Documentation

Public API > Events API.

Documentation Menu

Events API

This page explains how to get your events data extracted. Note that the example array of events further down shows only a few entries. You can use query parameters to filter your search.

Resources

Headers

Filters

Filters can be supplied either as URL parameters or headers.

Example filtered url to get 10 install events (code 40): https://dc1api.adminbyrequest.com/events?startid=4050334&take=10&code=40
Pagination works by using the last id in the list and feeding it as startid in the next query
To copy new data to your own system, we recommend to store the highest id (last entry in list) you have retrieved from a previous call and pass this number plus 1 as “startid”
Please DO NOT consistently use a high “take” number or flood the api. We will automatically throttle your account

Fields

Event Codes

Code

Description

User added to local admins group

User downgraded from administrator to user

Group removed from local adminstrators group

Audited administrator logged on

Unaudited administrator logged on

Support assist initiated

Password changed for local user

Local user disabled

Local user enabled

Local user created

Local user deleted

Policy registry key changed

Policy registry key added

Uninstall attempted

Uninstalled by PIN code

PIN code uninstall attempted unsuccessfully

Admin By Request Workstation installed

Admin By Request Workstation uninstalled

Admin By Request Server installed

Admin By Request Server uninstalled

Diagnostics submitted

User restored to local administrators group

Group restored to local administrators group

Break Glass Account created

Break Glass Account removed

Break Glass Account logged on

Clock tampering using Break Glass account

Azure Device Administrator restored

Azure Company Administrator restored

Admin Session denied by policy

Clock tampering during Admin Session

Execution of file blocked by policy

Execution of file blocked due to detected malware

Execution of file blocked due to suspected malware

Admin Session PIN code used

Application block PIN code used

Elevated application block PIN code used

100

Application block PIN 2 issued

101

Uninstall PIN issued

102

Break Glass Account issued

103

Admin Session PIN 2 issued

110

Local administrator account revoke issued

111

Local administrator group revoke issued

112

Local administrator account revoke cancelled

113

Local administrator group revoke cancelled

114

Local administrator account restore issued

115

Local administrator group restore issued

116

Local administrator account restore cancelled

117

Local administrator group restore cancelled

120

Device owner set

121

Device ownership released

122

Device owner set by administrator

123

Admin Session denied by lack of ownership

124

Execution of file blocked by lack of ownership

130

Admin Session denied by lack of Intune compliance

131

Execution of file blocked by lack of Intune compliance

140

Remote desktop account revoke issued

141

Remote desktop group revoke issued

142

Remote desktop account revoke cancelled

143

Remote desktop group revoke cancelled

144

Remote desktop account restore issued

145

Remote desktop group restore issued

146

Remote desktop account restore cancelled

147

Remote desktop group restore cancelled

150

User removed from remote desktop users

151

Group removed from remote desktop users

152

User restored to remote desktop users

153

Group restored to remote desktop users

160

Local administrator account addition issued

161

Local administrator group addition issued

162

Local administrator account addition cancelled

163

Local administrator group addition cancelled

170

Remote desktop account addition issued

171

Remote desktop group addition issued

172

Remote desktop account addition cancelled

173

Remote desktop group addition cancelled

180

Rotating admin account created

181

Rotating admin account removed

182

Rotating admin account logged on

Example of Successful Request

				
					[
    {
        "id": 49287606,
        "eventCode": 40,
        "eventLevel": 0,
        "eventText": "Admin By Request Workstation installed",
        "eventTime": "2022-01-23T15:49:20.597",
        "eventTimeUTC": "2022-01-23T15:49:20.597",
        "computerName": "FTWIN11",
        "userAccount": null,
        "userName": null,
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": "7.3.0",
        "application": {
            "file": null,
            "path": null,
            "name": null,
            "vendor": null,
            "version": null,
            "sha256": null
        }
    },
    {
        "id": 53820480,
        "eventCode": 92,
        "eventLevel": 0,
        "eventText": "Execution of file blocked by policy",
        "eventTime": "2022-01-27T12:16:38.817",
        "eventTimeUTC": "2022-01-27T12:16:38.817",
        "computerName": "FTWIN11",
        "userAccount": "TEST",
        "userName": "FastTrack Support",
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": null,
        "application": {
            "file": "msedge.exe",
            "path": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application",
            "name": "Microsoft Edge",
            "vendor": "Microsoft Corporation",
            "version": "msedge.exe",
            "sha256": "3BC499B8B30FE66A91FABC2FF5AE6E6A9452C116AEDCAC7DBC5AEEEAEED2EB9C"
        }
    },
    {
        "id": 53821158,
        "eventCode": 5,
        "eventLevel": 0,
        "eventText": "Audited administrator logged on",
        "eventTime": "2022-01-27T12:30:13.357",
        "eventTimeUTC": "2022-01-27T12:30:13.357",
        "computerName": "FTWIN11",
        "userAccount": "ADMINISTRATOR",
        "userName": "Administrator",
        "alertAccount": null,
        "auditLogURL": null,
        "rollback": false,
        "additionalData": null,
        "application": {
            "file": null,
            "path": null,
            "name": null,
            "vendor": null,
            "version": null,
            "sha256": null
        }
    }
]

Trackside Talk with Kevin Magnussen – Leaving Haas

Hi, Kevin Magnussen. Happy to be back into racing after the summer break? “Absolutely! I love racing, but I also appreciate the few breaks I get between races. With 24 Grands Prix from March to December, all around the world, sometimes three weekends in a row, it’s obviously difficult...

Secure Remote Access: The Future of Remote Work

As the world continues to embrace digital transformation, remote work has very quickly become the new norm. This shift has brought flexibility and convenience, enabling organizations to tap into global talent pools and offer employees the freedom to work from anywhere (which we love, of course). However, with this...

Security

Productivity

Compliance

Security

Productivity

Compliance

Security

Productivity

Compliance

Security

Productivity

Compliance

Security

Productivity

Compliance

Security

Productivity

Compliance

Documentation

Documentation Menu

Events API

Resources

Headers

Filters

Fields

Event Codes

Code

Description

Example of Successful Request

Latest Blogs

Trackside Talk with Kevin Magnussen – Leaving Haas

Secure Remote Access: The Future of Remote Work

Streamlining Privileged Access Management on macOS

Get the Free Plan

All core features, unlimited term, no strings attached.

Product

Resources

Company

Support

© 2024 ADMIN BY REQUEST

Book a Demo