Deleting Microsoft Sentinel but keep the ingested data

In this post I'm sharing a tip about how you can remove the Azure Sentinel service, but keep your ingested data in Log Analytics so you can actually keep working with the data for reports and auditing reasons.

Tobias Zimmergren
Tobias Zimmergren
💡TIP: Check out the guidance for building sustainable Azure workloads! 🌿

Someone asked me the other day about deleting Microsoft Sentinel from their subscription, because as of November 1 2019, billing will start for this service since it hit GA. They had ingested quite a lot of data that wouldn't be ideal to pay for since it's part of a large-scale test of the service reliability. They want to keep the data since they use it to fine-tune other systems and integrations too, before deciding on a go-live.

Take caution when you make any modifications to services you have running in production. With that in mind, please read the entire post including the summary before you actually delete anything.

Disconnecting the connected solutions from Microsoft Sentinel

Since the requirement is about keeping the ingested data, but to remove the integration between Microsoft Sentinel and the LAW (Log Analytics Workspace), we don't want to actually delete everything - just disconnect them to avoid the cost.

Let's keep this short. Here's how you can disconnect Microsoft Sentinel from your LAW.

First, head on over to your Microsoft Sentinel service and then click "Workspace settings"

Microsoft Sentinel workspace overview.

From this view, select "Solutions".

Listed on this page are all the connected solutions. Depending on how many connectors and data sources you have, this will look different for you. You can select what you want to disconnect from your Microsoft Sentinel by removing the appropriate solutions from the list.

Click the solution you want to remove.

Showing Microsoft Sentinel Solutions page with the connected SecurityInsights solution

Now, ensure that this is really the solution that you really want to remove. I emphasize this as it's likely not a good idea to disconnect something that you would like to keep. Be sure you're doing the right thing, then continue by clicking "Delete".

Microsoft Sentinel SecurityInsights solution, and where to remove it from the Azure Portal.

Query the data from your Log Analytics Workspace

The data remains because we just removed the solution that connects Microsoft Sentinel to the Azure Log Analytics workspace. Looking at the workspace and making a query, we see that all the data still remains. Great.

Querying Azure Log Analytics workspace after Microsoft Sentinel has been disconnected.

Summary

This was a simple tip for how to disconnect your ingested data from the Microsoft Sentinel service in your directory. I hope it can help someone benefit from the experience.

I also recommend that you run a couple of dry-runs in your separate test and staging subscriptions before you make changes to workloads and services that have a lot of data. Because you do have those environments to test things out, right? :)

Read more about Microsoft Sentinel:

AzureSecurityLog AnalyticsAzure Sentinel

Tobias Zimmergren Twitter

Hi, I'm Tobias! 👋 I write about Microsoft Azure, security, cybersecurity, compliance, cloud architecture, Microsoft 365, and general tech!

Reactions and mentions


Hi, I'm Tobias 👋

Tobias Zimmergren profile picture

Find out more about me.

Recent comments

Mastodon