How do I disconnect data connectors in Sentinel?

Khalid Alkazak 10 Reputation points
2024-08-23T19:14:08.1733333+00:00

I'm trying to remove data connectors from the Microsoft Sentinel tab. The data connectors that are giving me issues are ones that are still "ingesting" data, but there is no data collector rule attached to them. They are being collected through syslog/CEF via AMA data connectors, but the older data connectors are still showing ingestion through their graph, which is keeping their status as connected. When trying to delete the data connector, it gives me a popup that I cannot delete the DC without disconnecting it. When opening the data connector's page, there is no option to disconnect anywhere. What is the process to remove these legacy and unused data connectors?

I cannot just stop ingesting firewall logs until there are none seen anymore in the table, so what are my alternatives?


2 answers

  1. Andrew Blumhardt 9,861 Reputation points Microsoft Employee
    2024-08-27T12:14:55.2466667+00:00

    Please provide a list of connectors that you are seeking to remove. Know that you can remove Sentinel from the workspace completely in settings if needed, though this will not cut off external sources. You can use a KQL query to the related tables to see if data is flowing and that can often reveal the source. There are data connectors that share the same tables. The data connectors are often not the source of the data, just a visual confirmation. It can be difficult for a connector to verify that a source has been disconnected when the data keeps flowing from another source. It is not uncommon to see some connectors light up as active even when not in use due to unrelated data sources. These can be ignored; the active connectors simply state that the related tables are still seeing new data.


  2. Khalid Alkazak 10 Reputation points
    2024-08-27T14:54:33.92+00:00

    I have issues with data connectors such as Cisco Identity Services Engine, CEF via Legacy Agent, Palo Alto Networks, Syslog via Legacy Agent. Removing the entire Sentinel workbook is not an option and I'm already aware that the data connectors act as a visual representation of data ingesting. Why is it that a visual representation is so difficult to remove? When trying to delete the data connector, it does not allow me to remove without disconnecting, but there is no option for it to be disconnected unless I actually stop ingesting data, which is also unacceptable. Please tell me why the recommendation is to switch over to utilizing ingestion via AMA when the legacy methods are impossible to remove. What is the process?

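The first answer suggests querying the related tables to see whether data is still flowing and where it comes from. The query below is an added example, not part of either post: it assumes the connectors named in this thread write to the standard `CommonSecurityLog` and `Syslog` tables, and that the `Heartbeat` table's `Category` column identifies the agent type on each machine; the 24-hour lookback is an arbitrary choice.

```kusto
// Added example: who is still writing to the tables shared by the legacy and AMA connectors?
// Assumes the standard Log Analytics tables CommonSecurityLog, Syslog and Heartbeat.
let lookback = 24h;
// Agent type(s) heartbeating from each machine, e.g. "Direct Agent" (legacy agent)
// or "Azure Monitor Agent".
let agents = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize AgentTypes = make_set(Category) by Computer;
union
    (CommonSecurityLog
        | where TimeGenerated > ago(lookback)
        | extend SourceTable = "CommonSecurityLog"
        | project TimeGenerated, SourceTable, Computer,
                  Vendor = DeviceVendor, Product = DeviceProduct),
    (Syslog
        | where TimeGenerated > ago(lookback)
        | extend SourceTable = "Syslog"
        | project TimeGenerated, SourceTable, Computer,
                  Vendor = "", Product = ProcessName)
// One row per table, reporting host and vendor/product (or syslog process name).
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by SourceTable, Computer, Vendor, Product
// Left outer join keeps rows whose Computer value has no matching heartbeat.
| join kind=leftouter agents on Computer
| project SourceTable, Computer, Vendor, Product, Events, LastSeen, AgentTypes
| order by SourceTable asc, Events desc
```

An empty `AgentTypes` only means the `Computer` value on those records did not match a machine that sent a heartbeat in the window, so check the forwarder for that source directly.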
