Microsoft Sentinel | Data connector won't disconnect

Andreas Bjelven 130 Reputation points
2024-01-30T08:05:09.4866667+00:00

Hi,

I've currently got these data connectors:
User's image

I want to disconnect the following:
User's image

When i open the connector page on Defender for Endpoint etc, everything is disabled, see below:
User's image

The same with Defender XDR:
User's image

The same with Threat Intelligence Upload Indicators API:
User's image All the data connectors above haven't ingested data since january 25th, and I can't delete the connectors because they are still connected... Is there something I'm missing?

// Andreas Bjelvén

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
977 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2024-01-31T10:50:52.2066667+00:00

    @Andreas Bjelven

    Thank you for posting your query on Microsoft Q&A. From above description I could understand that you have configured Defender for Endpoint and Microsoft Defender XDR data connectors in Microsoft Sentinel but have not seen any new events generated since 25th Jan nor you are able to delete the connector.

    Please do correct me if this is not the ask by responding in the comments section.

    When I open the connector page on Defender for Endpoint etc, everything is disabled, I want to disconnect.

    When you enable the Microsoft Defender XDR connector, all of the Microsoft Defender XDR components’ connectors (the ones mentioned at the beginning of this article) are automatically connected in the background. In order to disconnect one of the components’ connectors, you must first disconnect the Microsoft Defender XDR connector.

    Kindly try disconnecting XDR connector first and then other M365 defender connector "disconnect" option will be active.:

    User's image

    The same with Threat Intelligence Upload Indicators API:

    For Threat Intelligence Upload Indicators API you may click on "Delete" option at top left and it will get disconnected

    • User's image

    All the data connectors above haven't ingested data since January 25th.

    This could be validated from the source itself, for example for Microsoft Defender for Endpoint and XDR, kindly validate:

    • If any configured events in connector are generated in Microsoft defender portal:

    User's image

    • If alerts are generated validate if your Sentinel workspace is showing up with chosen event types in Microsoft Defender XDR settings:

    User's image

    ***Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik