Exchange Mailbox Audit Log Event ID 25002

SourceExchange (LOGbinder EX)
LogMailbox Audit
Windows Security Log
 • Subcategory
Object Access
 • Application Generated
Type Success

25002: Operation Create - Create item in Exchange mailbox

This is an event from Exchange audit event from LOGbinder EX generated by Log  Mailbox Audit.

On this page

Exchange Create action.

An item is created for example by sending or receiving a message. Creating folders is not audited.

Free Security Log Resources by Randy

Description Fields in 25002

Field Description
Occurred Date and time when Exchange registered the cmdlet.
Operation Operation performed on the mailbox.
Result Result of the operation:
  • Failed
  • PartiallySucceeded
  • Succeeded
Originating server The host name of the server.
Mailbox GUID Destination of move or copy (if applicable) - Mailbox's Globally Unique Identifier.
Mailbox owner Mailbox user resolved name in the format DOMAIN\SamAccountName.
Mailbox owner UPN Destination of move or copy (if applicable) - Mailbox owner's User Principal Name.
Mailbox owner SID Destination of move or copy (if applicable) - Mailbox owner's SID (Security Identifier).
Folder ID ID of affected folder (if applicable).
Folder name Name of affected folder (if applicable).
Performed user name Display name of the user who performed the operation.
Performed user SID SID of the user who performed the operation.
Performed logon type Logon type of the user who performed the operation. Logon types include:
  • Owner
  • Delegate
  • Admin
Client info Details that identify which client or Exchange component performed the operation.
Client IP address IP address of the client (e.g. Outlook).
Client process name Process name of the client application as reported by the client
Client version Version of the client application as reported by the client.
Item ID ID of affected item (if applicable).
Item subject Subject of affected item (if applicable).
Additional information Additional information, if any (otherwise "n/a").

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Where Does This Event Come From?

This Event Is Produced By

Which Integrates with Your SIEM

Examples of 25002

Create item in Exchange mailbox
Occurred: 1/16/2013 10:57:25 AM
Operation: Create
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
  GUID: d74d840c-4dff-4d73-bd8c-5b7a6ce254fd
  Owner: n/a
  Owner UPN:
  Owner SID: S-1-5-21-2141518605-3280587107-2299868870-1113
  Folder: \Drafts
Performed By
  User name: Administrator
  User SID: S-1-5-21-2141518605-3280587107-2299868870-500
  Logon type: Owner
  Info: Client=OWA
  IP address: fe80::c005:56c7:e881:f29eAdministrator
  Process name: n/a
  Version: n/a
  Subject: Send as Jack
Additional information: Owner= [Jack Striker]; LastAccessed= [2013-01-16T10:57:25.9308033-05:00]; LogonType= [Delegate]

For more information, see

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources