SOLVED

View 'Audit Only' results


Hi,

Maybe I'm missing something, but does anyone know how to view the 'Audit Only' logs for Intune? I've it set up for Win 10 End Point Protection > Microsoft Defender Exploit Guard > Process creation from Office communication products (beta).

I've enabled Intune to use Log Analytics, but can't see how to query this or where to start from.

Thanks.

2 Replies
Best Response confirmed by sp-jmglade (Occasional Contributor)
Solution
securitycenter.microsoft.com (if you have an MDATP subscription); otherwise they are stored in the local event logs of each machine. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/event-vie...

Agree with Joe. If you use Log Analytics, you need to install the agent on the PCs and then you can query the info you need.

Moe
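
For the "local event logs of each machine" route in the accepted reply, here is an added example (not posted by anyone in this thread) that reads attack surface reduction audit hits, event ID 1122, from the `Microsoft-Windows-Windows Defender/Operational` log and counts them per rule and process. The function name is hypothetical, the sample event is constructed, and the `EventData` field names `ID`, `Path` and `Process Name` are assumptions to confirm against the XML view of a real event.

```powershell
# Added example, not from the thread. ASR rules in audit mode log event ID 1122
# (block mode logs 1121) to the Defender operational channel.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

function ConvertFrom-AsrEventXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    # Flatten <Data Name="...">value</Data> pairs into a lookup table
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId = [int]$doc.Event.System.EventID
        Time    = $doc.Event.System.TimeCreated.SystemTime
        RuleId  = $fields['ID']            # assumed field name: ASR rule GUID
        Path    = $fields['Path']          # assumed field name
        Process = $fields['Process Name']  # assumed field name
    }
}

# Constructed sample event with placeholder values, to try the parser offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1122</EventID>
    <TimeCreated SystemTime="2020-07-01T09:00:00Z" />
  </System>
  <EventData>
    <Data Name="ID">00000000-0000-0000-0000-000000000000</Data>
    <Data Name="Path">C:\Example\parent.exe</Data>
    <Data Name="Process Name">C:\Example\child.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-AsrEventXml -Xml $sample

# On a managed PC: count audit-mode hits per rule and process.
# SilentlyContinue suppresses the error Get-WinEvent raises when nothing matches.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1122 } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-AsrEventXml -Xml $_.ToXml() } |
    Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```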