Skip navigation

Microsoft Sentinel solution for SAP

Protect business-critical data within SAP systems and applications from advanced threats

Guard critical data against advanced threats

SAP systems and applications handle massive amounts of sensitive data that is hosted on Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), or on-premises infrastructure. The SAP ecosystem is complex and difficult for security operations (SecOps) teams to effectively monitor and protect. The Microsoft Sentinel solution for SAP allows you to monitor, detect, and respond to suspicious activities and guard your business-critical data against sophisticated cyberattacks.

  • Monitor all SAP system layers

    Gain visibility across business logic, application, database and operating system layers with built-in investigation and threat detection tools.

  • Detect and automatically respond to threats

    Discover suspicious activity including privilege escalation, unauthorised changes, sensitive transactions and suspicious data downloads with out-of-the-box detection capabilities.

  • Correlate SAP activity with other signals

    Accurately detect SAP threats with data correlation from all sources and SAP infrastructure.

  • Customise based on your needs

    Build your own threat detection solutions to monitor specific business risks to extend built-in security content.

Offer details

The Microsoft Sentinel solution for SAP will be generally available with a six-month free promotion starting in August 2022.

Billing will start on February 1, 2023, as an add-on charge in addition to the existing Microsoft Sentinel consumption-billing model.

See pricing details for Microsoft Sentinel

Get started

Start ingesting data from your SAP applications into Microsoft Sentinel with the SAP data connector. The data connector is an agent, delivered as a docker container, that's installed on a virtual machine, Kubernetes/AKS cluster, or a physical server and collects application logs from across the entire SAP system over the SAP applicative interfaces, NetWeaver RFC and SAPControl. The SAP data connector then sends those logs and data to Microsoft Sentinel for continuous threat monitoring.

After your data is connected, use the other solution components – analytics rules for threat detection, workbooks for interactive data visualisation, and watchlists for configuration and fine-tuning – to gain insights into your organisation's SAP environment and address security threats.


Microsoft has a broad set of partners to help you select, integrate, deploy and manage security solutions. As managed service providers, Microsoft partners can offer security operations centre (SOC) services using a common SIEM solution to proactively identify security anomalies for the entire IT landscape and take corrective actions in a timely manner. With the solution's native integrations with SAP, threat detection becomes more robust, and creation of compliance reports and dashboards can be automated.

Reach out to a Microsoft partner for:

  • Deploying Microsoft Sentinel for threat protection on SAP.
  • Securing SAP on Azure with native cloud security controls.

Frequently asked questions

  • The SAP data connector agent works virtually with any SAP NetWeaver system and requires preparation steps on the SAP side of the integration and in Azure. For more information refer to SAP prerequisites.

  • No, we only charge for active connections to SAP systems by the hour. Inactive systems do not get charged.
  • We only note for SAP application data collection triggered by connecting our SAP connector to SAP SIDs (instances). Only connected instances are billed by the hour.
  • The SAP specific cost is only influenced by the number of systems connected. Microsoft Sentinel ingestion costs may vary and is influenced by logs collected.
  • Yes, you can integrate to SAP Rise NetWeaver based systems.