Deleting Microsoft Sentinel but keep the ingested data
In this post I'm sharing a tip about how you can remove the Azure Sentinel service, but keep your ingested data in Log Analytics so you can actually keep working with the data for reports and auditing reasons.
Someone asked me the other day about deleting Microsoft Sentinel from their subscription, because as of November 1 2019, billing will start for this service since it hit GA. They had ingested quite a lot of data that wouldn't be ideal to pay for since it's part of a large-scale test of the service reliability. They want to keep the data since they use it to fine-tune other systems and integrations too, before deciding on a go-live.
Take caution when you make any modifications to services you have running in production. With that in mind, please read the entire post including the summary before you actually delete anything.
Disconnecting the connected solutions from Microsoft Sentinel
Since the requirement is about keeping the ingested data, but to remove the integration between Microsoft Sentinel and the LAW (Log Analytics Workspace), we don't want to actually delete everything - just disconnect them to avoid the cost.
Let's keep this short. Here's how you can disconnect Microsoft Sentinel from your LAW.
First, head on over to your Microsoft Sentinel service and then click "Workspace settings"
From this view, select "Solutions".
Listed on this page are all the connected solutions. Depending on how many connectors and data sources you have, this will look different for you. You can select what you want to disconnect from your Microsoft Sentinel by removing the appropriate solutions from the list.
Click the solution you want to remove.
Now, ensure that this is really the solution that you really want to remove. I emphasize this as it's likely not a good idea to disconnect something that you would like to keep. Be sure you're doing the right thing, then continue by clicking "Delete".
Query the data from your Log Analytics Workspace
The data remains because we just removed the solution that connects Microsoft Sentinel to the Azure Log Analytics workspace. Looking at the workspace and making a query, we see that all the data still remains. Great.
This was a simple tip for how to disconnect your ingested data from the Microsoft Sentinel service in your directory. I hope it can help someone benefit from the experience.
I also recommend that you run a couple of dry-runs in your separate test and staging subscriptions before you make changes to workloads and services that have a lot of data. Because you do have those environments to test things out, right? :)
Read more about Microsoft Sentinel: