Audit Show Enable Lost Mode Devices
Query
// Show devices for which the enableLostMode was activated and who initiated that.
IntuneAuditLogs
| where OperationName has "enableLostMode"
| extend User = tostring(todynamic(Properties).Actor.UPN)
| extend DeviceId = tostring(todynamic(Properties).TargetObjectIds[0])
| join kind=leftouter IntuneDevices on DeviceId // DeviceName from IntuneDevices
| distinct TimeGenerated, User, DeviceName
| sort by TimeGenerated descExplanation
This query is pulling data from the IntuneAuditLogs to show which devices have had the "enableLostMode" operation activated. It also shows who initiated this operation. The query then joins this data with the IntuneDevices data to get the device name. The results are unique entries, sorted by the time they were generated, with the most recent entries shown first.
Details

Ugur Koc
Released: July 26, 2022
Tables
IntuneAuditLogsIntuneDevices
Keywords
IntuneAuditLogsOperationNamePropertiesActorUPNDeviceIdTargetObjectIdsIntuneDevicesDeviceNameTimeGeneratedUser
Operators
IntuneAuditLogswherehasextendtostringtodynamicjoinkind=leftouterIntuneDevicesondistinctTimeGeneratedUserDeviceNamesort bydesc.