You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/offboard.md
+15-7Lines changed: 15 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,13 +18,21 @@ If you no longer want to use Microsoft Sentinel, this article explains how to re
18
18
19
19
Follow this process to remove Microsoft Sentinel from your workspace:
20
20
21
-
1.Go to **Microsoft Sentinel**, followed by **Settings**, and select the tab **Remove Microsoft Sentinel**.
21
+
1.From the Microsoft Sentinel navigation menu, under **Configuration**, select **Settings**.
22
22
23
-
1. Before you remove Microsoft Sentinel, please use the checkboxes to let us know why you're removing it.
23
+
1. In the **Settings** pane, select the **Settings** tab.
24
+
25
+
1. Locate and expand the **Remove Microsoft Sentinel** expander (at the bottom of the list of expanders).
26
+
27
+
:::image type="content" source="media/offboard/locate-remove-sentinel.png" alt-text="Screenshot to find the setting to remove Microsoft Sentinel from your workspace.":::
28
+
29
+
1. Read the **Know before you go...** section and the rest of this document carefully, making sure that you understand the implications of removing Microsoft Sentinel, and that you take all the necessary actions before proceeding.
30
+
31
+
1. Before you remove Microsoft Sentinel, please mark the relevant checkboxes to let us know why you're removing it. Enter any additional details in the space provided, and indicate whether you want Microsoft to email you in response to your feedback.
24
32
25
33
1. Select **Remove Microsoft Sentinel from your workspace**.
26
34
27
-
35
+
:::image type="content" source="media/offboard/remove-sentinel-reasons.png" alt-text="Screenshot to remove the Microsoft Sentinel solution from your workspace and specify reasons.":::
28
36
29
37
## What happens behind the scenes?
30
38
@@ -37,27 +45,27 @@ After the disconnection is identified, the offboarding process begins.
37
45
38
46
- AWS
39
47
40
-
- Microsoft services security alerts: Microsoft Defender for Identity (*formerly Azure ATP*), Microsoft Defender for Cloud Apps including Cloud Discovery Shadow IT reporting, Azure AD Identity Protection, Microsoft Defender for Endpoint (*formerly Microsoft Defender ATP*), security alerts from Microsoft Defender for Cloud
48
+
- Microsoft services security alerts: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps (*formerly Microsoft Cloud App Security*) including Cloud Discovery Shadow IT reporting, Azure AD Identity Protection, Microsoft Defender for Endpoint, security alerts from Microsoft Defender for Cloud (*formerly Azure Defender*)
41
49
42
50
- Threat Intelligence
43
51
44
52
- Common security logs (including CEF-based logs, Barracuda, and Syslog) (If you get security alerts from Microsoft Defender for Cloud, these logs will continue to be collected.)
45
53
46
54
- Windows Security Events (If you get security alerts from Microsoft Defender for Cloud, these logs will continue to be collected.)
47
55
48
-
Within the first 48 hours, the data and analytic rules (including real-time automation configuration) will no longer be accessible or queryable in Microsoft Sentinel.
56
+
Within the first 48 hours, the data and analytics rules (including real-time automation configuration) will no longer be accessible or queryable in Microsoft Sentinel.
49
57
50
58
**After 30 days these resources are removed:**
51
59
52
60
- Incidents (including investigation metadata)
53
61
54
-
-Analytic rules
62
+
-Analytics rules
55
63
56
64
- Bookmarks
57
65
58
66
Your playbooks, saved workbooks, saved hunting queries, and notebooks are not removed. **Some may break due to the removed data. You can remove those manually.**
59
67
60
-
After you remove the service, there is a grace period of 30 days during which you can re-enable the solution and your data and analytic rules will be restored but the configured connectors that were disconnected must be reconnected.
68
+
After you remove the service, there is a grace period of 30 days during which you can re-enable the solution. Your data and analytics rules will be restored, but the configured connectors that were disconnected must be reconnected.
61
69
62
70
> [!NOTE]
63
71
> If you remove the solution, your subscription will continue to be registered with the Microsoft Sentinel resource provider. **You can remove it manually.**
0 commit comments