Document toolboxDocument toolbox

mail.exchange

Owned by Juan Tomás Alonso Nieto (Deactivated), created
Last updated: Sept 08, 2023
2 min read
[ 1 Introduction ] [ 2 Valid tags and data tables  ] [ 3 Table structure ]

Introduction

The tags beginning with mail.exchange identify events generated by Microsoft Exchange.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as mail.exchange. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

Microsoft Exchange Server

mail.exchange.messagetracking

mail.exchange.messagetracking

mail.exchange.ncsa

mail.exchange.ncsa

mail.exchange.w3c

mail.exchange.w3c

For more information, read more About Devo tags.

Table structure

These are the fields displayed in these tables:

mail.exchange.messagetracking

Field

Type

Field transformation

Source field name

Extra fields

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

 

host

str

 

vhost

 

date_time

timestamp

 

 

 

client_ip

str

 

 

 

client_ip4

ip4

 

ifthenelse(not isnull(client_ip), ip4(client_ip), null)

 

client_ip

 

client_hostname

str

 

 

 

server_ip

str

 

 

 

server_ip4

ip4

 

ifthenelse(not isnull(server_ip), ip4(server_ip), null)

 

server_ip

 

server_hostname

str

 

 

 

source_context

str

 

 

 

connector_id

str

 

 

 

source

str

 

 

 

event_id

str

 

 

 

internal_message_id

str

 

 

 

message_id

str

 

 

 

network_message_id

str

 

 

 

recipient_address

str

 

 

 

recipient_status

str

 

 

 

total_bytes

int8

 

 

 

recipient_count

int4

 

 

 

related_recipient_address

str

 

 

 

reference

str

 

 

 

message_subject

str

 

 

 

sender_address

str

 

 

 

return_path

str

 

 

 

message_info

str

 

 

 

directionality

str

 

 

 

tenant_id

str

 

 

 

original_client_ip

str

 

 

 

original_client_ip4

ip4

 

ifthenelse(not isnull(original_client_ip), ip4(original_client_ip), null)

 

original_client_ip

 

original_server_ip

str

 

 

 

original_server_ip4

ip4

 

 

original_server_ip

 

custom_data

str

 

 

 

transport_traffic_type

str

 

 

 

log_id

str

 

 

 

schema_version

str

 

 

 

hostchain

str

 

 

✓

tag

str

 

 

✓

rawMessage

str

 

 

✓

mail.exchange.ncsa

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

Orighost

str

vhost

 

host

ip4

 

 

rfc931

str

 

 

username

ip4

 

 

date

str

 

 

time

str

 

 

request

str

 

 

statusCode

str

 

 

bytes

int8

 

 

hostchain

str

 

✓

tag

str

 

✓

rawMessage

str

 

✓

mail.exchange.w3c

Field

Type

Source field name

Extra fields

Field

Type

Source field name

Extra fields

eventdate

timestamp

 

 

host

str

vhost

 

date

str

 

 

time

str

 

 

cIp

ip4

 

 

csUsername

str

 

 

sSitename

str

 

 

sComputername

str

 

 

sIp

ip4

 

 

sPort

str

 

 

csMethod

str

 

 

csUriStem

str

 

 

csUriQuery

str

 

 

scStatus

str

 

 

scWind32Status

str

 

 

scBytes

int8

 

 

csBytes

int8

 

 

timeTaken

int8

 

 

csVersion

str

 

 

csHost

str

 

 

csUserAgent

str

 

 

csCookie

str

 

 

csReferer

str

 

 

hostchain

str

 

✓

tag

str

 

✓

rawMessage

str

 

✓