Raw Logs Download (Sentinel)


Hi Team,

Is there any way I can download the raw log from Sentinel? I am investigating an alert from the Sentinel default template "Brute force attack against Azure Portal" which has basically my name, but I want to see how the alert got generated. I know the threshold is "5" by default, but if I can see the logs too then I will be sure that this is how it happened. Still learning Sentinel, so any help would be appreciated :)

4 Replies

@msef280 If you run a query in Logs you can then export the results to a CSV file or for use in PowerBI. Hope that helps

Agree with Gary. Trust the tool. :) However, I have a PowerShell script that will download specific tables, if you want to do it that way... https://github.com/rod-trent/SentinelPS

Thanks a lot guys for the reply :) So what I am trying to see is all 5 events of this alert, which I am unable to see. It does tell me that 5 failures happened, and that's why the alert got created, but I am not able to see those 5 events. (see screenshot attached)
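Gary's suggestion (run a query in Logs, then export the results) applied to the follow-up question about seeing the 5 events, as an added example that is not part of this thread, the SentinelPS script, or Microsoft's rule template. It assumes the Az.Accounts and Az.OperationalInsights modules, a workspace ID you supply, and a KQL approximation of the rule's logic (failed Azure Portal sign-ins, 5 or more per user); the UPN is a constructed placeholder.

```powershell
# Added example, not the SentinelPS script or Microsoft's own rule template.
# Assumes the Az.Accounts and Az.OperationalInsights modules are installed
# and that $WorkspaceId is the Log Analytics workspace behind Sentinel.
# The KQL approximates the "Brute force attack against Azure Portal" logic;
# compare it with the rule as deployed in your workspace and adjust.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [string] $User = 'alice@contoso.example',   # constructed placeholder UPN
    [int]    $Threshold = 5,                    # the default "5" from the alert
    [int]    $LookbackHours = 24,
    [string] $OutFile = '.\portal-signin-failures.csv'
)

Connect-AzAccount | Out-Null

# Step 1 repeats the aggregation the rule performs, so the count is visible.
# Step 2 joins back to the individual SigninLogs rows behind that count.
$query = @"
let lookback = ${LookbackHours}h;
let threshold = $Threshold;
let failures = SigninLogs
  | where TimeGenerated > ago(lookback)
  | where AppDisplayName == "Azure Portal"
  | where ResultType != "0"
  | where UserPrincipalName =~ "$User";
failures
  | summarize FailureCount = count() by UserPrincipalName
  | where FailureCount >= threshold
  | join kind=inner failures on UserPrincipalName
  | project TimeGenerated, UserPrincipalName, IPAddress, ResultType,
            ResultDescription, AppDisplayName, FailureCount
  | order by TimeGenerated asc
"@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
    -Query $query -Timespan (New-TimeSpan -Hours $LookbackHours)

# Results is the row set; an empty set usually means the events fall
# outside the lookback window or the rule's filters differ from this KQL.
$rows = @($response.Results)
if ($rows.Count -eq 0) {
    Write-Host "No rows returned; widen -LookbackHours or check the rule's filters."
} else {
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host "Exported $($rows.Count) raw sign-in events to $OutFile"
}
```

Run it with your workspace ID and the account named in the alert; the CSV then lists each failed sign-in the rule counted, alongside the total it compared against the threshold.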