Microsoft Sentinel Blog
Microsoft Sentinel for SAP: New Security Content Goes Beyond Agentless 🚀

MartinPankraz
Apr 25, 2025

Dear Community,

Following up on my private preview announcement about Microsoft Sentinel for SAP going agentless - what a title during Agentic AI times, right? I'm thrilled to share even more capabilities that have been added to our security monitoring arsenal recently!

Psst🤫 – you are also getting a sneak peek into the new community extensions area.

New Security Content Alert! 📣

The agentless data connector team has significantly expanded the security content coverage for the public preview, adding crucial monitoring capabilities for 3 additional sources to increase parity with the legacy data connector:

  • SAP Change Documents - Track critical modifications across your landscape with detailed visibility into who changed what and when
  • SAP User Master Data - Monitor user provisioning, role assignments, and profile changes to detect suspicious activity patterns
  • ABAP Authorization Details - Gain deeper insights into authorization checks, failures, and potential privilege escalation attempts

Note📌: To support transition for those of you on the Docker-based data connector, we have enhanced the first set of our built-in KQL functions for SAP to work across both data sources.

These additions activate the most used detections from our existing SAP security content library, providing comprehensive protection for your mission-critical SAP systems without requiring additional deployment steps. Bazinga!

These new sources allow us to extend the security coverage with dozens of analytics designed to detect suspicious activity on a number of previously uncovered attack vectors.

Community Extensions - Because Security is a Team Sport 🤝

The Microsoft Sentinel for SAP journey doesn't stop with official Microsoft offerings! We are expanding the proven community track to the agentless approach. Build on top of the platform to further enhance your SAP security operations tailored to your needs.

Partners, ISVs, and first and foremost customers are invited to share, contribute, and request additional artifacts.

 

Check out the Sentinel For SAP Community repository where you'll find the first set of Integration templates for you to build upon for additional security workflows.

What is already there?

The solution package features an SAP Integration Suite integration flow for SOAR use cases. With it, you can re-use the same integration approach that the agentless data connector uses. This means requesting SAP user blocks or SAP audit log reactivation can now be done without any additional proxies such as the Microsoft on-premises data gateway, separate virtual network injection, or the like. Not too bad, huh?

I especially love seeing customers and partners contributing their expertise to make SAP environments more secure for everyone. This is what community is all about!

Getting Started

Already using Microsoft Sentinel Solution for SAP? The new agentless data connector automatically appears in your environment – make sure to upgrade to version 3.3.11 or higher.

New to this solution? Now is the perfect time to start! The agentless data connector approach (which leverages your existing SAP Cloud Connector setup and is significantly easier to configure than the Docker-based agent!) and the expanded security content are ready to protect your SAP landscape.

Get started from here.

In addition, I recommend stopping by AryaG’s series, which gives details on how to move to production. See also my blog on the SAP community for more details on the matter.

#Kudos to the amazing Sentinel for SAP team and our incredible community contributors!

 

That's a wrap 🎬. Remember: bringing SAP under the protection of your central SIEM isn't just a checkbox - it's essential for comprehensive security across your entire IT estate.

Cheers, Martin

Updated Apr 25, 2025
Version 1.0