Query Details

Office365 Customer Lockbox

Query

# Office 365 - Customer Lockbox activities in Exchange Online, SharePoint, OneDrive, Teams and Windows 365

## Query Information

### Description

The query below surfaces Customer Lockbox request events (approvals and denials) for Exchange Online, SharePoint, OneDrive, Teams and Windows 365. The audit record properties it relies on are:

| Audit record property | Description |
| ----------------------| ------------|
| Date | The date and time when the Customer Lockbox request was approved or denied.|
| IP address | The IP address of the machine the approver used to approve or deny a request.|
| User | The service account BOXServiceAccount@[customerforest].prod.outlook.com. |
| Activity | Set-AccessToCustomerDataRequest; this is the auditing activity that is logged when you approve or deny a Customer Lockbox request.|
| Item | The Guid of the Customer Lockbox request |

#### References

- [Microsoft Purview Customer Lockbox](https://learn.microsoft.com/en-us/purview/customer-lockbox-requests)

### Microsoft 365 Defender / Microsoft Sentinel

```kql
OfficeActivity
// Set-AccessToCustomerDataRequest is the operation logged when a Lockbox request is approved or denied
| where Operation contains 'Set-AccessToCustomerDataRequest'
// Lockbox decisions are recorded under the BOXServiceAccount@[customerforest].prod.outlook.com service account
| where UserKey startswith 'BOXServiceAccount@'
// Parameters is a JSON array of {Name, Value} pairs; the query reads the request ID and decision by position
| extend RequestID = tostring(parse_json(Parameters)[2].Value)
| extend ApprovalDecision = tostring(parse_json(Parameters)[1].Value)
| project TimeGenerated, ClientIP, UserKey, ExternalAccess, Operation, RequestID, ApprovalDecision
```

Explanation

This query is designed to retrieve and display information about Customer Lockbox request activities in various Office 365 services such as Exchange Online, SharePoint, OneDrive, Teams, and Windows 365. Customer Lockbox is a feature that requires Microsoft support engineers to obtain explicit approval from a customer before accessing their data.

Here's a simple breakdown of what the query does:

  1. Source of Data: It looks at the OfficeActivity table, which logs various activities within Office 365 services.
  2. Filter: It filters the records to only include those where the operation involves setting access to customer data requests (Set-AccessToCustomerDataRequest).
  3. User Identification: It further filters to include only those activities performed by the service account BOXServiceAccount@[customerforest].prod.outlook.com.
  4. Extract Information: It extracts specific details from the activity parameters:
    • RequestID: The unique identifier for the Customer Lockbox request.
    • ApprovalDecision: Whether the request was approved or denied.
  5. Select Columns: It selects and displays the following columns:
    • TimeGenerated: The date and time when the activity occurred.
    • ClientIP: The IP address of the machine used to approve or deny the request.
    • UserKey: The service account involved.
    • ExternalAccess: Indicates if external access was involved.
    • Operation: The type of operation performed.
    • RequestID: The unique identifier for the request.
    • ApprovalDecision: The decision made (approved or denied).

In summary, this query helps you monitor and audit Customer Lockbox requests by showing when and how these requests were handled, including who approved or denied them and from which IP address.
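To make the filtering and extraction steps concrete without a Sentinel workspace, here is an added Python example (not part of the original page or the author's query) that applies the same logic to constructed OfficeActivity rows. The rows, the parameter names `RequestId`, `ApprovalDecision` and `ServiceName`, and their order inside `Parameters` are assumptions chosen to match the positional indexes the KQL uses; the example looks parameters up by name first and only falls back to position, because positional indexing breaks silently if the audit record's parameter order changes.

```python
import json
from collections import Counter

# Constructed sample rows in the shape of the Sentinel OfficeActivity table
# (not data from any real tenant). Parameters is a JSON string holding an
# array of {Name, Value} objects; the parameter names and their order are
# assumptions that line up with the positional indexes in the KQL query.
SAMPLE_OFFICE_ACTIVITY = [
    {
        "TimeGenerated": "2024-09-12T08:15:02Z",
        "Operation": "Set-AccessToCustomerDataRequest",
        "UserKey": "BOXServiceAccount@contoso.prod.outlook.com",
        "ClientIP": "203.0.113.10",
        "ExternalAccess": False,
        "Parameters": json.dumps([
            {"Name": "ServiceName", "Value": "EXO"},
            {"Name": "ApprovalDecision", "Value": "Approve"},
            {"Name": "RequestId", "Value": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"},
        ]),
    },
    {
        "TimeGenerated": "2024-09-12T09:40:41Z",
        "Operation": "Set-AccessToCustomerDataRequest",
        "UserKey": "BOXServiceAccount@contoso.prod.outlook.com",
        "ClientIP": "198.51.100.7",
        "ExternalAccess": False,
        "Parameters": json.dumps([
            {"Name": "ServiceName", "Value": "SPO"},
            {"Name": "ApprovalDecision", "Value": "Deny"},
            {"Name": "RequestId", "Value": "9b2f1c4e-1a2b-4c3d-8e9f-0a1b2c3d4e5f"},
        ]),
    },
    # Unrelated Exchange admin activity: must not pass the Operation filter.
    {
        "TimeGenerated": "2024-09-12T10:02:13Z",
        "Operation": "Set-Mailbox",
        "UserKey": "admin@contoso.onmicrosoft.com",
        "ClientIP": "192.0.2.44",
        "ExternalAccess": False,
        "Parameters": json.dumps([{"Name": "Identity", "Value": "jdoe"}]),
    },
]

LOCKBOX_OPERATION = "Set-AccessToCustomerDataRequest"
LOCKBOX_SERVICE_ACCOUNT_PREFIX = "BOXServiceAccount@"


def _parameter(params, name, position):
    """Return the value of the named parameter (case-insensitive), falling back
    to the positional index the KQL query uses when no parameter has that name."""
    for p in params:
        if str(p.get("Name", "")).lower() == name.lower():
            return str(p.get("Value", ""))
    if 0 <= position < len(params):
        return str(params[position].get("Value", ""))
    return ""


def lockbox_events(rows):
    """Python equivalent of the KQL: keep Customer Lockbox decisions logged under
    the BOXServiceAccount, then project the same columns the query does.
    KQL 'contains' and 'startswith' are case-insensitive, so compare lowercased."""
    results = []
    for row in rows:
        if LOCKBOX_OPERATION.lower() not in str(row.get("Operation", "")).lower():
            continue
        if not str(row.get("UserKey", "")).lower().startswith(LOCKBOX_SERVICE_ACCOUNT_PREFIX.lower()):
            continue
        params = json.loads(row.get("Parameters") or "[]")
        results.append({
            "TimeGenerated": row["TimeGenerated"],
            "ClientIP": row.get("ClientIP", ""),
            "UserKey": row["UserKey"],
            "ExternalAccess": row.get("ExternalAccess"),
            "Operation": row["Operation"],
            "RequestID": _parameter(params, "RequestId", 2),
            "ApprovalDecision": _parameter(params, "ApprovalDecision", 1),
        })
    return results


def decisions_by_ip(rows):
    """Count approve/deny decisions per approver IP: a quick triage view for
    spotting an approval from an address your approvers never use."""
    return Counter((e["ClientIP"], e["ApprovalDecision"]) for e in lockbox_events(rows))


if __name__ == "__main__":
    for event in lockbox_events(SAMPLE_OFFICE_ACTIVITY):
        print(event)
    print(decisions_by_ip(SAMPLE_OFFICE_ACTIVITY))
```

Run it as-is to see the two Lockbox decisions projected and the `Set-Mailbox` row dropped. The name-based lookup is the point to carry back into the KQL: if the audit record ever carries the parameters in a different order, `parse_json(Parameters)[2].Value` will return the wrong field without erroring, whereas matching on the parameter name (for example with `mv-apply` over the array) keeps the detection honest.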

Details


Alex Verboon

Released: September 12, 2024

Tables

OfficeActivity

Keywords

OfficeActivity

Operators

contains, extend, startswith, tostring, parse_json, project
