View 'Audit Only' results

Occasional Contributor



Maybe I'm missing something, but does anyone know how to view the 'Audit Only' logs for InTune? I've it setup for Win 10 End Point Protection > Microsoft Defender Exploit Guard > Process creation from Office communication products (beta).


I've enabled InTune to use Log Analytics, but can't see how to query this or where to start from.



2 Replies
best response confirmed by sp-jmglade (Occasional Contributor)
Solution (if you have an MDATP subscription) otherwise they are stored in the local event logs of each machine.
Agree with Joe, If you use log analytics, you need to install the agent on the PCs and then you can query info you need.