
Events API
This page explains how to get your events. Note that the example array of events further down shows only a few entries. You can use query parameters to filter your search.
Resources
Note that the prefix of the URLs above depends on which data center you belong to. Please log in to see the full URL.
Headers
apikey | Your apikey listed in your settings to retrieve the data | int |
Filters
Filters can be supplied either as URL parameters or headers.
startid | The starting ID you wish to receive. Can be used for incremental offload of data to your own system | int |
take | Maximum number of resources to return. Default is 50 to preserve bandwidth, maximum is 10000. For queries with more than 10000 records, pagination is mandatory | int |
last | Entries are retrieved in ascending order by default. Last returns the latest X number of entries in descending order. Maximum is 10000. | int |
code | Only return entries with a certain event code; see list further down. | int |
days | By default, entries up to 30 days are returned, unless specified otherwise. If startdate is specified, days is not used. | int |
startdate | Only return entries after the specified start date (format: yyyy-mm-dd). | date |
enddate | Only return entries before and including the specified end date (format: yyyy-mm-dd). | date |
- Example filtered url to get 10 install events (code 40): /events?startid=4050334&take=10&code=40
- Pagination works by using the last id in the list and feeding it as startid in the next query
- To copy new data to your own system, we recommend storing the highest id (last entry in list) you have retrieved from a previous call and passing this number plus 1 as “startid”
- Do NOT consistently use a high “take” number or flood the api. We will automatically throttle your account
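The incremental offload described in the list above, as an added example (not code from the vendor). `BASE_URL` is a placeholder because the real prefix depends on your data center; `offload`, `http_fetch` and `fake_backend` are hypothetical names, and the in-memory backend assumes `startid` is inclusive.

```python
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://API-PREFIX.example/events"  # placeholder: real prefix depends on your data center


def http_fetch(params, apikey):
    """Real transport: one GET with the apikey header and the filters as URL parameters."""
    url = BASE_URL + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"apikey": apikey})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def offload(fetch, startid, take=50, code=None, pause=0.0):
    """Pull events from startid onwards, page by page; returns (events, next_startid)."""
    events = []
    while True:
        params = {"startid": startid, "take": take}
        if code is not None:
            params["code"] = code
        page = fetch(params)
        if not page:
            break
        events.extend(page)
        # Highest id seen plus 1, as recommended above, so no entry is fetched twice.
        startid = max(e["id"] for e in page) + 1
        if len(page) < take:
            break
        time.sleep(pause)  # space requests out; accounts that flood the API are throttled
    return events, startid


def fake_backend(store):
    """Constructed in-memory stand-in for the API (assumes inclusive startid, ascending ids)."""
    def fetch(params):
        rows = [e for e in store if e["id"] >= params["startid"]]
        if "code" in params:
            rows = [e for e in rows if e["eventCode"] == params["code"]]
        return sorted(rows, key=lambda e: e["id"])[: params["take"]]
    return fetch


# Constructed sample data: ids and event codes taken from the example response on this page.
SAMPLE = [{"id": 49287606, "eventCode": 40}, {"id": 53820480, "eventCode": 92},
          {"id": 53821158, "eventCode": 5}]
```

Against the live service, pass `lambda p: http_fetch(p, apikey)` as `fetch` and persist the returned `next_startid` between runs.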
Fields
id | The unique ID of this entry. This ID can be used to query updated information on this entry by appending it to the url to request this resource only | int |
eventCode | The event code to uniquely identify this type of event; see list further down. The code can be used as filter. | int |
eventLevel | The severity level; 0 = Informational, 1 = Warning, 2 = Alert | int |
eventText | Description of the event | string |
eventTime | Time of the event | datetime |
eventTimeUTC | Event time in Coordinated Universal Time (UTC). Will default to eventTime if not available. | datetime |
computerName | The computer name of the event | string |
userAccount | The user’s account name | int |
userName | The full name of the user | int |
alertAccount | A secondary account. For example the account added to the local administrators account by the “userAccount” user | int |
auditLogURL | URL to the auditlog entry (if any) | int |
rollback | Indicating if the event was rolled back. An example is a user adding a user to the local administrators group that was rolled back | bit |
additionalData | Additional data can for example be the version of the Admin By Request install/uninstall event or the tampered registry key | string |
application.file | The file name of the application (if any) | string |
application.path | The file path of the application | string |
application.name | The name of the application (description property of file) | string |
application.vendor | The vendor of the application | string |
application.version | The version of the file | string |
application.sha256 | The checksum of the file | string |
Event Codes
Example successful request
[
  {
    "id": 49287606,
    "eventCode": 40,
    "eventLevel": 0,
    "eventText": "Admin By Request Workstation installed",
    "eventTime": "2022-01-23T15:49:20.597",
    "eventTimeUTC": "2022-01-23T15:49:20.597",
    "computerName": "FTWIN11",
    "userAccount": null,
    "userName": null,
    "alertAccount": null,
    "auditLogURL": null,
    "rollback": false,
    "additionalData": "7.3.0",
    "application": {
      "file": null,
      "path": null,
      "name": null,
      "vendor": null,
      "version": null,
      "sha256": null
    }
  },
  {
    "id": 53820480,
    "eventCode": 92,
    "eventLevel": 0,
    "eventText": "Execution of file blocked by policy",
    "eventTime": "2022-01-27T12:16:38.817",
    "eventTimeUTC": "2022-01-27T12:16:38.817",
    "computerName": "FTWIN11",
    "userAccount": "TEST",
    "userName": "FastTrack Support",
    "alertAccount": null,
    "auditLogURL": null,
    "rollback": false,
    "additionalData": null,
    "application": {
      "file": "msedge.exe",
      "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application",
      "name": "Microsoft Edge",
      "vendor": "Microsoft Corporation",
      "version": "msedge.exe",
      "sha256": "3BC499B8B30FE66A91FABC2FF5AE6E6A9452C116AEDCAC7DBC5AEEEAEED2EB9C"
    }
  },
  {
    "id": 53821158,
    "eventCode": 5,
    "eventLevel": 0,
    "eventText": "Audited administrator logged on",
    "eventTime": "2022-01-27T12:30:13.357",
    "eventTimeUTC": "2022-01-27T12:30:13.357",
    "computerName": "FTWIN11",
    "userAccount": "ADMINISTRATOR",
    "userName": "Administrator",
    "alertAccount": null,
    "auditLogURL": null,
    "rollback": false,
    "additionalData": null,
    "application": {
      "file": null,
      "path": null,
      "name": null,
      "vendor": null,
      "version": null,
      "sha256": null
    }
  }
]