Remove old or orphaned Sentinels from the XDR Streaming API

This blog post is a sleeper. I documented it in 2023 and never got around to publishing it. The post was always too short in my opinion, too niche. But today Jonathan Bourke reached out on Twitter and asked why he was getting this strange error message when trying to connect a new Sentinel workspace to his XDR instance.

Warning
The limit of 5 diagnostic settings was reached.
To create new setting ‘SentinelExportSettings-log-sentinel’, delete an existing one.

/en/remove-orphaned-sentinels-xdr-streaming-api/images/twitterpost.png
Post on Twitter

Exactly the issue I ran into two years ago, and by all means, who does not hate searching for a solution on Google, only to find the exact error message in a forum where somebody writes as the last comment: I found the solution, thanks…

So I finally took the time to document the solution for everybody to find.

Error source

The source of this issue is the limit on the number of Sentinel workspaces that can be connected to XDR and receive streamed data at the same time, i.e. the forwarding of tables from XDR to Sentinel. Each connected workspace consumes one of the five available diagnostic settings.

You will find the overview of all connected Sentinels under Settings → Microsoft 365 Defender → Streaming API.

/en/remove-orphaned-sentinels-xdr-streaming-api/images/StreamingAPI.png
The streaming API

Normally you can just go to one of those Sentinel instances and remove the event forwarding configuration there. But in this case, the Sentinel instance was already long gone, so there was no chance to change anything on that side. And in the Defender portal the option to delete is disabled.

Solution

The solution is as simple as you can imagine. Go to Endpoints → Partners and APIs → API explorer, put https://api.security.microsoft.com/api/dataexportsettings/ in as the URI and run it with the method set to GET. This returns all configured Sentinel export settings as JSON, and you just need to copy the id of the instance you want to remove.

/en/remove-orphaned-sentinels-xdr-streaming-api/images/api-get.png
API explorer to the rescue

You then append the id to the end of the URI and change the method to DELETE. If you now press Run Query, this export configuration is deleted and the orphaned Sentinel instance disappears from the Streaming API overview. Now you can add your new Sentinel instance without any problems.

DELETE
https://api.security.microsoft.com/api/dataexportsettings/SentinelExportSettings-log-c4a8korriban-sentinel-prd-weu
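The same two API calls can be scripted instead of clicked through the API explorer. The following is an added example, not code from the blog post or from Microsoft: it lists the export settings, refuses to delete an id that is not actually in the list (so a typo cannot hit the wrong workspace), and only then issues the DELETE. The endpoint URL is the one from the post; the response shape (a JSON object with a "value" array of objects carrying an "id"), the 200/204 success codes and the bearer-token authentication are assumptions about the API, and the fake sender at the bottom is a constructed offline stand-in so the logic can be exercised without a tenant.

```python
"""List Defender XDR streaming-API export settings and remove an orphaned one.

Added example (not the blog's or Microsoft's code). Assumptions, labelled below:
  - GET on the endpoint returns {"value": [{"id": "..."}, ...]} (a bare JSON
    list is tolerated as well);
  - DELETE <endpoint>/<id> answers 200 or 204 on success;
  - the caller already holds a bearer token for api.security.microsoft.com.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoint from the blog post.
BASE_URL = "https://api.security.microsoft.com/api/dataexportsettings/"

# A sender takes (method, url, token) and returns (http_status, body_text).
Sender = Callable[[str, str, str], Tuple[int, str]]


def http_send(method: str, url: str, token: str) -> Tuple[int, str]:
    """Real transport: one HTTPS request with a bearer token (assumed auth scheme)."""
    req = urllib.request.Request(
        url,
        method=method,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # raises on 4xx/5xx
        return resp.status, resp.read().decode("utf-8")


def list_export_settings(token: str, send: Sender = http_send) -> List[str]:
    """Return the ids of all configured export settings (the GET step of the post)."""
    status, body = send("GET", BASE_URL, token)
    if status != 200:
        raise RuntimeError(f"GET {BASE_URL} returned HTTP {status}")
    data = json.loads(body) if body else []
    # Assumed OData-style envelope; fall back to a bare list.
    items = data.get("value", []) if isinstance(data, dict) else data
    return [item["id"] for item in items if isinstance(item, dict) and "id" in item]


def delete_export_setting(setting_id: str, token: str, send: Sender = http_send) -> bool:
    """Delete one export setting by id (the DELETE step of the post).

    The id must be present in the current list: this guards against deleting
    something other than the orphaned entry you copied from the GET output.
    """
    existing = list_export_settings(token, send)
    if setting_id not in existing:
        raise ValueError(f"{setting_id!r} is not a configured export setting")
    url = BASE_URL + urllib.parse.quote(setting_id, safe="")
    status, _ = send("DELETE", url, token)
    return status in (200, 204)


def make_fake_sender(ids: List[str]) -> Sender:
    """Constructed offline stand-in for http_send, mimicking the assumed API shape."""
    state: Dict[str, List[str]] = {"ids": list(ids)}

    def fake_send(method: str, url: str, token: str) -> Tuple[int, str]:
        if method == "GET" and url == BASE_URL:
            return 200, json.dumps({"value": [{"id": i} for i in state["ids"]]})
        if method == "DELETE" and url.startswith(BASE_URL):
            sid = urllib.parse.unquote(url[len(BASE_URL):])
            if sid in state["ids"]:
                state["ids"].remove(sid)
                return 204, ""
            return 404, ""
        return 405, ""

    return fake_send


if __name__ == "__main__":
    # Offline demonstration with constructed ids; swap in http_send and a real
    # token to run it against a tenant.
    send = make_fake_sender(["SentinelExportSettings-log-active", "SentinelExportSettings-log-orphan"])
    print("before:", list_export_settings("dummy-token", send))
    print("deleted:", delete_export_setting("SentinelExportSettings-log-orphan", "dummy-token", send))
    print("after: ", list_export_settings("dummy-token", send))
```

Run it against a real tenant by passing a token with the appropriate Defender API permissions and leaving `send` at its default `http_send`; check the GET output first and make sure the id you pass to `delete_export_setting` belongs to the workspace that no longer exists, not to a live one.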

/en/remove-orphaned-sentinels-xdr-streaming-api/images/api-delete.png
Delete this export configuration...

/en/remove-orphaned-sentinels-xdr-streaming-api/images/StreamingAPIFixed.png
...and get back one more slot of export configurations

I hope this helps somebody in the future, either because they reached the limit or because they can finally remove the one orphaned Sentinel they have had in here for years.

Update: There was a Tech Community answer by nickselvaggio-msft already available. But I guess two solutions can’t be of harm.