Insight Agent - data collected

Hello everyone, i’m looking at this page How the Insight Agent Works | Insight Agent Documentation but I want more details about event codes, process, etc that are collected from the agent installed on the machines. In the web page you could see the list at high level, I need more deeper details. Anyone could help me?

Hi @valentina_ceoletta

these are the event codes the agent pulls

Notably on endpoints we pull 7045,1102, 4624, 4625, 4648, 4720

and on DCs we pull 1102, 4624, 4625, 4648, 4704, 4720, 4722, 4724, 4725, 4728, 4732, 4738, 4740, 4741, 4756, 4767, 4768, 4769

if the setting is enabled.

Also we pull the Windows Defender codes listed.

We collect all process starts on windows and MacOS and Linux.

1 Like

Optionally you can configure FIM and FAAM

and lastly you can configure the logging.json on endpoints (not available on DCs) to pull all Windows System, Security and Application events



Thank you very much!

Hi Everyone,

i had this same question as i need to collect event id 4732 from server for when a user is added to a local group on the server and not on the DC. is there a way to do so?