SOLVED

Defender Streaming API is not removed during offboarding process (and cannot be deleted)

Regular Contributor

Hi everyone,

We were testing out Sentinel but postponed the project, so we went through the Sentinel offboarding process, where the documentation states that these connectors are removed automatically (Remove Microsoft Sentinel | Microsoft Docs):

  • Microsoft services security alerts: Microsoft Defender for Identity, Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) including Cloud Discovery Shadow IT reporting, Azure AD Identity Protection, Microsoft Defender for Endpoint, security alerts from Microsoft Defender for Cloud (formerly Azure Defender)

But the Streaming API still exists AND cannot be deleted.

We already deleted the RGs related to our Sentinel installation.

How do we get rid of it? We also cannot uncheck the types, as it does not allow us to save. I am a global admin.

As I already have a long ongoing support case, I hope someone here can help me out.

BR

Stephan

2 Replies
best response confirmed by StephanGee (Regular Contributor)
Solution

Hi @StephanGee,

This export setting can be removed via API by sending a delete call to https://api.security.microsoft.com/api/dataexportsettings/<export setting name>. The export setting name should be the full name starting with SentinelExportSettings, for example: https://api.security.microsoft.com/api/dataexportsettings/SentinelExportSettings-sentinel-test

The easiest method to perform this is with the API explorer in the Microsoft 365 Defender portal (under Endpoints -> Partners and APIs -> API explorer), but you can use any method of calling an API (cURL, Postman, etc.).

Following this and assuming you get a 200 status code returned, you can confirm in the portal that the setting has been deleted. You'll need to have the appropriate RBAC permissions to call this API.
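
The delete call described in the answer above, as an added Python example that is not part of the original reply and is not Microsoft's own code. It assumes an access token was obtained separately, is held in a `DEFENDER_TOKEN` environment variable (a hypothetical name) and is sent as a bearer token; the function names are illustrative.

```python
"""Delete a leftover Sentinel export setting from Microsoft 365 Defender."""
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and name prefix are the ones given in the answer above.
BASE_URL = "https://api.security.microsoft.com/api/dataexportsettings/"
REQUIRED_PREFIX = "SentinelExportSettings"


def build_delete_request(setting_name, token):
    """Return a DELETE request for one export setting, refusing unexpected names."""
    name = setting_name.strip()
    if not name.startswith(REQUIRED_PREFIX):
        raise ValueError(f"name must start with {REQUIRED_PREFIX!r}: {name!r}")
    if any(ch in name for ch in "/?#"):
        raise ValueError(f"unexpected character in setting name: {name!r}")
    if not token:
        raise ValueError("empty access token")
    url = BASE_URL + urllib.parse.quote(name, safe="")
    return urllib.request.Request(
        url,
        method="DELETE",
        # Assumption: the API accepts an OAuth bearer token in this header.
        headers={"Authorization": f"Bearer {token}"},
    )


def delete_export_setting(setting_name, token, opener=urllib.request.urlopen):
    """Send the DELETE and return the HTTP status code (200 means deleted)."""
    request = build_delete_request(setting_name, token)
    try:
        with opener(request, timeout=30) as response:
            return response.status
    except urllib.error.HTTPError as err:
        # 401/403 usually point at a missing token or RBAC permission.
        return err.code


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: delete_export_setting.py SentinelExportSettings-<name>")
    # Assumption: DEFENDER_TOKEN holds a token obtained separately.
    status = delete_export_setting(sys.argv[1], os.environ.get("DEFENDER_TOKEN", ""))
    print(f"HTTP {status}")
    sys.exit(0 if status == 200 else 1)
```

The prefix check keeps a mistyped name from targeting an export setting other than the one Sentinel left behind.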