S-1-5-18 is using SendAs permissions in Office 365 (Exchange)

Venkatesh 36 Reputation points
2020-08-19T11:23:03.867+00:00

Hi - "S-1-5-18" is a well-known operating system service account. In the Exchange audit logs, I notice that this account is using SendAs permissions to send email on behalf of other mailboxes. Also, "Operation":"Create" kind of events are seen in very large numbers associated with several mailboxes. What is the rationale behind these operations that are associated with "S-1-5-18"? Is this expected behavior? What is the use of this account in Office 365? I am trying to understand this because it helps me set up threat detection use cases on the SIEM.


2 answers

  1. Andy David - MVP 147.6K Reputation points MVP
    2020-08-19T13:49:19.597+00:00

  2. Joyce Shen - MSFT 16,661 Reputation points
    2020-08-20T02:55:51.503+00:00

    As Andy said, the behavior is expected. The links provided above are also very useful; they point out that:

    - Audit records with S-1-5-18 captured in the UserId property record the generation of a welcome message for a new team.
    - Audit records are generated when Teams sends a welcome message.
    - Audit records are generated for the group mailbox when a member posts a message to a conversation in an Outlook group using OWA. Records are not generated when messages are posted with other clients or arrive from guest members.
    - Audit records are generated for the group mailbox when someone updates a task in Planner.

    The link below discusses a related question as well, for your reference: Why do I see User s-1-5-18 in Investigate?

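Added example, not part of the question or either answer: one way to handle these records in a SIEM pipeline is to count S-1-5-18 events per mailbox and operation as a baseline, while still queueing for review any operation by that account outside the set reported in the question. The `triage` function, the `MailboxOwnerUPN` field name, the baseline set and the sample records are assumptions made for illustration.

```python
import json
from collections import Counter

SYSTEM_SID = "S-1-5-18"
# Operations the question reports for this account; extend from your own baseline.
BASELINE_OPS = {"Create", "SendAs"}

# Constructed sample records, not real tenant data. UserId and Operation are
# named on the page; MailboxOwnerUPN is an assumed field name.
SAMPLE = """\
{"UserId": "S-1-5-18", "Operation": "Create", "MailboxOwnerUPN": "team-a@example.com"}
{"UserId": "S-1-5-18", "Operation": "Create", "MailboxOwnerUPN": "team-a@example.com"}
{"UserId": "s-1-5-18", "Operation": "SendAs", "MailboxOwnerUPN": "group-b@example.com"}
{"UserId": "S-1-5-18", "Operation": "HardDelete", "MailboxOwnerUPN": "team-a@example.com"}
{"UserId": "alice@example.com", "Operation": "SendAs", "MailboxOwnerUPN": "shared@example.com"}
not json
"""

def triage(lines):
    """Split audit lines into (baseline counts, review queue, user-attributed records)."""
    baseline = Counter()      # (mailbox, operation) -> count of expected system events
    review, other = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            review.append({"reason": "unparseable", "raw": raw})
            continue
        # The page shows the SID in both upper and lower case, so compare case-insensitively.
        if str(rec.get("UserId", "")).upper() != SYSTEM_SID:
            other.append(rec)  # real principals: leave to the normal SendAs rules
            continue
        op = rec.get("Operation", "")
        if op in BASELINE_OPS:
            baseline[(rec.get("MailboxOwnerUPN", "unknown"), op)] += 1
        else:
            review.append({"reason": "unbaselined operation", "record": rec})
    return baseline, review, other

if __name__ == "__main__":
    counts, review, other = triage(SAMPLE.splitlines())
    for (mailbox, op), n in sorted(counts.items()):
        print(f"baseline  {mailbox:24} {op:8} x{n}")
    for item in review:
        print("review   ", item)
```

Counting rather than dropping the baseline events keeps a per-mailbox volume trend available, so a sudden change in S-1-5-18 activity on one mailbox is still visible.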
