| title | description | author | ms.topic | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|
Remove Microsoft Sentinel | Microsoft Docs |
How to delete your Microsoft Sentinel instance. |
yelevin |
conceptual |
11/09/2021 |
yelevin |
ignite-fall-2021 |
[!INCLUDE Banner for top of topics]
If you no longer want to use Microsoft Sentinel, this article explains how to remove it from your workspace.
Follow this process to remove Microsoft Sentinel from your workspace:
-
From the Microsoft Sentinel navigation menu, under Configuration, select Settings.
-
In the Settings pane, select the Settings tab.
-
Locate and expand the Remove Microsoft Sentinel expander (at the bottom of the list of expanders).
:::image type="content" source="media/offboard/locate-remove-sentinel.png" alt-text="Screenshot to find the setting to remove Microsoft Sentinel from your workspace.":::
-
Read the Know before you go... section and the rest of this document carefully, making sure that you understand the implications of removing Microsoft Sentinel, and that you take all the necessary actions before proceeding.
-
Before you remove Microsoft Sentinel, please mark the relevant checkboxes to let us know why you're removing it. Enter any additional details in the space provided, and indicate whether you want Microsoft to email you in response to your feedback.
-
Select Remove Microsoft Sentinel from your workspace.
:::image type="content" source="media/offboard/remove-sentinel-reasons.png" alt-text="Screenshot to remove the Microsoft Sentinel solution from your workspace and specify reasons.":::
When you remove the solution, Microsoft Sentinel takes up to 48 hours to complete the first phase of the deletion process.
After the disconnection is identified, the offboarding process begins.
The configuration of these connectors is removed:
-
Office 365
-
AWS
-
Microsoft services security alerts: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) including Cloud Discovery Shadow IT reporting, Azure AD Identity Protection, Microsoft Defender for Endpoint, security alerts from Microsoft Defender for Cloud (formerly Azure Defender)
-
Threat Intelligence
-
Common security logs (including CEF-based logs, Barracuda, and Syslog) (If you get security alerts from Microsoft Defender for Cloud, these logs will continue to be collected.)
-
Windows Security Events (If you get security alerts from Microsoft Defender for Cloud, these logs will continue to be collected.)
Within the first 48 hours, the data and analytics rules (including real-time automation configuration) will no longer be accessible or queryable in Microsoft Sentinel.
After 30 days these resources are removed:
-
Incidents (including investigation metadata)
-
Analytics rules
-
Bookmarks
Your playbooks, saved workbooks, saved hunting queries, and notebooks are not removed. Some may break due to the removed data. You can remove those manually.
After you remove the service, there is a grace period of 30 days during which you can re-enable the solution. Your data and analytics rules will be restored, but the configured connectors that were disconnected must be reconnected.
Note
If you remove the solution, your subscription will continue to be registered with the Microsoft Sentinel resource provider. You can remove it manually.
In this document, you learned how to remove the Microsoft Sentinel service. If you change your mind and want to install it again:
- Get started on-boarding Microsoft Sentinel.