| title | Containerized Agent to Agentless Connector migration guide | ||
|---|---|---|---|
| description | Learn how to migrate from the containerized SAP agent to the agentless data connector for Microsoft Sentinel Solution for SAP applications. | ||
| author | mberdugo | ||
| ms.author | monaberdugo | ||
| ms.reviewer | mapankra | ||
| ms.topic | article | ||
| ms.date | 10/23/2025 | ||
| appliesto |
|
||
| ms.collection | usx-security |
This article outlines the steps required to migrate from the containerized SAP agent to the agentless data connector for Microsoft Sentinel Solution for SAP applications.
[!INCLUDE data-connector-agent-deprecation]
The migration from the containerized SAP agent to the agentless data connector is a simple exercise that can be accomplished in a few steps. The agentless connector offers several advantages:
- Simplified deployment (zero footprint on SAP NetWeaver)
- Reduced maintenance overhead (no more container management and standard SAP updates)
- Future-proof architecture based on SAP Integration Suite and SAP Cloud Connector
- Improved scalability
In a nut-shell, the migration process involves deploying the new agentless connector side-by-side with the existing containerized agent, validating log retrieval from the new connector, and finally decommissioning of the deprecated containerized agent.
Your existing investment in the Microsoft Sentinel Solution for SAP analytic rules, workbooks, and playbooks remains functional with the agentless data connector. Enhancement of the kql functions used in the solution were applied to support both data ingestion methods side-by-side. They use the fuzzy union operator to combine data from both sources no matter if they exist.
- Assess: Review your existing containerized SAP agent deployment to identify monitored SAP systems, log types collected, and any custom configurations.
- Review: Familiarize yourself with the approaches for feature parity between the containerized agent and the agentless data connector, including configuration options and capabilities.
- Deploy: Set up the agentless data connector following the deployment guide.
- Validate: Ensure that logs are being collected correctly from your SAP systems using the agentless data connector. Use kql queries to verify log ingestion.
let startTime = ago(1h); let endTime = now(); ABAPAuditLog | where TimeGenerated between (startTime .. endTime) | summarize Count = count() by SourceSystem, bin(TimeGenerated, 5m) | order by TimeGenerated desc
- Monitor: Run both the containerized agent and the agentless data connector in parallel for a defined period to ensure stability and completeness of log collection.
- Decommission: Once you have validated that the agentless data connector is functioning correctly, proceed to decommission the containerized SAP agent. See the "Stop SAP data collection" article for details.
Tip
Follow the agentless migration video playlist for latest insights for a smooth transition.
Important
Review the authorizations of the Sentinel user and role on your SAP systems used with the containerized agent. The agentless data connector requires less but different authorizations compared to the containerized SAP agent. Refer to the configuration guide for details and SAP role sample for minimum authorizations.
The agentless data connector provides built-in feature parity with the containerized SAP agent for most important use cases regarding analytic rules and workbooks. See the content reference for details.
All analytics rules and workbooks built on the underlying SAP sources mentioned on the table reference remain functional without any changes.
These sources include but are not limited to the following logs:
- SAPcon - Audit Log
- SAPcon - Change Documents Log
- User and User Authorization Details
The solution scope can be extended through extensions patterns available for the agentless data connector. Watchlists and Playbooks remain fully functional without any changes.
SAP HANA database or OS-level detections are out of scope for the comparison because they are covered by their own connectors in Microsoft Sentinel.