Monitor SAP data streams and user downloads


  • Close security gaps that are still underestimated by monitoring back-end data streams.
  • Quick detection and near real-time notification in case of security incidents such as unauthorized attempts to  download sensitive data.
  • Comply with GDPR (Articles 5(2) & 30) through comprehensive audit documentation.

Increasing business and compliance requirements need more than what SAP GRC can offer

Business and operations do not happen in silos. There is a constant need to share relevant data through different networks, which also get stored in new storage locations, thus making it almost impossible to control. In such a scenario, it would be incorrect to assume that only authorized users view and access sensitive data related to their job function. It is a fact that most companies running their businesses on SAP have very little knowledge and control over how documents extracted from SAP systems and applications are being shared or who is accessing them. Authorized users access data regularly to perform their job functions, but once that data leaves SAP, there is no way to track and monitor it. This leaves companies at a high risk of data loss due to malicious or accidental actions.

While end users present one side of the case, on the other hand, data also flows through the backend in the form of API-based machine-to-machine communication. Most often than not, enterprises do not have insight into ‘invisible’ SAP application activities and, thus, significantly heighten their IT security risk.

Currently SAP GRC can detect only unauthorized SAP data exports, not SAP data streams (Audit & Classification for applications). Also, it does not offer the capability to prevent unauthorized SAP data exports or protect exported SAP data files.


HALOCORE MONITOR audits all exports and downloads of critical SAP data regardless from which egress point the data flows. Through pseudonymization, the audit log meets, by default, Works Council requirements. It is a key extension to the standard SAP Security Audit Log (SAL) and, furthermore, enriches the auditing data shown in SAP Enterprise Threat Detection (ETD) and SAP Digital Boardroom, especially as it audits all exports using an automated classification engine. Closing these GRC compliance gaps even during ‘firefighter’ activities, the module provides real-time insight into which sensitive data is at risk of leaving your SAP system and sends e-mail notifications in case of data leakage.

Frequently Asked Questions

SAP GRC detects unauthorized SAP data exports. How does HALOCORE add value and differentiate?

Typically, SAP GRC monitors unauthorized SAP data exports, which basically covers audit and classification of SAP ‘user downloads’. However, HALOCORE does not only do this for individual end users, but also monitors backend API data flows. In other words, it extends the audit and classification functionalities to applications as well. This is critical the current complex SAP operations scenario as many protocol-based machine-to-machine communication (APIs) are legacy. SECUDE’s on-the-field experience reveals that this is a grey area for most data security practitioners today.

Does the HALOCORE module 'MONITOR' provide real-time notification of data leaks?

Yes. HALOCORE reduces risk and helps users stay compliant by providing real-time alerts of sensitive data downloads. Also, all data downloads and extraction activities from SAP are aggregated into a fully customizable audit log, which can be extracted to powerful tools such as SAP Business Intelligence and Analytics solutions.

Is it possible to implement the module 'MONITOR' alone without buying/implementing the complete HALOCORE suite?

Definitely. HALOCORE is a suite of modules that can be implemented piecemeal as per the data security requirements of the end user. Most often than not, MONITOR has been installed to meet the client’s data tracking and audit requirements. In fact, implementing MONITOR is often considered the first step in establishing a comprehensive data security system. As the MONITOR module of HALOCORE provides the vital visibility into what happens to downloaded data by tracking and analyzing access to sensitive SAP data exports for enhanced control and compliance, it forms the must-have foundation for subsequent deployment of BLOCK and PROTECT.

Discover More


Holger Hugel
VP Products & Services

Follow Us

Close security gaps in SAP and let business run.