Forum Discussion

msef280
Copper Contributor
May 20, 2021

Raw Logs Download (Sentinel)

Hi Team,

Is there any way I can download the raw logs from Sentinel? I am investigating an alert from the Sentinel default template "Brute force attack against Azure Portal", which basically has my name on it, but I want to see how the alert got generated. I know the threshold is "5" by default, but if I can see the logs too then I will be sure that this is how it happened. Still learning Sentinel, so any help would be appreciated 🙂

  • AnalystHOK
    Copper Contributor
    Hope this KQL helps you.

    // Time window to inspect: the last 24 hours up to now.
    let StartTime = ago(24h);
    let StopTime = now();
    // SigninLogs is the table behind the Azure Portal brute-force rule;
    // swap in another table/column if your rule queries something else.
    SigninLogs
    | where TimeGenerated > StartTime and TimeGenerated <= StopTime
    | where UserPrincipalName == "username"   // the account named in the alert
    // Bundle every column of each row into one dynamic object for raw review.
    | project pack_all()
  • msef280
    Copper Contributor
    Thanks a lot guys for the reply 🙂 So what I am trying to see is all 5 events of this alert, which I am unable to see. It does tell me that 5 failures happened, that's why the alert got created, but I am not able to see those 5 events. (See screenshot attached.)
  • GaryBushey
    Bronze Contributor

    msef280 If you run a query in Logs, you can then export the results to a CSV file or for use in Power BI. Hope that helps.
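As an added example (not posted by anyone in the thread), the query below reproduces the count behind the "Brute force attack against Azure Portal" alert and keeps the raw failed sign-ins that produced it, so they can be reviewed in Logs or exported to CSV as suggested above. It assumes the rule reads SigninLogs, that the account in the alert is the placeholder UPN `user@example.com`, and that the rule's 20-minute aggregation window and threshold of 5 match your deployed rule (check the rule's own query for the exact filters).

```kql
// Added example: reproduce the brute-force count and surface the raw events.
// Assumptions: SigninLogs is the rule's source table, the window is 20m,
// and the threshold is 5 failures per user. Adjust to your rule's query.
let TargetUser = "user@example.com";   // constructed placeholder UPN
let LookBack = 24h;                    // how far back to search
let Window = 20m;                      // assumed aggregation window of the rule
SigninLogs
| where TimeGenerated > ago(LookBack)
| where UserPrincipalName =~ TargetUser
| where AppDisplayName has "Azure Portal"
| where ResultType != "0"              // non-zero ResultType = failed sign-in
| extend Bin = bin(TimeGenerated, Window)
| summarize FailedCount = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated),
            SourceIPs = make_set(IPAddress),
            // keep each raw row that contributed to the count
            Events = make_list(bag_pack("Time", TimeGenerated,
                                        "IP", IPAddress,
                                        "ResultType", ResultType,
                                        "Reason", ResultDescription,
                                        "UserAgent", UserAgent))
    by UserPrincipalName, Bin
| where FailedCount >= 5               // the rule's default threshold
| mv-expand Events                     // one row per failed sign-in, CSV-friendly
| extend EventTime = todatetime(Events.Time),
         EventIP = tostring(Events.IP),
         EventResult = tostring(Events.ResultType),
         EventReason = tostring(Events.Reason)
| project Bin, UserPrincipalName, FailedCount, FirstFailure, LastFailure,
          SourceIPs, EventTime, EventIP, EventResult, EventReason
| order by Bin asc, EventTime asc
```

Run it in Logs with the same time range the alert covers; if no bin reaches 5, the rule's filters or window differ from the assumptions above and should be copied from the rule itself.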
