

Folder opened in online shared mailbox

Created when a folder is opened in an online shared mailbox.

Medium

Folder opened in online mailbox by owner

Created when a folder is opened in an online mailbox by the owner. (Disabled by default.)

Low

Folder hard-deleted in online mailbox by non-owner

Created when a folder was hard-deleted from an online mailbox by a user other than the owner.

Medium

Folder hard-deleted in online mailbox by owner

Created when a folder was hard-deleted from an online mailbox by the owner. (Disabled by default.)

Low

Folder hard-deleted in online shared mailbox

Created when a folder was hard-deleted from a shared online mailbox.

Medium

Folder soft-deleted in online mailbox by owner

Created when a folder was soft-deleted from an online mailbox by the owner. (Disabled by default.)

Low

Folder soft-deleted in online mailbox by non-owner

Created when a folder was soft-deleted from an online mailbox by a user other than the owner.

Medium

Folder soft-deleted in online shared mailbox

Created when a folder is soft-deleted from a shared online mailbox.

Medium

Message copied in online mailbox by non-owner

Created when a message is copied from one folder to another in a user’s online mailbox by a user other than the owner.

Medium

Message copied in online shared mailbox

Created when a message is copied from one folder to another in an online shared mailbox.

Medium

Message created in online mailbox folder by non-owner

Created when a new message is created in a user’s mailbox by a user other than the owner.

Medium

Message created in online shared mailbox

Created when a new message is created in an online shared mailbox by a user other than the owner.

Medium

Message created in online mailbox by owner

Created when a message was created in a folder in an online mailbox by the mailbox owner. (Disabled by default.)

Low

Message hard-deleted in an online mailbox by non-owner

Created when a message is purged from a user’s Deleted Items list by a user other than the owner.

Medium

Message hard-deleted in online mailbox by owner

Created when a message was hard-deleted from an online mailbox by the mailbox owner. (Disabled by default.)

Low

Message hard-deleted in online shared mailbox

Created when a message is purged from an online shared mailbox.

Medium

Message moved in online mailbox by non-owner

Created when a message is moved from one folder to another in a user’s mailbox by a user other than the owner.

Medium

Message moved in online mailbox by owner

Created when a message was moved in an online mailbox by the mailbox owner. (Disabled by default.)

Low

Message moved in online shared mailbox

Created when a message is moved from one folder to another in an online shared mailbox.

Medium

Message moved to Deleted Items in online mailbox by non-owner

Created when a message is moved to the Deleted Items folder in a user’s online mailbox by a user other than the owner.

Medium

Message moved to Deleted Items in online shared mailbox

Created when a message is moved to the Deleted Items folder in an online shared mailbox.

Medium

Message moved to Deleted Items in online mailbox by owner

Created when a message was moved to the Deleted Items folder in an online mailbox by the mailbox owner. (Disabled by default.)

Low

Message opened in online mailbox by non-owner

Created when a message was opened in a folder in an online mailbox by a user other than the owner.

Medium

Message opened in online shared mailbox

Created when a message was opened in a folder in an online shared mailbox.

Low

Message sent as another user in online mailbox by owner

Created when a user sends a message as another user from their own online mailbox. (Disabled by default.)

Medium

Message sent as another user in online shared mailbox

Created when a user sends a message as another user from an online shared mailbox.

Medium

Message sent as another user in online mailbox by non-owner

Created when a user other than the owner sends a message as another user from an online mailbox.

Medium

Message sent on behalf of another user in online mailbox by owner

Created when a user sends a message on behalf of another user from their own online mailbox. (Disabled by default.)

Medium

Message sent on behalf of another user in online mailbox by non-owner

Created when a user other than the owner sends a message on behalf of another user from an online mailbox.

Medium

Message sent on behalf of another user in online shared mailbox

Created when a user sends a message as another user from an online shared mailbox.

Medium

Message soft-deleted in online mailbox by non-owner

Created when a message is deleted from an online mailbox by a non-owner using the Outlook shift-delete function.

Medium

Message soft-deleted in online mailbox by owner

Created when a message is deleted from a user’s online mailbox using the Outlook shift-delete function. (Disabled by default.)

Low

Message soft-deleted in online shared mailbox

Created when a message is deleted from an online shared mailbox using the Outlook shift-delete function.

Medium

Message updated in online mailbox by non-owner

Created when certain message properties were changed in a user’s mailbox by a user other than the owner.

Medium

Message updated in online mailbox by owner

Created when a message is updated in an online mailbox by the owner. (Disabled by default.)

Low

Message updated in online shared mailbox

Created when certain message properties were changed in an online shared mailbox.

Medium

Online Mailbox login by owner

Created when a mailbox owner logs in to an online mailbox.

Low

Office 365 Exchange Online Mailbox event

Generic Exchange Online Mailbox event with a dynamically constructed event description (What statement). The event is created when Exchange Online Mailbox activity is detected that does not have a corresponding event defined in Change Auditor.

Low
