Public API > Events API.

Documentation Menu

Events API

This page explains how to get your events data extracted. Note that the example array of events further down shows only a few entries. You can use query parameters to filter your search.




Filters can be supplied either as URL parameters or headers.
  • Example filtered url to get 10 install events (code 40):
  • Pagination works by using the last id in the list and feeding it as startid in the next query
  • To copy new data to your own system, we recommend to store the highest id (last entry in list) you have retrieved from a previous call and pass this number plus 1 as “startid”
  • Please DO NOT consistently use a high “take” number or flood the api. We will automatically throttle your account


Event Codes




1User added to local admins group
2User downgraded from administrator to user
3Group removed from local adminstrators group
5Audited administrator logged on
6Unaudited administrator logged on
8Support assist initiated
10Password changed for local user
11Local user disabled
12Local user enabled
13Local user created
14Local user deleted
20Policy registry key changed
21Policy registry key added
30Uninstall attempted
31Uninstalled by PIN code
32PIN code uninstall attempted unsuccessfully
40Admin By Request Workstation installed
41Admin By Request Workstation uninstalled
42Admin By Request Server installed
43Admin By Request Server uninstalled
50Diagnostics submitted
60User restored to local administrators group
61Group restored to local administrators group
70Break Glass Account created
71Break Glass Account removed
72Break Glass Account logged on
73Clock tampering using Break Glass account
80Azure Device Administrator restored
81Azure Company Administrator restored
90Admin Session denied by policy
91Clock tampering during Admin Session
92Execution of file blocked by policy
93Execution of file blocked due to detected malware
94Execution of file blocked due to suspected malware
95Admin Session PIN code used
97Application block PIN code used
98Elevated application block PIN code used
100Application block PIN 2 issued
101Uninstall PIN issued
102Break Glass Account issued
103Admin Session PIN 2 issued
110Local administrator account revoke issued
111Local administrator group revoke issued
112Local administrator account revoke cancelled
113Local administrator group revoke cancelled
114Local administrator account restore issued
115Local administrator group restore issued
116Local administrator account restore cancelled
117Local administrator group restore cancelled
120Device owner set
121Device ownership released
122Device owner set by administrator
123Admin Session denied by lack of ownership
124Execution of file blocked by lack of ownership
130Admin Session denied by lack of Intune compliance
131Execution of file blocked by lack of Intune compliance
140Remote desktop account revoke issued
141Remote desktop group revoke issued
142Remote desktop account revoke cancelled
143Remote desktop group revoke cancelled
144Remote desktop account restore issued
145Remote desktop group restore issued
146Remote desktop account restore cancelled
147Remote desktop group restore cancelled
150User removed from remote desktop users
151Group removed from remote desktop users
152User restored to remote desktop users
153Group restored to remote desktop users
160Local administrator account addition issued
161Local administrator group addition issued
162Local administrator account addition cancelled
163Local administrator group addition cancelled
170Remote desktop account addition issued
171Remote desktop group addition issued
172Remote desktop account addition cancelled
173Remote desktop group addition cancelled
180Rotating admin account created
181Rotating admin account removed
182Rotating admin account logged on

Example of Successful Request

        "id": 49287606,
        "eventCode": 40,
        "eventLevel": 0,
        "eventText": "Admin By Request Workstation installed",
        "eventTime": "2022-01-23T15:49:20.597",
        "eventTimeUTC": "2022-01-23T15:49:20.597",
        "computerName": "FTWIN11",
        "userAccount": null,
        "userName": null,
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": "7.3.0",
        "application": {
            "file": null,
            "path": null,
            "name": null,
            "vendor": null,
            "version": null,
            "sha256": null
        "id": 53820480,
        "eventCode": 92,
        "eventLevel": 0,
        "eventText": "Execution of file blocked by policy",
        "eventTime": "2022-01-27T12:16:38.817",
        "eventTimeUTC": "2022-01-27T12:16:38.817",
        "computerName": "FTWIN11",
        "userAccount": "TEST",
        "userName": "FastTrack Support",
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": null,
        "application": {
            "file": "msedge.exe",
            "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application",
            "name": "Microsoft Edge",
            "vendor": "Microsoft Corporation",
            "version": "msedge.exe",
            "sha256": "3BC499B8B30FE66A91FABC2FF5AE6E6A9452C116AEDCAC7DBC5AEEEAEED2EB9C"
        "id": 53821158,
        "eventCode": 5,
        "eventLevel": 0,
        "eventText": "Audited administrator logged on",
        "eventTime": "2022-01-27T12:30:13.357",
        "eventTimeUTC": "2022-01-27T12:30:13.357",
        "computerName": "FTWIN11",
        "userAccount": "ADMINISTRATOR",
        "userName": "Administrator",
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": null,
        "application": {
            "file": null,
            "path": null,
            "name": null,
            "vendor": null,
            "version": null,
            "sha256": null