Raw Logs Download (Sentinel)

Copper Contributor

Hi Team,

Is there any way I can download the raw log from Sentinel? I am investigating alert from Sentinel default template "Brute force attack against Azure Portal" which has basically my name but I want to see how the alert got generated. I know the threshold is "5" by default but if I can see the logs too then I will be sure that this is how it happened. Still learning Sentinel so any help would be appreciated 🙂 

5 Replies

@msef280 If you run a query in Logs you can then export the results to a CSV file or for use in PowerBI. Hope that helps

Agree with Gary. Trust the tool. 🙂 However, I have a PowerShell script that will download specific tables, if you want to do it that way... https://github.com/rod-trent/SentinelPS
Thanks a lot guys for the reply 🙂 So what I am trying to see all 5 events of this alert which I am unable to see. It does tell me that 5 failures happened that's why the alert got created but I am not able to see those 5 events. (see screenshot attached)
hope this KQL helps you

let StartTime=ago(24h);
let StopTime=now();
TableName
|where TimeGenerated >StartTime and TimeGenerated <=StopTime
|where user=="username"
|project pack_all()