Raw logs data in sentinel


I have been exploring Sentinel for quite some time now but I'm unable to figure out how to see the raw logs coming out from different sources. We can see them on different SIEM solutions like QRadar/Splunk.

To explain better: I wanna see what logs have come in from a specific machine in the last 1 hour.

1 Reply

@yaniys04 I do not believe the raw logs coming via Syslog or CEF are stored anywhere.  You can write your queries to be able to see the information coming from individual machines as long as that information is being passed in.
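One way to write the kind of query the reply refers to, as an added example that is not part of either post: a KQL query you can run in the Sentinel Logs blade that pulls the last hour of Syslog and CEF (CommonSecurityLog) records for one host and surfaces the message text each table keeps. The hostname `myhost01` is a placeholder.

```kql
// Added example, not from the original thread: everything Sentinel ingested
// from one host in the last hour, across the Syslog and CEF tables.
// 'myhost01' is a placeholder; replace it with the machine you are looking at.
let target = "myhost01";
union isfuzzy=true            // isfuzzy=true tolerates a table that does not exist in this workspace
    (Syslog
        | where TimeGenerated > ago(1h)
        | where Computer =~ target or HostName =~ target
        | project TimeGenerated,
                  Source = "Syslog",
                  Host = Computer,
                  Facility,
                  Severity = SeverityLevel,
                  Process = ProcessName,
                  Raw = SyslogMessage),
    (CommonSecurityLog
        | where TimeGenerated > ago(1h)
        | where Computer =~ target or DeviceName =~ target
        | project TimeGenerated,
                  Source = "CEF",
                  Host = Computer,
                  Facility = DeviceVendor,
                  Severity = LogSeverity,
                  Process = DeviceProduct,
                  Raw = Message)
| order by TimeGenerated desc
```

If you are not sure which table a source lands in, `search in (Syslog, CommonSecurityLog) "myhost01" | where TimeGenerated > ago(1h)` finds the rows first, and the `Source` column in the query above then tells you where each record came from.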