  • simon0685

Microsoft Endpoint Manager tenant attach - CMPivot

Updated: Mar 23, 2021

So I have been playing around with the Microsoft Endpoint Manager tenant attach configuration without co-management of client collections. It's pretty cool, but other than Defender policies I didn't think there was really much going on that I could make use of... until I started deploying ASR (Attack Surface Reduction) policies.


So I am working with a setup where, from home, it is far easier to use the Microsoft 365 Endpoint Manager than to log into the on-premise SCCM server, but I need to monitor the client Defender logs for audit and block events while I fine-tune the ASR policies. (No, there is no event log forwarding for me either!)


CMPivot to the rescue: using the query below, you can grab all the audit (Event ID 1122) events you need remotely and even export them to Excel if that's what floats your boat.


WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d) | where ID == 1122


If you want the blocks, then just change the "| where ID == 1122" to "| where ID == 1121".
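Once the 1121/1122 results are exported, a small script can tally them per device and per ASR rule, which shows which audited rules are noisy before they are switched to block. This is an added example, not part of the original post; the column names (Device, ID, Message), the "ID: <rule GUID>" message wording and the sample rows are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of an exported CMPivot result. The column names (Device, ID,
# Message) and the "ID: <rule GUID>" message wording are assumptions; adjust them
# to match your own export.
SAMPLE_EXPORT = r"""Device,ID,Message
PC-001,1122,"Audited operation. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Path: C:\Windows\System32\cmd.exe"
PC-001,1122,"Audited operation. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Path: C:\Windows\System32\cmd.exe"
PC-002,1122,"Audited operation. ID: d4f940ab-401b-4efc-aadc-ad5f3c50688a Path: C:\Windows\System32\wscript.exe"
PC-002,1121,"Blocked operation. ID: 3B576869-A4EC-4529-8536-B80A7769E899 Path: C:\Users\Public\a.exe"
PC-003,1116,"Unrelated Defender event"
PC-003,1122,"Audited operation with no rule field"
"""

GUID_RE = re.compile(r"\bID:\s*\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")
MODES = {"1121": "block", "1122": "audit"}  # event IDs from the post


def summarize(csv_text):
    """Count ASR events per (device, mode, rule GUID); other event IDs are skipped."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        mode = MODES.get((row.get("ID") or "").strip())
        if mode is None:
            continue
        match = GUID_RE.search(row.get("Message") or "")
        # Keep rows whose rule GUID cannot be extracted so they are not silently lost.
        rule = match.group(1).upper() if match else "UNPARSED"
        counts[((row.get("Device") or "").strip(), mode, rule)] += 1
    return counts


def rule_totals(counts, mode):
    """Per rule: (total events, number of distinct devices) for one mode."""
    seen = {}
    for (device, event_mode, rule), n in counts.items():
        if event_mode == mode:
            events, devices = seen.get(rule, (0, set()))
            seen[rule] = (events + n, devices | {device})
    return {rule: (events, len(devices)) for rule, (events, devices) in seen.items()}


if __name__ == "__main__":
    for rule, (events, devices) in sorted(rule_totals(summarize(SAMPLE_EXPORT), "audit").items()):
        print(f"{rule}: {events} audit events on {devices} device(s)")
```
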


This is a really handy way to get all kinds of info from your SCCM-managed devices. It's not as feature-rich as CMPivot in the SCCM console, but worth checking out...


If you haven't looked into Tenant attach then I recommend you read this article from Microsoft and get going!



