Forum Discussion
msef280
May 20, 2021 (Copper Contributor)
Raw Logs Download (Sentinel)
Hi Team,
Is there any way I can download the raw logs from Sentinel? I am investigating an alert from the Sentinel default template "Brute force attack against Azure Portal" which basically has my name in it, but I want to see how the alert got generated. I know the threshold is "5" by default, but if I can see the logs too then I will be sure that this is how it happened. Still learning Sentinel, so any help would be appreciated 🙂
- AnalystHOK (Copper Contributor): Hope this KQL helps you.

// Bound the search to a time window (here the last 24 hours).
let StartTime = ago(24h);
let StopTime = now();
// TableName and the user column/value are placeholders: use the table the alert's rule queries
// (SigninLogs for a sign-in alert) and the real user column and account name.
TableName
| where TimeGenerated > StartTime and TimeGenerated <= StopTime
| where user == "username"
// pack_all() folds every column of each row into one dynamic object, so the full raw record is shown.
| project pack_all()

- msef280 (Copper Contributor): Thanks a lot guys for the reply 🙂 So what I am trying to see is all 5 events of this alert, which I am unable to see. It does tell me that 5 failures happened, and that's why the alert got created, but I am not able to see those 5 events. (see screenshot attached)
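As an added example for the question above (not posted by anyone in this thread and not the rule template's own query): a KQL query against SigninLogs that lists the individual failed Azure Portal sign-ins for one account around the alert time, which is the raw material a threshold rule like this one counts. The account name, the alert timestamp, the 20-minute window and treating only ResultType "0" as a success are assumptions to adjust; the rule's actual logic is visible when you open the rule from the Analytics blade.

```kusto
// Added example, not from this thread. Assumed values: the account, the alert time and the window.
let TargetUser = "first.last@contoso.com";      // assumed: use the account shown on the incident
let AlertTime = datetime(2021-05-20T10:00:00Z); // assumed: use the alert's timestamp
let Window = 20m;                               // assumed: match the window the rule itself uses
SigninLogs
| where TimeGenerated between ((AlertTime - Window) .. (AlertTime + Window))
| where AppDisplayName has "Azure Portal"
| where UserPrincipalName =~ TargetUser
// Assumed success code: only ResultType "0"; everything else is treated as a failure.
| extend Outcome = iff(ResultType == "0", "Success", "Failure")
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Outcome, ResultType, ResultDescription, ClientAppUsed, UserAgent
| order by TimeGenerated asc
// To reproduce the alert's count instead of listing the rows, replace the two lines above with:
// | summarize FailureCount = countif(Outcome == "Failure"), SuccessCount = countif(Outcome == "Success") by bin(TimeGenerated, Window), UserPrincipalName, IPAddress
// | where FailureCount >= 5
```

Run it in the Logs blade; if the listed failures do not add up to the count on the incident, widen the window or compare the ResultType values against the success codes the rule's own query excludes, since sign-in result codes other than "0" (for example interrupted MFA flows) can be classified differently by the rule.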
- msef280 (Copper Contributor)
- GaryBushey (Bronze Contributor): msef280, if you run a query in Logs you can then export the results to a CSV file or for use in Power BI. Hope that helps.
- Rod_Trent (Microsoft): Agree with Gary. Trust the tool. 🙂 However, I have a PowerShell script that will download specific tables, if you want to do it that way... https://github.com/rod-trent/SentinelPS