Events API

This page explains how to get your events. Note that the example array of events further down shows only a few entries. You can use query parameters to filter your search.


| Resource | Description | Method |
|---|---|---|
| /events | Returns an array of events | GET |
| /events/{id} | Returns one event | GET |
| /computers/{computername}/events | Returns an array of events for a certain computer | GET |
| /users/{user}/events | Returns an array of events for a certain user (user account or full name) | GET |

Note that the prefix of the URLs above depends on which data center you belong to. If USA, use Otherwise (i.e., Europe), use


| Name | Description | Type |
|---|---|---|
| apikey | Your apikey listed in your settings to retrieve the data | int |


Filters can be supplied either as URL parameters or headers.

| Name | Description | Type |
|---|---|---|
| startid | The starting ID you wish to receive. Can be used for incremental offload of data to your own system | int |
| take | Maximum number of resources to return. Default is 50 to preserve bandwidth, maximum is 10000. For queries with more than 10000 records, pagination is mandatory | int |
| last | Entries are retrieved in ascending order by default. Last returns the latest X number of entries in descending order. Maximum is 10000. | int |
| code | Only return entries with a certain event code; see list further down. | int |
| days | By default, entries up to 30 days are returned, unless specified otherwise. If startdate is specified, days is not used. | int |
| startdate | Only return entries after the specified start date (format: yyyy-mm-dd). | date |
| enddate | Only return entries before and including the specified end date (format: yyyy-mm-dd). | date |

  • Example filtered URL to get 10 install events (code 40): /events?startid=4050334&take=10&code=40
  • Pagination works by using the last id in the list and feeding it as startid in the next query
  • To copy new data to your own system, we recommend storing the highest id (last entry in list) you have retrieved from a previous call and passing this number plus 1 as “startid”
  • Do NOT consistently use a high “take” number or flood the API. We will automatically throttle your account
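
The incremental offload described in the bullets above, as an added example that is not part of the original documentation. It assumes the key is sent in a header named `apikey`; `BASE_URL` is a placeholder, the function names are hypothetical, and the sample events are constructed.

```python
import json
import urllib.parse
import urllib.request

# Placeholder prefix: the data-center URLs are not given in the text above.
BASE_URL = "https://API-PREFIX.example"
MAX_TAKE = 10000  # documented maximum for "take"


def http_get_events(params, apikey, base_url=BASE_URL):
    """Live transport. Assumption: the key is sent in an 'apikey' header."""
    url = f"{base_url}/events?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"apikey": apikey})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def offload_new_events(get_page, checkpoint, take=50, code=None, max_pages=100):
    """Return (events, new_checkpoint) for all events with id > checkpoint."""
    if not 1 <= take <= MAX_TAKE:
        raise ValueError("take must be between 1 and 10000")
    events = []
    for _ in range(max_pages):  # hard stop so a bug cannot flood the API
        params = {"startid": checkpoint + 1, "take": take}
        if code is not None:
            params["code"] = code
        page = get_page(params)  # ascending by id (the API default)
        # Ignore ids at or below the checkpoint so a replay never duplicates.
        fresh = [e for e in page if e["id"] > checkpoint]
        if not fresh:
            break
        events.extend(fresh)
        checkpoint = max(e["id"] for e in fresh)
        if len(page) < take:  # short page: nothing left to fetch
            break
    return events, checkpoint


# Constructed stand-in for the server; ids and codes are made up.
SAMPLE = [{"id": i, "eventCode": 40 if i % 2 else 92} for i in range(101, 108)]


def fake_get_page(params):
    rows = [e for e in SAMPLE if e["id"] >= params["startid"]]
    if "code" in params:
        rows = [e for e in rows if e["eventCode"] == params["code"]]
    return rows[: params["take"]]
```

Persist the returned checkpoint only after the events have been written to your own store, so a failed run is retried from the same id. For live use, pass `lambda p: http_get_events(p, apikey)` as `get_page`.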


| Name | Description | Type |
|---|---|---|
| id | The unique ID of this entry. This ID can be used to query updated information on this entry by appending it to the url to request this resource only | int |
| eventCode | The event code to uniquely identify this type of event; see list further down. The code can be used as filter. | int |
| eventLevel | The severity level; 0 = Informational, 1 = Warning, 2 = Alert | int |
| eventText | Description of the event | string |
| eventTime | Time of the event | datetime |
| eventTimeUTC | Event time in Coordinated Universal Time (UTC). Will default to eventTime if not available. | datetime |
| computerName | The computer name of the event | string |
| userAccount | The user’s account name | int |
| userName | The full name of the user | int |
| alertAccount | A secondary account. For example the account added to the local administrators account by the “userAccount” user | int |
| auditLogURL | URL to the auditlog entry (if any) | int |
| rollback | Indicating if the event was rolled back. An example is a user adding a user to the local administrators group that was rolled back | bit |
| additionalData | Additional data can for example be the version of the Admin By Request install/uninstall event or the tampered registry key | string |
| application.file | The file name of the application (if any) | string |
| application.path | The file path of the application | string |
| application.name | The name of the application (description property of file) | string |
| application.vendor | The vendor of the application | string |
| application.version | The version of the file | string |
| application.sha256 | The checksum of the file | string |

Event Codes

1 User added to local admins group
2 User downgraded from administrator to user
3 Group removed from local administrators group
5 Audited administrator logged on
6 Unaudited administrator logged on
8 Support assist initiated
10 Password changed for local user
11 Local user disabled
12 Local user enabled
13 Local user created
14 Local user deleted
20 Policy registry key changed
21 Policy registry key added
30 Uninstall attempted
31 Uninstalled by PIN code
32 PIN code uninstall attempted unsuccessfully
40 Admin By Request Workstation installed
41 Admin By Request Workstation uninstalled
42 Admin By Request Server installed
43 Admin By Request Server uninstalled
50 Diagnostics submitted
60 User restored to local administrators group
61 Group restored to local administrators group
70 Break Glass Account created
71 Break Glass Account removed
72 Break Glass Account logged on
73 Clock tampering using Break Glass account
80 Azure Device Administrator restored
81 Azure Company Administrator restored
90 Admin Session denied by policy
91 Clock tampering during Admin Session
92 Execution of file blocked by policy
93 Execution of file blocked due to detected malware
94 Execution of file blocked due to suspected malware
95 Admin Session PIN code used
97 Application block PIN code used
98 Elevated application block PIN code used
100 Application block PIN 2 issued
101 Uninstall PIN issued
102 Break Glass Account issued
103 Admin Session PIN 2 issued
110 Local administrator account revoke issued
111 Local administrator group revoke issued
112 Local administrator account revoke cancelled
113 Local administrator group revoke cancelled
114 Local administrator account restore issued
115 Local administrator group restore issued
116 Local administrator account restore cancelled
117 Local administrator group restore cancelled
120 Device owner set
121 Device ownership released
122 Device owner set by administrator
123 Admin Session denied by lack of ownership
124 Execution of file blocked by lack of ownership
130 Admin Session denied by lack of Intune compliance
131 Execution of file blocked by lack of Intune compliance
140 Remote desktop account revoke issued
141 Remote desktop group revoke issued
142 Remote desktop account revoke cancelled
143 Remote desktop group revoke cancelled
144 Remote desktop account restore issued
145 Remote desktop group restore issued
146 Remote desktop account restore cancelled
147 Remote desktop group restore cancelled
150 User removed from remote desktop users
151 Group removed from remote desktop users
152 User restored to remote desktop users
153 Group restored to remote desktop users
160 Local administrator account addition issued
161 Local administrator group addition issued
162 Local administrator account addition cancelled
163 Local administrator group addition cancelled
170 Remote desktop account addition issued
171 Remote desktop group addition issued
172 Remote desktop account addition cancelled
173 Remote desktop group addition cancelled
180 Rotating admin account created
181 Rotating admin account removed
182 Rotating admin account logged on

Example successful request

[
  {
    "id": 49287606,
    "eventCode": 40,
    "eventLevel": 0,
    "eventText": "Admin By Request Workstation installed",
    "eventTime": "2022-01-23T15:49:20.597",
    "eventTimeUTC": "2022-01-23T15:49:20.597",
    "computerName": "FTWIN11",
    "userAccount": null,
    "userName": null,
    "alertAccount": null,
    "auditLogURL": null,
    "rollback": false,
    "additionalData": "7.3.0",
    "application": {
      "file": null,
      "path": null,
      "name": null,
      "vendor": null,
      "version": null,
      "sha256": null
    }
  },
  {
    "id": 53820480,
    "eventCode": 92,
    "eventLevel": 0,
    "eventText": "Execution of file blocked by policy",
    "eventTime": "2022-01-27T12:16:38.817",
    "eventTimeUTC": "2022-01-27T12:16:38.817",
    "computerName": "FTWIN11",
    "userAccount": "TEST",
    "userName": "FastTrack Support",
    "alertAccount": null,
    "auditLogURL": null,
    "rollback": false,
    "additionalData": null,
    "application": {
      "file": "msedge.exe",
      "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application",
      "name": "Microsoft Edge",
      "vendor": "Microsoft Corporation",
      "version": "msedge.exe",
      "sha256": "3BC499B8B30FE66A91FABC2FF5AE6E6A9452C116AEDCAC7DBC5AEEEAEED2EB9C"
    }
  },
  {
    "id": 53821158,
    "eventCode": 5,
    "eventLevel": 0,
    "eventText": "Audited administrator logged on",
    "eventTime": "2022-01-27T12:30:13.357",
    "eventTimeUTC": "2022-01-27T12:30:13.357",
    "computerName": "FTWIN11",
    "userAccount": "ADMINISTRATOR",
    "userName": "Administrator",
    "alertAccount": null,
    "auditLogURL": null,
    "rollback": false,
    "additionalData": null,
    "application": {
      "file": null,
      "path": null,
      "name": null,
      "vendor": null,
      "version": null,
      "sha256": null
    }
  }
]