Critical features will break or stop working, if you delete too much in Legacy solutions like SecurityInsights, SQLAdvancedThreatProtection or SQLVulnerabilityAssessment.
Background
Azure Automation and Microsoft Monitoring Agent (MMA) is being retired 31. aug. 2024.
As part of removing these legacy services, you will need to remove legacy solutions inside Azure LogAnalytics like Updates and Change Tracking.
Note: Please don’t remove all Legacy solutions, as some of them are important for Sentinel and Defender for Cloud:
Name | Usage |
SQLAdvancedThreatProtection SQLVulnerabilityAssessment | Used by Microsoft Defender for Cloud for Database Protection |
SecurityInsights | This solution is important showing that the LogAnalytics workspace has been onboarded to Sentinel. If you delete this solution (or have deleted it by mistake), please check the guide below with instructions on how to re-create. |
I deleted SecurityInsights solution and now I cannot use Microsoft Sentinel – how to fix ?
If you have deleted SecurityInsights, you will loose access to the Microsoft Sentinel portal.
You can re-create access by running the following Powershell commands:
install-module Az
import-module Az
install-module Az.SecurityInsights
import-module Az.SecurityInsights
Connect-AzAccount
Set-AzContext -Subscription <subscription-id for sub with LogAnalytics workspace>
Remove-AzSentinelOnboardingState -ResourceGroupName "<rg-name" -workspaceName "<LogAnalytics workspacename>" -Name "default"
New-AzSentinelOnboardingState -ResourceGroupName "<rg-name" -workspaceName "<LogAnalytics workspacename>" -Name "default"
Example
Remove-AzSentinelOnboardingState -ResourceGroupName "rg-logworkspaces" -workspaceName "log-platform-management-srvnetworkcloud-p" -Name "default"
New-AzSentinelOnboardingState -ResourceGroupName "rg-logworkspaces" -workspaceName "log-platform-management-srvnetworkcloud-p" -Name "default"
Now you will have access after approx. 1 min. You will again see all your incidents, connectors, etc.
If your Sentinel was connected to the Universal XDR portal, you will need to connect it again in the security.microsoft.com portal.
After the last New-AzSentinelOnboardingState command, I get the error
New-AzSentinelOnboardingState : The gateway did not receive a response from ‘Microsoft.SecurityInsights’ within the specified time period.
Ideas how to fix this?
Same person here. It seems something was wrong on Microsoft’s end as creating brand new Sentinel workspace had exactly same error. Next day, the problem was gone and last “New-AzSentinelOnboardingState” command executed succesfully and old Sentinel workspace was up and running again.
Thanks for this guide!
Great to hear that 🙂