Containerized SAP agent to the agentless data connector migration guide

This article outlines the steps required to migrate from the containerized SAP agent to the agentless data connector for Microsoft Sentinel Solution for SAP applications.

Important

The data connector agent for SAP is being deprecated and will be permanently disabled by September 30th 2026. We recommend that you migrate to the agentless data connector. Learn more about the agentless approach from our blog post.

Why move to the agentless data connector?

The migration from the containerized SAP agent to the agentless data connector is a simple exercise that can be accomplished in a few steps. The agentless connector offers several advantages:

  • Simplified deployment (zero footprint on SAP NetWeaver)
  • Reduced maintenance overhead (no more container management and standard SAP updates)
  • Future-proof architecture based on SAP Integration Suite and SAP Cloud Connector
  • Improved scalability

In a nutshell, the migration process involves deploying the new agentless connector side by side with the existing containerized agent, validating log retrieval from the new connector, and finally decommissioning the deprecated containerized agent.

Your existing investment in the Microsoft Sentinel Solution for SAP analytic rules, workbooks, and playbooks remains functional with the agentless data connector. The KQL functions used in the solution were enhanced to support both data ingestion methods side by side. They use the fuzzy union operator to combine data from both sources, whether or not both exist.

Migration path

  1. Assess: Review your existing containerized SAP agent deployment to identify monitored SAP systems, log types collected, and any custom configurations.
  2. Review: Familiarize yourself with the approaches for feature parity between the containerized agent and the agentless data connector, including configuration options and capabilities.
  3. Deploy: Set up the agentless data connector following the deployment guide.
  4. Validate: Ensure that logs are being collected correctly from your SAP systems using the agentless data connector. Use KQL queries to verify log ingestion:
    let startTime = ago(1h);
    let endTime = now();
    ABAPAuditLog
    | where TimeGenerated between (startTime .. endTime)
    | summarize Count = count() by SourceSystem, bin(TimeGenerated, 5m)
    | order by TimeGenerated desc
    
  5. Monitor: Run both the containerized agent and the agentless data connector in parallel for a defined period to ensure stability and completeness of log collection.
  6. Decommission: Once you have validated that the agentless data connector is functioning correctly, proceed to decommission the containerized SAP agent. See the "Stop SAP data collection" article for details.
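
One way to check completeness during the parallel run in steps 4 and 5, as an added example that is not part of the original article: the query combines both ingestion paths with a fuzzy union and lists the 5-minute bins in which the agentless connector delivered fewer records than the containerized agent. `AgentRows`, `AgentlessRows`, `Path`, `Missing` and the sample rows are constructed for illustration, and `SourceSystem` is assumed to identify the same SAP system on both sides.

```kql
// Added example, not from the original article.
// AgentRows / AgentlessRows are constructed stand-ins for what each connector
// ingested. In a workspace, replace each with the table fed by that connector
// (hypothetical names here; SourceSystem is assumed to match on both sides).
let startTime = datetime(2025-01-01 10:00:00);
let endTime   = datetime(2025-01-01 10:15:00);
let binSize   = 5m;
let AgentRows = datatable(TimeGenerated: datetime, SourceSystem: string)
[
    datetime(2025-01-01 10:01:00), "S4H",
    datetime(2025-01-01 10:02:30), "S4H",
    datetime(2025-01-01 10:06:10), "S4H",
    datetime(2025-01-01 10:07:45), "ECC",
    datetime(2025-01-01 10:11:20), "ECC"
];
let AgentlessRows = datatable(TimeGenerated: datetime, SourceSystem: string)
[
    datetime(2025-01-01 10:01:00), "S4H",
    datetime(2025-01-01 10:02:30), "S4H",
    datetime(2025-01-01 10:06:10), "S4H",
    datetime(2025-01-01 10:11:20), "ECC"
];
// isfuzzy=true keeps the query valid even if one side cannot be resolved,
// for example once the containerized agent's data source no longer exists.
union isfuzzy=true
    (AgentRows     | extend Path = "agent"),
    (AgentlessRows | extend Path = "agentless")
| where TimeGenerated between (startTime .. endTime)
| summarize AgentCount     = countif(Path == "agent"),
            AgentlessCount = countif(Path == "agentless")
    by SourceSystem, bin(TimeGenerated, binSize)
// Keep only the bins where the agentless connector delivered fewer records.
| extend Missing = AgentCount - AgentlessCount
| where Missing > 0
| order by TimeGenerated desc
```

An empty result over the whole parallel-run window means no bin is short on the agentless side. Exclude the most recent bins when running this against live data, because records still in transit would show up as gaps.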

Feature parity

The agentless data connector provides built-in feature parity with the containerized SAP agent for the most important use cases regarding analytic rules and workbooks. Less relevant features are covered through the extension patterns available for the agentless data connector. Watchlists and playbooks remain fully functional without any changes. However, you may consider using the capabilities of SAP Integration Suite to further simplify your SOAR workflows. See this integration flow for SAP user blocking.

Important

Review the authorizations of the Sentinel user and role on your SAP systems used with the containerized agent. The agentless data connector requires fewer but different authorizations compared to the containerized SAP agent. Refer to the configuration guide for details and to the SAP role sample for minimum authorizations.

All analytics rules and workbooks built on the underlying SAP sources listed in the table reference remain functional without any changes.

These sources include but are not limited to the following logs:

  • SAPcon - Audit Log
  • SAPcon - Change Documents Log
  • User and User Authorization Details

SAP HANA database or OS-level detections are out of scope for the comparison because they are covered by their own connectors in Microsoft Sentinel.

Next steps