Microsoft Sentinel Blog
Microsoft Sentinel for SAP Agentless connector GA

MartinPankraz
Oct 30, 2025

Dear Community,

Today is the day: Our new agentless connector for Microsoft Sentinel Solution for SAP applications is Generally Available now!

Fully onboarded to SAP’s official Business Accelerator Hub and ready for prime time wherever your SAP systems are waiting – on-premises, hyperscalers, RISE, or GROW – to be protected.

Let’s hear from an agentless customer:

With the Microsoft Sentinel Solution for SAP and its new agentless connector, we accelerated deployment across our SAP landscape without the complexity of containerized agents. This streamlined approach elevated our SOC’s visibility into SAP security events, strengthened our compliance posture, and enabled faster, more informed incident response.

SOC Specialist, North American aviation company

Use the video below to kick off your own agentless deployment today.

#Kudos to the amazing mvigilante​ for showing us around the new connector!

But we didn’t stop there! Security is being reengineered for the AI era - moving from static, rule-based controls to platform-driven, machine-speed defence that anticipates threats before they strike. Attackers think in graphs - Microsoft does too.

 

Schematic of the kill chain from human entry point on email through endpoints, identity, apps to data including SAP systems

We’re bringing relationship-aware context to Microsoft Security - so defenders and AI can see connections, understand the impact of a potential compromise (blast radius), and act faster across pre-breach and post-breach scenarios including SAP systems - your crown jewels.

See it in action in the phishing compromise below, which led to an SAP login bypassing MFA, followed by operating-system activity on the SAP host downloading trojan software. Enjoy this clickable experience for more details on the scenario.

 

Attack Graph in Microsoft Defender: Shows how a phishing compromise escalated to an SAP MFA bypass, highlighting cross-domain correlation.

The Sentinel Solution for SAP has AI-first in mind and directly integrates with our security platform on the Defender portal for enterprise-wide signal correlation, Security Copilot reasoning, and Sentinel Data Lake usage.

 

Schematic on Microsoft Security Suite enabled for SAP through Sentinel for SAP solution

Your real-time SAP detections operate on the Analytics tier for instant results and threat hunting, while the same SAP logs get mirrored to the lake for cost-efficient long-term storage (up to 12 years). Access that data for compliance reporting or historic analysis through KQL jobs on the lake.

No more "yeah, I have the data stored somewhere to tick the audit report checkbox": you can now query and use your SAP telemetry in long-term storage at scale. Learn more here.

Findings from the Agentless Connector preview

During our preview we learned that the majority of customers immediately benefit from the far smoother onboarding experience compared to the Docker-based approach. Deployment effort and time to first SAP log arrival in Sentinel went from days and weeks to hours.

⚠️ Deprecation notice for containerized data connector agent ⚠️ 

The containerized SAP data connector will be deprecated on 30 September 2026. This change aligns with the discontinuation of the SAP RFC SDK, SAP's strategic integration roadmap, and customer demand for simpler integration.

Migrate to the new agentless connector for simplified onboarding and compliance with SAP’s roadmap. 

All new deployments starting October 31, 2025, will only have the new agentless connector option, and existing customers should plan their migration using the guidance on Microsoft Learn.

The agentless connector will be billed at the same price as the containerized agent, ensuring no cost impact for customers.

Note📌: To support the transition for those of you on the Docker-based data connector, we have enhanced our built-in KQL functions for SAP to work across data sources for hybrid and parallel execution.

Spotlight on new Features

Inspired by the feedback of early adopters, we are shipping two of the most requested new capabilities with GA right away.

  • Customizable polling frequency: Balance threat detection value (1-minute intervals give the best value) against utilization of SAP Integration Suite resources based on your needs.

⚠️Warning! Increasing the intervals may result in message processing truncation to avoid SAP CPI saturation. See this blog for more insights.

Refer to the max-rows parameter and SAP documentation to make informed decisions. 

  • Customizable API endpoint path suffix: Flexible endpoints allow running all your SAP security integration flows from the agentless connector and adherence to your naming strategies. Furthermore, you can add the community extensions like SAP S/4HANA Cloud public edition (GROW), the SAP Table Reader, and more.

Sentinel Deployment Experience: Displays the simplified onboarding flow for the agentless SAP connector

You want more?

Here is your chance to share additional feature requests to influence our backlog. We would like to hear from you!

Getting Started with Agentless

The new agentless connector automatically appears in your environment – make sure to upgrade to the latest version 3.4.05 or higher.

Sentinel Content Hub View: Highlights the agentless SAP connector tile in Microsoft Defender portal, ready for one-click deployment and integration with your security platform

The deployment experience on Sentinel is fully automatic with a single button click: It creates the Azure Data Collection Endpoint (DCE), Data Collection Rule (DCR), and Microsoft Entra ID app registration assigned with RBAC role "Monitoring Metrics Publisher" on the DCR to allow SAP log ingest.
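A least-privilege check for the app registration described above, as an added example that is not part of the original post or the product: it reviews role assignments in the JSON shape returned by `az role assignment list` and flags anything beyond "Monitoring Metrics Publisher" scoped to the DCR itself. All IDs, resource names and the sample data are constructed placeholders.

```python
EXPECTED_ROLE = "Monitoring Metrics Publisher"  # role named in the post

# Constructed placeholders, not values from a real tenant.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-sentinel-sap"
DCR_ID = RG + "/providers/Microsoft.Insights/dataCollectionRules/dcr-sap-agentless"
APP_PRINCIPAL = "11111111-1111-1111-1111-111111111111"

# Constructed sample shaped like `az role assignment list --all -o json` output.
SAMPLE = [
    {"principalId": APP_PRINCIPAL, "roleDefinitionName": EXPECTED_ROLE, "scope": DCR_ID},
    {"principalId": APP_PRINCIPAL, "roleDefinitionName": EXPECTED_ROLE, "scope": RG},
    {"principalId": APP_PRINCIPAL, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB},
]


def audit_assignments(assignments, principal_id, dcr_id):
    """Return findings for the ingestion identity.

    Each finding is (kind, role, scope). An empty list means the principal
    holds exactly the expected role on the DCR and nothing else.
    """
    dcr = dcr_id.lower().rstrip("/")
    findings, on_dcr = [], False
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # another identity, out of scope for this check
        role = a.get("roleDefinitionName", "")
        raw_scope = a.get("scope", "")
        scope = raw_scope.lower().rstrip("/")  # ARM resource IDs are case-insensitive
        if role == EXPECTED_ROLE and scope == dcr:
            on_dcr = True
        elif role == EXPECTED_ROLE and dcr.startswith(scope + "/"):
            # Right role, but granted on a parent (resource group, subscription, root).
            findings.append(("broad-scope", role, raw_scope))
        else:
            findings.append(("unexpected-assignment", role, raw_scope))
    if not on_dcr:
        findings.append(("missing", EXPECTED_ROLE, dcr_id))
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE, APP_PRINCIPAL, DCR_ID):
        print(finding)
```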

Explore partner add-ons that build on top of agentless

The ISV partner ecosystem for the Microsoft Sentinel Solution for SAP is growing to tailor the agentless offering even further. The current cohort has flagship providers like our co-engineering partner SAP SE themselves with their security products SAP LogServ & SAP Enterprise Threat Detection (ETD), and our mutual partners Onapsis and SecurityBridge.

Partner solutions in alphabetical order

Ready to go agentless?

Get started from here

➤ Explore partner add-ons here.

➤ Share feature requests here.

Next Steps

Once deployed, I recommend checking AryaG’s insightful blog series for details on how to move to production with the built-in SAP content of agentless. Looking to expand protection to SAP Business Technology Platform? Here you go.

#Kudos to the amazing Sentinel for SAP team and our incredible community contributors!

 

That's a wrap 🎬. Remember: bringing SAP under the protection of your central SIEM isn't just a checkbox - it's essential for comprehensive security and compliance across your entire IT estate.

 

Cheers, Martin

Updated Oct 30, 2025
Version 1.0