Interpreting the Office 365 MailItemsAccessed Audit Event

If you have Office 365 E5 licenses, your mailboxes generate MailItemsAccessed events. These events are stored in the Office 365 audit log and can be used for investigating potentially compromised mailboxes. Useful information is in the audit events, but some processing is needed to extract the full benefit. Here's how to do it with PowerShell.

 

https://www.petri.com/interpreting-the-office-365-mailitemsaccessed-audit-event

5 Replies

How did you get it to work though? Still zero events captured here, still not able to add MailItemsAccessed to the Audit properties, still throws a license error.

Of course. Or do you think I compose these articles under the influence of magic mushrooms?

Um, the question was "how" :)

I did absolutely nothing. The events appear for accounts with E5 licenses.

Well, still no luck in my tenant, with E5. The wait game continues...