Re-onboard LogAnalytics to Sentinel, if SecurityInsights solution is deleted by mistake

Critical features will break or stop working, if you delete too much in Legacy solutions like SecurityInsights, SQLAdvancedThreatProtection or SQLVulnerabilityAssessment.

Background

Azure Automation and Microsoft Monitoring Agent (MMA) is being retired 31. aug. 2024.

As part of removing these legacy services, you will need to remove legacy solutions inside Azure LogAnalytics like Updates and Change Tracking.

Note: Please don’t remove all Legacy solutions, as some of them are important for Sentinel and Defender for Cloud:

NameUsage
SQLAdvancedThreatProtection
SQLVulnerabilityAssessment
Used by Microsoft Defender for Cloud for Database Protection
SecurityInsightsThis solution is important showing that the LogAnalytics workspace has been onboarded to Sentinel.

If you delete this solution (or have deleted it by mistake), please check the guide below with instructions on how to re-create.

I deleted SecurityInsights solution and now I cannot use Microsoft Sentinel – how to fix ?

If you have deleted SecurityInsights, you will loose access to the Microsoft Sentinel portal.

You can re-create access by running the following Powershell commands:

install-module Az
import-module Az

install-module Az.SecurityInsights
import-module Az.SecurityInsights

Connect-AzAccount
Set-AzContext -Subscription <subscription-id for sub with LogAnalytics workspace>

Remove-AzSentinelOnboardingState -ResourceGroupName "<rg-name" -workspaceName "<LogAnalytics workspacename>" -Name "default"
 
New-AzSentinelOnboardingState -ResourceGroupName "<rg-name" -workspaceName "<LogAnalytics workspacename>" -Name "default"
Example
Remove-AzSentinelOnboardingState -ResourceGroupName "rg-logworkspaces" -workspaceName "log-platform-management-srvnetworkcloud-p" -Name "default"
 
New-AzSentinelOnboardingState -ResourceGroupName "rg-logworkspaces" -workspaceName "log-platform-management-srvnetworkcloud-p" -Name "default"

Now you will have access after approx. 1 min. You will again see all your incidents, connectors, etc.

If your Sentinel was connected to the Universal XDR portal, you will need to connect it again in the security.microsoft.com portal.

Leave a Reply