Event ID Lookup
Searches for information about Windows Event IDs. Provides details about event purposes, provider, OS version and log format version, as well as available data fields to help incident responders, detection engineers, threat hunters or system administrators get enriched context.
API Endpoint
POST /analysis/lookup
HTTP Headers
- Content-Type: application/json
- X-Cursed-Api-Token: API token for authentication
Request Method
POST
Parameters
Request Body (JSON):
Parameter | Type | Required | Description |
---|---|---|---|
search | string | Yes | Event ID to search for |
module | string | Yes | Must be "event_id" for this endpoint |
filter | array | No | Array of filter criteria objects |
page | integer | No | Page number for pagination (1-10, default: 1) |
show | integer | No | Number of results per page (1-100, default: 10) |
Filter Criteria Schema
{
"field": "string",
"operator": "string",
"value": "string"
}
Supported Filter Operators
Operator | Description |
---|---|
equals | Exact match |
not_equals | Not equal to |
contains | Contains substring |
does_not_contain | Does not contain substring |
starts_with | Starts with substring |
ends_with | Ends with substring |
Request Body Schema
{
"search": "string",
"module": "event_id",
"filter": [
{
"field": "string",
"operator": "string",
"value": "string"
}
],
"page": 1,
"show": 10
}
Response Format
Success Response (200 OK):
{
"columns": ["Event ID","OS Version","Version","Provider","Description Short","Data Fields"],
"rows": [
["1005","Windows11","0","Application Error","Windows cannot access the file %1 for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program %2 because of this error.","FilePath|AppName|StatusCode|MediumType"],
["1000","Windows11","0","Application Error","Faulting application name: %1, version: %2, time stamp: 0x%3","AppName|AppVersion|AppTimeStamp|ModuleName|ModuleVersion|ModuleTimeStamp|ExceptionCode|FaultingOffset|ProcessId|ProcessCreationTime|AppPath|ModulePath|IntegratorReportId|PackageFullName|PackageRelativeAppId"],
["1120","Windows10|Windows11","0","Intel-iaLPSS2-GPIO2","Controller stopped",""]
]
}
Response Schema
The response contains tabular data where:
- columns: Array of column names describing the data fields
- rows: Array of arrays containing the actual data values, one array per matching event, in the same order as columns
Error Response (400 Bad Request):
Unknown lookup module
Error Response (401 Unauthorized):
Unauthorized
Error Response (422 Unprocessable Entity):
Validation failed
Error Codes
HTTP Status | Description |
---|---|
200 | Success - Results retrieved successfully |
400 | Bad Request - Invalid module name or search parameters |
401 | Unauthorized - Authentication required |
422 | Unprocessable Entity - Validation failed |
500 | Internal Server Error - Server processing error |
Example cURL Commands
Basic Event ID Search
curl -X POST https://api.cursedtools.com/analysis/lookup \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-d '{
"search": "4624",
"module": "event_id",
"page": 1,
"show": 10
}'
Search with Filters
curl -X POST https://api.cursedtools.com/analysis/lookup \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-d '{
"search": "46",
"module": "event_id",
"filter": [
{
"field": "Provider",
"operator": "contains",
"value": "RDP"
},
{
"field": "OS Version",
"operator": "contains",
"value": "Windows11"
}
],
"page": 1,
"show": 25
}'
Search for System Events
curl -X POST https://api.cursedtools.com/analysis/lookup \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-d '{
"search": "",
"module": "event_id",
"filter": [
{
"field": "Description Short",
"operator": "contains",
"value": "System"
}
],
"page": 1,
"show": 50
}'
Example Response
{
"columns": [
"Event ID",
"OS Version",
"Version",
"Provider",
"Description Short",
"Data Fields"
],
"rows": [
["1005","Windows11","0","Application Error","Windows cannot access the file %1 for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program %2 because of this error.","FilePath|AppName|StatusCode|MediumType"],
["1000","Windows11","0","Application Error","Faulting application name: %1, version: %2, time stamp: 0x%3","AppName|AppVersion|AppTimeStamp|ModuleName|ModuleVersion|ModuleTimeStamp|ExceptionCode|FaultingOffset|ProcessId|ProcessCreationTime|AppPath|ModulePath|IntegratorReportId|PackageFullName|PackageRelativeAppId"],
["1120","Windows10|Windows11","0","Intel-iaLPSS2-GPIO2","Controller stopped",""], ...
]
}
Notes
- Authentication is optional but affects rate limiting
- Search supports keywords and partial matches across all fields
- Results include both standard Windows events and Sysmon events
- Pagination helps manage large result sets
- Filters can be combined for more precise searches
- Event descriptions provide context for log analysis
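The request and response handling described above, as an added example that is not part of the API's own documentation or client code: it validates a request body against the documented page/show ranges and filter operators, then turns the columns/rows response table into records, splitting the pipe-delimited "OS Version" and "Data Fields" values. The sample response is constructed from the documented example (with the Data Fields list shortened); no network call is made.

```python
import json

# Constraints and field names are taken from the endpoint documentation above.
OPERATORS = {"equals", "not_equals", "contains", "does_not_contain",
             "starts_with", "ends_with"}
PIPE_LIST_FIELDS = {"OS Version", "Data Fields"}  # pipe-delimited in responses

def build_lookup_request(search, filters=None, page=1, show=10):
    """Build and validate the JSON body for POST /analysis/lookup (event_id)."""
    if not 1 <= page <= 10:
        raise ValueError("page must be between 1 and 10")
    if not 1 <= show <= 100:
        raise ValueError("show must be between 1 and 100")
    for f in filters or []:
        if set(f) != {"field", "operator", "value"}:
            raise ValueError("each filter needs exactly field/operator/value")
        if f["operator"] not in OPERATORS:
            raise ValueError(f"unsupported operator: {f['operator']!r}")
    body = {"search": search, "module": "event_id", "page": page, "show": show}
    if filters:
        body["filter"] = list(filters)
    return body

def parse_lookup_response(raw):
    """Turn the columns/rows table into dicts, splitting pipe-delimited lists."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    cols = data["columns"]
    records = []
    for row in data["rows"]:
        if len(row) != len(cols):  # a column/row mismatch would mislabel fields
            raise ValueError(f"row has {len(row)} values, expected {len(cols)}")
        rec = dict(zip(cols, row))
        for key in PIPE_LIST_FIELDS & set(cols):
            rec[key] = [v for v in rec[key].split("|") if v]
        records.append(rec)
    return records

# Constructed sample, modelled on the documented response (Data Fields shortened).
SAMPLE_RESPONSE = json.dumps({
    "columns": ["Event ID", "OS Version", "Version", "Provider",
                "Description Short", "Data Fields"],
    "rows": [
        ["1000", "Windows11", "0", "Application Error",
         "Faulting application name: %1, version: %2, time stamp: 0x%3",
         "AppName|AppVersion|AppTimeStamp|ModuleName"],
        ["1120", "Windows10|Windows11", "0", "Intel-iaLPSS2-GPIO2",
         "Controller stopped", ""],
    ],
})
```

Feeding a real response into parse_lookup_response gives one dict per event, so an empty "Data Fields" string (as for event 1120) becomes an empty list rather than a one-element list containing "".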
Sigma Rules Retrieval
Retrieves specific Sigma rules from the community rule set by name. Allows users to fetch one or multiple rules for inspection, customization or context enrichment. This API endpoint is meant only to be supplemental: it performs lookups for matching rules when the user wants to see more context on top of the rule metadata.
File Name Lookup
Searches for information about native Windows executable files and DLLs. Provides details about file name, path, description, product name, company name and runtime window title if they've been indexed across a variety of Windows OS versions, service packs and editions.