Public API > Events API.

Documentation Menu

Events API

This page explains how to get your events. Note that the example array of events further down shows only a few entries. You can use query parameters to filter your search.


/eventsReturns an array of eventsGET
/events/{id}Returns one eventGET
/computers/{computername}/eventsReturns an array of events for a certain computerGET
/users/{user}/eventsReturns an array of events for a certain user (user account or full name)GET
Note that the prefix of urls above depend on which data center you belong to. Please log in to see the full url.


apikeyYour apikey listed in your settings to retrieve the dataint


Filters can be supplied either as URL parameters or headers.

startidThe starting ID you wish to receive. Can be used for incremental offload of data to your own systemint
takeMaximum number of resources to return. Default is 50 to preserve bandwidth, maximum is 10000. For queries with more than 10000 records, pagination is mandatoryint
lastEntries are retrieved in ascending order by default. Last returns the latest X number of entries in descending order. Maximum is
codeOnly return entries with a certain event code; see list further
daysBy default, entries up to 30 days are returned, unless specied otherwise. If startdate is specified, days is not
startdateOnly return entries after the specified start date (format: yyyy-mm-dd).date
enddateOnly return entries before and including the specified end date (format: yyyy-mm-dd).date
  • Example filtered url to get 10 install events (code 40): /events?startid=4050334&take=10&code=40
  • Pagination works by using the last id in the list and feeding it as startid in the next query
  • To copy new data to your own system, we recommend to store the highest id (last entry in list) you have retrieved from a previous call and pass this number plus 1 as “startid”
  • Do NOT consistently use a high “take” number or flood the api. We will automatically throttle your account


idThe unique ID of this entry. This ID can be used to query updated information on this entry by appending it to the url to request this resource onlyint
eventCodeThe event code to uniquely identify this type of event; see list further down. The code can be used as
eventLevelThe severity level; 0 = Informational, 1 = Warning, 2 = Alertint
eventTextDescription of the eventstring
eventTimeTime of the eventdatetime
eventTimeUTCEvent time in Coordinated Universal Time (UTC). Will default to eventTime if not available.datetime
computerNameThe computer name of the eventstring
userAccountThe user’s account nameint
userNameThe full name of the userint
alertAccountA secondary account. For example the account added to the local administrators account by the “userAccount” userint
auditLogURLURL to the auditlog entry (if any)int
rollbackInidicating if the event was rolled back. An example is a user adding a user to the local administrators group that was rolled backbit
additionalDataAdditional data can for example be the version of the Admin By Request install/uninstall event or the tampered registry keystring
application.fileThe file name of the application (if any)string
application.pathThe file path of the applicationstring
application.nameThe name of the application (description property of file)string
application.vendorThe vendor of the applicationstring
application.versionThe version of the filestring
application.sha256The checksum of the filestring

Event Codes

1User added to local admins group
2User downgraded from administrator to user
3Group removed from local adminstrators group
5Audited administrator logged on
6Unaudited administrator logged on
8Support assist initiated
10Password changed for local user
11Local user disabled
12Local user enabled
13Local user created
14Local user deleted
20Policy registry key changed
21Policy registry key added
30Uninstall attempted
31Uninstalled by PIN code
32PIN code uninstall attempted unsuccessfully
40Admin By Request Workstation installed
41Admin By Request Workstation uninstalled
42Admin By Request Server installed
43Admin By Request Server uninstalled
50Diagnostics submitted
60User restored to local administrators group
61Group restored to local administrators group
70Break Glass Account created
71Break Glass Account removed
72Break Glass Account logged on
73Clock tampering using Break Glass account
80Azure Device Administrator restored
81Azure Company Administrator restored
90Admin Session denied by policy
91Clock tampering during Admin Session
92Execution of file blocked by policy
93Execution of file blocked due to detected malware
94Execution of file blocked due to suspected malware
95Admin Session PIN code used
97Application block PIN code used
98Elevated application block PIN code used
100Application block PIN 2 issued
101Uninstall PIN issued
102Break Glass Account issued
103Admin Session PIN 2 issued
110Local administrator account revoke issued
111Local administrator group revoke issued
112Local administrator account revoke cancelled
113Local administrator group revoke cancelled
114Local administrator account restore issued
115Local administrator group restore issued
116Local administrator account restore cancelled
117Local administrator group restore cancelled
120Device owner set
121Device ownership released
122Device owner set by administrator
123Admin Session denied by lack of ownership
124Execution of file blocked by lack of ownership
130Admin Session denied by lack of Intune compliance
131Execution of file blocked by lack of Intune compliance
Down ArrowUp ArrowLeft ArrowRight ArrowHide

Example successful request

        “id”: 49287606,
        “eventCode”: 40,
        “eventLevel”: 0,
        “eventText”: “Admin By Request Workstation installed”,
        “eventTime”: “2022-01-23T15:49:20.597”,
        “eventTimeUTC”: “2022-01-23T15:49:20.597”,
        “computerName”: “FTWIN11”,
        “userAccount”: null,
        “userName”: null,
        “alertAccount”: null,
        “auditLogURL”: null,
        “rollback”: false,
        “additionalData”: “7.3.0”,
        “application”: {
            “file”: null,
            “path”: null,
            “name”: null,
            “vendor”: null,
            “version”: null,
            “sha256”: null
        “id”: 53820480,
        “eventCode”: 92,
        “eventLevel”: 0,
        “eventText”: “Execution of file blocked by policy”,
        “eventTime”: “2022-01-27T12:16:38.817”,
        “eventTimeUTC”: “2022-01-27T12:16:38.817”,
        “computerName”: “FTWIN11”,
        “userAccount”: “TEST”,
        “userName”: “FastTrack Support”,
        “alertAccount”: null,
        “auditLogURL”: null,
        “rollback”: false,
        “additionalData”: null,
        “application”: {
            “file”: “msedge.exe”,
            “path”: “C:\\Program Files (x86)\\Microsoft\\Edge\\Application”,
            “name”: “Microsoft Edge”,
            “vendor”: “Microsoft Corporation”,
            “version”: “msedge.exe”,
            “sha256”: “3BC499B8B30FE66A91FABC2FF5AE6E6A9452C116AEDCAC7DBC5AEEEAEED2EB9C”
        “id”: 53821158,
        “eventCode”: 5,
        “eventLevel”: 0,
        “eventText”: “Audited administrator logged on”,
        “eventTime”: “2022-01-27T12:30:13.357”,
        “eventTimeUTC”: “2022-01-27T12:30:13.357”,
        “computerName”: “FTWIN11”,
        “userAccount”: “ADMINISTRATOR”,
        “userName”: “Administrator”,
        “alertAccount”: null,
        “auditLogURL”: null,
        “rollback”: false,
        “additionalData”: null,
        “application”: {
            “file”: null,
            “path”: null,
            “name”: null,
            “vendor”: null,
            “version”: null,
            “sha256”: null