How to disconnect Azure Sentinel data connectors?

RAHUL MP 20 Reputation points
2024-06-28T16:23:07.86+00:00

In Sentinel I cant able to find an option to disconnect the data connectors . And there are no documents available for the same. So what are the methods to disconnect a data connector inside sentinel for both native and non native products. When I checked I understood that we can either disconnect the connector by stopping the logs from source or by deleting the DCR associated with that data connector. Is this the only way or do we have any other methods.

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,057 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marcin Policht 18,005 Reputation points MVP
    2024-06-28T16:47:10.6666667+00:00

    While this would be data connector-specific, in general, this is unfortunately not straightforward. For more, refer to https://techcommunity.microsoft.com/t5/microsoft-sentinel/re-how-to-disconnect-a-data-connector/m-p/3884388


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2024-07-01T12:36:09.0266667+00:00

    @RAHUL MP

    Thank for posting your query on Microsoft Q&A, from above description I could understand that you are looking for guidance on removing a data connector from Sentinel.

    Please do correct me if this is not the ask by responding in the comments section.

    For Microsoft services data connectors:

    To delete the connector, please follow the below steps.

    • Open sentinel portal >
    • Click on Data connectors blade at the left > Search for "Microsoft Entra ID" data connector
    • Click on the three dots at the right and delete it.

    It will take some time for the connector to show as disconnected. (We can’t give an actual ETA for it) But since there are no logs ingested, there wouldn’t be any impact on your environment. (There won’t be any extra charges incurred). 

    It will take a maximum of 14 days without logs for the connector to get disconnected. https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based#instructions-1

    For Third party services:

    The connector disconnection steps would be same until it's an API solution. You must connect with the third-party support to stop the logs ingestion and get it disconnected.

    Once done the threshold would be same to get it deleted.

    If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer", This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

    0 comments No comments