deviceTRUST Product Events
deviceTRUST delivers information about its runtime behavior to the Windows Event Log for easy integration into existing Security Information and Event Management (SIEM) and reporting solutions. This information includes detailed properties of the remote device at user logon and reconnect, as well as every property that changes while the user session is active.
Application Channel
The APPLICATION channel refers to the system Windows Event Log under WINDOWS LOGS\APPLICATION. The following events are included:
Event ID | Name | Type | Data Format Name | Description |
---|---|---|---|---|
1311 | Event Info | Information | Event | A custom event was created by the Audit Event task with its level set to Information. |
1312 | Event Warning | Warning | Event | A custom event was created by the Audit Event task with its level set to Warning. |
1313 | Event Error | Error | Event | A custom event was created by the Audit Event task with its level set to Error. |
deviceTRUST/Admin Channel
The ADMIN channel can be found within the Windows Event Log under APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN, or queried programmatically using the deviceTRUST/Admin channel. The following events are included:
Event ID | Name | Type | Data Format Name | Description |
---|---|---|---|---|
1 | Service Started | Information | Service Status | The deviceTRUST Host Service has started. |
2 | Service Stopped | Information | Service Status | The deviceTRUST Host Service has stopped. |
3 | Policy Loaded | Information | Policy Loaded | The deviceTRUST Host Service loaded new policies. |
4 | Policy Load Failed | Error | Policy Load Failed | The deviceTRUST Host Service attempted to load new policies but an error occurred. |
11 | License Validated | Information | License | The license has been read, is valid, and is not yet expired, or within the expiry threshold (30 days). The license is read on service startup, and any time a new license is deployed by Group Policy. |
12 | Hard License Expires Soon | Warning | License | The license is a hard license, is valid, but it expires within the expiry threshold (30 days). Since the license is a hard license, the software will stop functioning once the expiry date is reached. |
13 | Soft License Expires Soon | Warning | License | The license is a soft license, is valid, but it expires within the expiry threshold (30 days). Since the license is a soft license, the software will continue to function after the expiry date is reached. |
14 | Soft License Expired | Error | License | The license is a soft license, is valid, but has expired. Since the license is a soft license, the software will continue to function. |
15 | Hard License Expired | Error | License | The license is a hard license, is valid, but has expired. Since the license is a hard license, the software will not function. |
16 | License Invalid | Error | License Invalid | The license does not exist or contains invalid data. |
17 | Unmanaged User Logon | Information | Unmanaged User Logon | An unmanaged user logged on. |
101 | Logon | Information | Connection | A user successfully logged onto a new session. |
102 | Reconnect | Information | Connection | A user successfully reconnected to an existing session. |
103 | Logoff | Information | Session | A user which previously successfully logged onto a session was logged off. |
104 | Disconnect | Information | Session | A user which previously successfully logged onto a session was disconnected from that session. |
105 | Property Changed | Information | Property Changed | One or more properties of the host or remote connected device were added, removed or changed. |
106 | Context Changed | Information | Context Changed | One or more context values changed. |
111 | Untrusted Device Blocked | Warning | Untrusted Device Blocked | A user attempted to log on or reconnect to an existing session, but the deviceTRUST Client failed to provide properties of the remote connected device, and the policy determines that this information is required. |
112 | Trusted Device Blocked | Warning | Trusted Device | A trusted device, i.e. a device with the deviceTRUST Client installed, was blocked from access due to not meeting version or encryption minimum requirements. |
113 | Trusted Device Auto Update Succeeded | Information | Trusted Device Auto Update | A trusted device was successfully auto-updated. |
114 | Trusted Device Auto Update Failed | Error | Trusted Device Auto Update Failed | A trusted device failed to auto-update. |
201 | Custom Process Executed | Information | Custom Process | A custom process was executed. |
202 | Custom Process Succeeded | Information | Custom Process Complete | A custom process finished executing and the process did not report an error. |
203 | Custom Process Failed | Error | Custom Process Complete | A custom process finished executing, but the process either timed out or reported an error. |
301 | Access Allowed | Information | Access Allowed | Access to the shell was allowed after a Deny Access task was reverted. |
302 | Access Denied | Warning | User Message | Access to the shell was denied by a Deny Access task. |
303 | Access Failed | Error | Access Failed | A request to change access to the shell failed. |
304 | Logon Aborted | Warning | Logon Aborted | The logon process was aborted. |
311 | Event Info | Information | Event | A custom event was created by the Audit Event task with its level set to Information. |
312 | Event Warning | Warning | Event | A custom event was created by the Audit Event task with its level set to Warning. |
313 | Event Error | Error | Event | A custom event was created by the Audit Event task with its level set to Error. |
321 | AppLocker Rule | Information | AppLocker Rule | The Microsoft AppLocker task generated a new rule. |
322 | AppLocker Rule Failed | Error | AppLocker Rule Failed | The Microsoft AppLocker task failed to generate a new rule. |
323 | AppLocker Policy | Information | AppLocker Policy | The Microsoft AppLocker Policy was generated following a change to the Microsoft AppLocker Policy Settings or a call to dtcmd APPLOCKER. |
324 | AppLocker Policy Failed | Error | AppLocker Policy | An attempt to generate the Microsoft AppLocker Policy resulted in one or more errors. |
325 | AppLocker PowerShell Allowed | Information | AppLocker PowerShell | A PowerShell Script or Cmdlet was allowed to execute. |
326 | AppLocker PowerShell Prevented | Error | AppLocker PowerShell | A PowerShell Script or Cmdlet was prevented from executing. |
331 | Application Terminated | Information | Application Terminated | An application was terminated because a user failed to close an application discovered by the Terminate App task. |
332 | Application Shutdown | Information | Application Shutdown | A user was asked to shut down an application discovered by the Terminate App task. |
341 | Popup Shown | Information | Popup Shown | A popup message was shown to the user. |
342 | Popup Failed | Error | Popup Failed | An attempt to display a popup message to the user failed. |
351 | Registry Updated | Information | Registry Updated | The registry was updated. |
352 | Registry Warning | Warning | Registry Warning | A warning was generated while updating the registry. |
353 | Registry Failed | Error | Registry Failed | An attempt to update the registry failed. |
361 | Printer Mapped | Information | Printer Operation | Printers were successfully mapped. |
362 | Printer Map Failed | Error | Printer Operation Failed | An attempt to map printers failed. |
363 | Printer Unmapped | Information | Printer Operation | Printers were successfully unmapped. |
364 | Printer Unmap Failed | Error | Printer Operation Failed | An attempt to unmap printers failed. |
365 | Printer Set Default | Information | Printer Operation | A printer was set as default. |
366 | Printer Set Default Failed | Error | Printer Operation Failed | An attempt to set a default printer failed. |
367 | Printer Map Warning | Warning | Printer Operation Failed | A warning was generated when attempting to map a printer. |
368 | Printer Set Default Warning | Warning | Printer Operation Failed | A warning was generated when attempting to set a default printer. |
371 | App Masking Update | Information | App Masking Update | A Microsoft FSLogix App Masking update was successfully applied. |
372 | App Masking Update Failed | Error | App Masking Update Failed | A Microsoft FSLogix App Masking update failed. |
381 | Send Mail Succeeded | Information | Send Mail Succeeded | A send mail task succeeded. |
382 | Send Mail Failed | Error | Send Mail Failed | A send mail task failed. |
391 | Web Request Succeeded | Information | Web Request Succeeded | A web request task succeeded. |
392 | Web Request Failed | Error | Web Request Failed | A web request task failed. |
401 | Windows Firewall Succeeded | Information | Windows Firewall | The Windows Firewall task succeeded in creating a rule. |
402 | Windows Firewall Failed | Error | Windows Firewall Failed | The Windows Firewall task failed to create a rule. |
411 | Drive Map | Information | Drive Operation | A network drive was mapped. |
412 | Drive Map Warning | Warning | Drive Operation Failed | A network drive failed to map, but the failover drive was successfully mapped. |
413 | Drive Map Failed | Error | Drive Operation Failed | A network drive and any failover drives failed to map. |
414 | Drive Unmap | Information | Drive Operation | A network drive was unmapped. |
415 | Drive Unmap Failed | Error | Drive Operation Failed | A network drive failed to unmap. |
421 | Shortcut Creation Succeeded | Information | Shortcut Operation | A shortcut was successfully created. |
422 | Shortcut Creation Failed | Error | Shortcut Operation Failed | A shortcut failed to be created. |
423 | Shortcut Deletion Succeeded | Information | Shortcut Operation | A shortcut was successfully deleted. |
424 | Shortcut Deletion Failed | Error | Shortcut Operation Failed | A shortcut failed to be deleted. |
The above events report the following event data, listed format by format; the index is each field's position within its data format:
Field Name (Index) | Format | Description |
---|---|---|
Name (1) | TEXT | The name of the service, e.g. deviceTRUST Host Service. |
CustomerId (1) | GUID | An identifier that uniquely identifies the customer. |
LicenseId (2) | GUID | An identifier that uniquely identifies the license. |
IssueDate (3) | SYSTEMTIME | The date that the license was issued. |
ExpiryDate (4) | SYSTEMTIME | The date that the license expires. |
Type (5) | TEXT | The type of license, e.g. Subscription. |
Quantity (6) | INT | The quantity of units that can consume a license. |
Unit (7) | TEXT | The unit of license, e.g. User. |
Days (8) | INT | The number of days remaining on the license. |
Message (1) | TEXT | A description of the reason why the license is invalid. |
LogonId (1) | GUID | An identifier representing the user logon. |
LogonTime (2) | SYSTEMTIME | The time that the user logged onto the session. |
SessionId (3) | INT | The session id that the user is connected to. |
UserName (4) | TEXT | The name of the user logged into the session. |
UserDomain (5) | TEXT | The domain of the user logged into the session. |
UserSID (6) | TEXT | The security identifier of the user logged into the session. |
Name (1) | TEXT | The name of the service, e.g. deviceTRUST Host Service. |
Policies (2) | TEXT | A list of the policies that were loaded and the timestamp that each policy was saved. |
Error (3) | TEXT | A description of the error that occurred. |
LogonId (1) | GUID | Uniquely identifies events from the same logon session. By filtering on this field, all events related to a single logon session can be determined. |
LogonTime (2) | SYSTEMTIME | The time that the user logged onto the session. |
ConnectedId (3) | GUID | Uniquely identifies events from the same connection. Unlike the LogonId, the value of this field changes every time a new connection is established to an existing session. |
ConnectedTime (4) | SYSTEMTIME | The time that the user logged on, or reconnected, to the session. |
SessionId (5) | INT | The session id that the user is connected to. |
UserName (6) | TEXT | The name of the user logged into the session. |
UserDomain (7) | TEXT | The domain of the user logged into the session. |
UserSID (8) | TEXT | The security identifier of the user logged into the session. |
DeviceId (9) | TEXT | Uniquely identifies the remote connected device. All activity originating from the same device can be queried by filtering on this field. This field is blank for local console sessions. |
DeviceName (10) | TEXT | The name of the remote connected device. This field is blank for local console sessions. |
DeviceOS (11) | TEXT | The operating system of the remote connected device. This field is blank for local console sessions, and if the deviceTRUST Client did not provide details of the operating system. |
Properties (12) | TEXT | A textual representation of all properties, including host and device properties. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
Contexts (13) | TEXT | A textual representation of all contexts. The contexts are formatted with the name and value separated by an equals symbol (=), and multiple contexts separated by a newline (\n) character. E.g. CONTEXT1=VALUE1\nCONTEXT2=VALUE2\n |
Errors (14) | TEXT | A description of any errors that occurred whilst obtaining properties. |
Timings (15) | TEXT | Lists the five deviceTRUST Host and Client property providers that took the longest to return, in milliseconds. |
Duration (16) | INT | The number of milliseconds it took for all deviceTRUST property providers to return. |
AddedProperties (9) | TEXT | A textual representation of all properties that were added. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
RemovedProperties (10) | TEXT | A textual representation of all properties that were removed. The properties are formatted with the name of each property, with multiple properties separated by a newline (\n) character. E.g. PROPERTY1\nPROPERTY2\n |
ChangedProperties (11) | TEXT | A textual representation of all properties that were changed. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
PreviousProperties (12) | TEXT | A textual representation of the previous value of all properties that were changed or removed. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
ClientName (9) | TEXT | The Operating System reported name of the connecting device. |
ClientName (9) | TEXT | The deviceTRUST Client reported name of the connected device. |
ClientVersion (10) | TEXT | The version number of the deviceTRUST Client on the remote device. |
MinimumVersion (11) | TEXT | The minimum version of the deviceTRUST Client as defined by policy. |
Encrypted (12) | BOOLEAN | Set to true when application level encryption was used in addition to the encryption offered by the underlying protocol. |
AutoUpdateUrls (13) | TEXT | The auto-update URLs that were used to upgrade the deviceTRUST Client. |
ErrorMessage (14) | TEXT | An error message reported by the upgrade of the deviceTRUST Client. |
TriggerName (9) | TEXT | The name of the trigger that launched the custom process, e.g. Logon or Reconnect. |
TriggerTime (10) | TIME | The time that the custom process was executed. |
TriggeredBy (11) | TEXT | The properties that resulted in the execution of the custom process. |
ActionName (12) | TEXT | The name of the action where the Custom Process task is located. |
SequenceIndex (13) | TEXT | The zero based index of the sequence within the action where the Custom Process task is located. |
TaskName (14) | TEXT | The name of the Custom Process task. |
CommandLine (15) | TEXT | The command line that was executed. |
RunAs (16) | TEXT | Either 'USER' or 'SYSTEM', depending upon the configuration of the trigger that was executed. |
Identity (17) | TEXT | The user name of the custom process. |
Pid (18) | INT | The Process ID of the custom process. |
Location (19) | TEXT | Determines whether the custom process was executed on the host or client. |
Duration (20) | INT | The time taken for the custom process to complete, in milliseconds. |
Output (21) | TEXT | The output messages returned by the custom process. |
Error (22) | TEXT | The error messages returned by the custom process. |
Title (9) | TEXT | A message title displayed to the user. |
Message (10) | TEXT | The message displayed to the user. |
Timeout (11) | INT | The timeout period that the message is displayed to the user. |
Message (9) | TEXT | The message reported by a call to dtcmd.exe ACCESS. |
Reason (9) | TEXT | The reason that a call to dtcmd.exe ACCESS failed. |
Message (10) | TEXT | The message supplied to a call to dtcmd.exe ACCESS that would have been displayed to the user if the call had succeeded. |
Timeout (11) | INT | The timeout period that the user would have had before being disconnected from the session, if the call to dtcmd.exe ACCESS had succeeded. |
Message (9) | TEXT | A user supplied message from a call to dtcmd.exe EVENT. |
Report (10) | INT | Set to 1 when the report fields have been populated, or 0 otherwise. |
ReportTrigger (11) | TEXT | The trigger that resulted in the task being executed, such as Logon or ContextChanged. |
ReportAction (12) | TEXT | The name of the action that generated the event. |
ReportDeviceName (13) | TEXT | The name of the remote device that the user was connecting from. |
ReportDeviceOSName (14) | TEXT | The OS name of the remote device that the user was connecting from. |
ReportDeviceOSType (15) | TEXT | The OS type, such as Client or Server, of the remote device that the user was connecting from. |
ReportClientVersion (16) | TEXT | The version of the deviceTRUST Client that was used to establish the remote device information. |
ReportContexts (17) | TEXT | The name and value of all contexts. |
ReportProperties (18) | TEXT | The name and value of all properties. |
Name (9) | TEXT | The name of the rule. |
Operation (10) | TEXT | The operation of the AppLocker rule, either Allow, Deny or Delete. |
Target (11) | TEXT | The target of the AppLocker rule, either Executable, Dll, Installer, Script or Package. |
Duration (12) | INT | The time taken for the AppLocker rule to become effective. |
Rule (13) | TEXT | The AppLocker XML fragment that defines the rule. |
Name (9) | TEXT | The name of the rule. |
Operation (10) | TEXT | The operation of the AppLocker rule, either Allow, Deny or Delete. |
Target (11) | TEXT | The target of the AppLocker rule, either Executable, Dll, Installer, Script or Package. |
Duration (12) | INT | The time taken for the AppLocker rule to become effective. |
Message (13) | TEXT | A message explaining why the rule failed to apply. |
Event (1) | TEXT | The event that triggered the regeneration of policy, either 'Policy Change' or 'External Process'. |
Message (2) | TEXT | A description of the changes that were made. |
Duration (3) | INT | The time taken for the AppLocker Policy to be generated, in milliseconds. |
ImageName (9) | TEXT | The full path of the process that attempted to run the script or cmdlet. |
Pid (10) | INT | The process identifier of the process that attempted to run the script or cmdlet. |
Type (11) | INT | Set to 0 whenever PowerShell was running a cmdlet, or 1 when running a script. |
Script (12) | TEXT | The full path to the script that attempted to execute. |
Title (9) | TEXT | The title displayed to the user following a call to dtcmd.exe APPTERMINATE. |
Message (10) | TEXT | The message displayed to the user following a call to dtcmd.exe APPTERMINATE. |
Applications (11) | TEXT | A comma separated list of all processes, and their PIDs, that were terminated. |
Termination Time (12) | DATE/TIME | The time that the applications will be terminated. |
Title (9) | TEXT | The popup title. |
Message (10) | TEXT | The popup message. |
Timeout (11) | INT | The timeout in seconds to display the popup. |
Reason (9) | TEXT | The reason that the popup failed to show. |
Title (10) | TEXT | The popup title. |
Message (11) | TEXT | The popup message. |
Timeout (12) | INT | The timeout in seconds to display the popup. |
Values (9) | TEXT | The registry values. |
Persist (10) | TEXT | How to persist the registry values. |
Protect (11) | BOOLEAN | Whether the registry key is protected. |
Warnings (12) | TEXT | The warning messages generated by the update. |
Source (9) | TEXT | The source of the registry update. |
Reason (10) | TEXT | The reason the registry update failed. |
Printer (9) | TEXT | The path to the printers. |
Reason (10) | TEXT | The reason that the printer operation failed. |
Path (9) | TEXT | The path to the Microsoft FSLogix App Masking Rule Assignment file. |
Operation (10) | TEXT | The type of operation. |
Entry (11) | TEXT | The entry to apply to the file. |
Error (12) | TEXT | The reason that the Microsoft FSLogix App Masking update failed. |
Host Name (9) | TEXT | The host name of the SMTP server. |
Recipients (10) | TEXT | A list of the recipients of the mail message. |
Subject (11) | TEXT | The subject of the mail message. |
Status Code (12) | INT | The status code reported by the SMTP server representing the success of the mail message. |
Duration (13) | INT | The time in milliseconds taken to send the mail message. |
Message Id (14) | TEXT | Uniquely identifies the sent mail message. |
Error (14) | TEXT | An error message representing the problem that occurred. |
Response (15) | TEXT | The response from the SMTP server. |
Method (9) | TEXT | The method used in the web request. |
URL (10) | TEXT | The URL that the web request was sent to. |
Status Code (11) | INT | The status code reported by the web server. |
Duration (12) | INT | The time in milliseconds taken to perform the web request. |
Request Id (13) | INT | Uniquely identifies the web request. |
Error (14) | TEXT | An error message representing the problem that occurred. |
Response (15) | TEXT | The response from the web server. |
Action (9) | TEXT | Whether the firewall rule was an Allow or a Deny. |
RuleName (10) | TEXT | The name of the rule created. |
Error (11) | TEXT | A description of the error that occurred. |
Drive (9) | TEXT | The drive that was mapped or unmapped. |
Error (10) | TEXT | A description of the error that occurred. |
Shortcut Name (9) | TEXT | The name of the shortcut. |
Shortcut Directories (10) | TEXT | A list of directories in which the shortcut should be created. |
Target Path (11) | TEXT | The path where the target file exists. |
Target Args (12) | TEXT | Any arguments to supply to the shortcut target. |
Error (13) | TEXT | A description of the error that occurred. |
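The following PowerShell script is an added example of consuming the Admin channel for detection purposes; it is not deviceTRUST's own tooling. It reads the channel with Get-WinEvent, indexes each Logon (101) and Reconnect (102) event by its LogonId, parses the documented NAME=VALUE\n layout of the Properties field, and then joins the blocking events (111, 112, 302, 326) back to the connection that produced them. Two things are assumed rather than stated on this page: that the "(Index)" numbers in the field table map onto $event.Properties in order (documented index 1 is $event.Properties[0]), and that the task-specific formats whose fields start at index 9 share fields 1 to 8 with the Session format. Event 304 (Logon Aborted) has no field list on this page and is therefore left out.

```powershell
# Added example, not deviceTRUST's own code.
# Assumptions (not stated on the page):
#  - documented field index N maps to $event.Properties[N-1];
#  - formats whose fields start at index 9 share fields 1-8 with the Session
#    format (LogonId, LogonTime, ConnectedId, ConnectedTime, SessionId,
#    UserName, UserDomain, UserSID).

$LogName = 'deviceTRUST/Admin'

# Admin-channel event IDs a defender normally alerts on, with their documented names.
$AlertNames = @{
    111 = 'Untrusted Device Blocked'
    112 = 'Trusted Device Blocked'
    302 = 'Access Denied'
    326 = 'AppLocker PowerShell Prevented'
}

function ConvertFrom-DtPropertyText {
    # Parses the documented NAME=VALUE\n layout of the Properties and Contexts
    # fields into a hashtable. Lines without an '=' are ignored.
    param([string]$Text)
    $result = @{}
    if ([string]::IsNullOrEmpty($Text)) { return $result }
    foreach ($line in ($Text -split "`n")) {
        if ($line -match '^([^=]+)=(.*)$') { $result[$Matches[1]] = $Matches[2] }
    }
    return $result
}

function Get-DtField {
    # Reads event data by its documented 1-based index; returns $null when the
    # event carries fewer fields than expected instead of throwing.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [int]$Index)
    if ($Index -ge 1 -and $Event.Properties.Count -ge $Index) {
        return $Event.Properties[$Index - 1].Value
    }
    return $null
}

# 1. Index every Logon (101) and Reconnect (102) by LogonId. These carry the
#    Connection format: device identity plus the complete property set.
$connections = @{}
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 101, 102 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $logonId = Get-DtField $_ 1
        if ($null -eq $logonId) { return }          # skip records without a LogonId
        $connections["$logonId"] = [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f (Get-DtField $_ 7), (Get-DtField $_ 6)
            SessionId  = Get-DtField $_ 5
            DeviceId   = Get-DtField $_ 9
            DeviceName = Get-DtField $_ 10
            DeviceOS   = Get-DtField $_ 11
            Properties = ConvertFrom-DtPropertyText (Get-DtField $_ 12)
            Errors     = Get-DtField $_ 14
        }
    }

# 2. Pull the blocking events and join each back to its connection via LogonId,
#    so an alert shows who was blocked, from which device, and why.
$alerts = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = @($AlertNames.Keys) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $logonId = Get-DtField $_ 1
        $conn = $null
        if ($null -ne $logonId) { $conn = $connections["$logonId"] }
        $user = if ($conn) { $conn.User } else { '{0}\{1}' -f (Get-DtField $_ 7), (Get-DtField $_ 6) }
        $device = if ($conn) { $conn.DeviceName } else { $null }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Name    = $AlertNames[[int]$_.Id]
            LogonId = $logonId
            User    = $user
            Device  = $device
            # Index 9 is ClientName for 111/112, Title for 302, ImageName for 326.
            Detail  = Get-DtField $_ 9
        }
    }

$alerts | Sort-Object Time | Format-Table -AutoSize
```

Keying the lookup on LogonId rather than ConnectedId is deliberate: the page notes that ConnectedId changes on every reconnect while LogonId stays constant for the life of the session, so a block raised on a reconnect still joins to the original logon. Forwarding the resulting objects to a SIEM is then a matter of piping `$alerts` to ConvertTo-Json or the collector of your choice.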
deviceTRUST/Usage Channel
The USAGE channel can be found within the Windows Event Log under APPLICATION AND SERVICE LOGS\DEVICETRUST\USAGE, or queried programmatically using the deviceTRUST/Usage channel. The following event is included.
Event ID | Name | Type | Data Format Name | Description |
---|---|---|---|---|
21 | Usage | Information | Usage | Raised when a license unit, e.g. a User, logs into the host for the first time within a calendar month. |
The above event reports the following event data:
Field Name (Index) | Format | Description |
---|---|---|
TrackingId (1) | TEXT | Uniquely identifies the license unit, e.g. the User, that logged in. For a user, this is a Base64 encoded SHA256 hash of the user's security identifier. |
TrackingName (2) | TEXT | The name of the license unit that logged in, e.g. the user name. |
TrackingUnit (3) | TEXT | The unit of license, e.g. User. |