2017 - Page 2 of 3 - Layer Seven Security

Q&A: Cybersecurity Monitoring with SAP Solution Manager

Layer Seven on July 30, 2017

How does Solution Manager detect threats and vulnerabilities in SAP systems? What specific applications in SolMan are used for vulnerability, patch and threat management? What are the requirements for using these areas? How long does it take to configure? What are the differences between monitoring using SolMan 7.1 and 7.2? What are the benefits of using SolMan versus third party tools? Why should you partner with Layer Seven Security to help you leverage the cybersecurity capabilities of SAP Solution Manager?

Discover the answers to these and many other questions in the new Q&A section and learn how you can immediately protect your SAP systems from advanced threats using tools you already own and an approach recommended by SAP.

Remember to bookmark the page since we will be updating the questions and answers periodically. Also, feel free to submit your questions for our experts in the comments below.

Q: What is SAP Solution Manager?
A: Solution Manager is the most widely deployed SAP product after ECC. It’s installed in almost all SAP landscapes and is used for application lifecycle activities such as system patching and upgrades, change management, incident management, and system monitoring.

Q: How is Solution Manager licensed?
A: Usage rights for Solution Manager are bundled with SAP support and maintenance agreements. SAP Enterprise Support customers can manage their whole IT infrastructure with Solution Manager. Customers with Standard Support can manage SAP products within their IT landscapes with Solution Manager. Licensing for SAP HANA is included with the usage rights for SAP Solution Manager 7.2.

Q: What security tools are available in Solution Manager?
A: There are several applications in Solution Manger that should be used for advanced security monitoring. We recommend Service Level Reporting, Security Dashboards, System Recommendations, Interface Monitoring and Security Alerting.

Q: Why doesn’t Layer Seven Security recommend the EWA and SOS reports?
E: There are drawbacks with both reports. The EarlyWatch Alert (EWA) performs some security checks but is not specifically a security report. Therefore, the range and volume of checks performed by EWA for security is low. The Security Optimization Service (SOS) provides better coverage but is not fully automated. You must submit a service request to run SOS for ABAP systems. Service requests to run SOS for Java systems must be submitted to SAP.

Q: What are Service Level Reports?
A: Service Level Reports (SLR) automate vulnerability reporting for SAP systems. They perform scheduled checks for hundreds of security weaknesses for ABAP, HANA and Java systems and automatically distribute the results via email, SFTP or the Enterprise Portal. SLRs include detailed descriptions for findings, risk ratings, links to relevant SAP Notes and guidance at the SAP Help Portal and compliance scorecards for frameworks such as NIST, PCI DSS and IT-SOX.

Q: How do SLRs work?
A: SLRs read the results of automated daily vulnerability scans performed by Solution Manager for SAP systems. The results are checked against security KPIs during runtime. SLRs are typically scheduled to run on a weekly or monthly schedule.

Q: Are SLRs available in multiple languages?
A: Yes, SLRs can be run in any language including French, German, Spanish, Arabic, Japanese, and Mandarin.

Q: Are SLRs customizable?
A: Yes, you can customize every aspect of service level reports including the design, layout, security checks, and KPI metrics and thresholds.

Q: Can you provide a sample Service Level Report?
A: Yes, submit your request here.

Q: What is System Recommendations?
A: System Recommendations is an application in Solution Manger that performs automated patch management for SAP systems. It connects directly to SAP Support to download required security notes and monitor the status of notes implemented in systems through regular background jobs.

Q: Does System Recommendations also download and apply corrections?
A: Yes, System Recommendations downloads corrections from SAP Support to target systems. The user is automatically directed to SNOTE in the target systems once the corrections are downloaded.

Q: Does System Recommendations identify the impact of security patches?
A: Yes, System Recommendations integrates with applications in Solution Manager to perform change impact analysis and discover programs, function modules, transactions, reports and business processes effected by notes.

Q: Does System Recommendations integrate with Change Request Management (ChaRM)?
A: Yes, System Recommendations includes the option to automatically generate a change request for required notes.

Q: What are Security Dashboards?
A: Security Dashboards monitor critical key performance indicators to track vulnerabilities and threats across SAP landscapes in real-time.

Q: What type of metrics are monitored by Security Dashboards?
A: The Dashboards connect to data stores in Solution Manager for event-driven alerts and system and user level vulnerabilities. Users can drilldown from aggregated results to detailed values.

Q: What type of data visualizations are available in the Security Dashboards?
Users can select from column, line, pie, scatter and other charts and Fiori tiles and tables.

Q: What is Interface Monitoring?
A: Interface Monitoring is used to map and track system interfaces in SAP landscapes including RFC, HTTP, IDoc and Web Service connections. It automatically creates a topology of system interfaces and monitors the usage of the interfaces in real-time. Alerts can be generated for channel metrics including availability, configuration and performance.

Q: What is Security Alerting?
A: Security Alerting is based on the Monitoring and Alerting Infrastructure (MAI) of Solution Manager. MAI connects to data providers including event logs to monitor for security vulnerabilities and incidents. MAI generates automatic notifications for security incidents including emails and text messages.

Q: What type of security vulnerabilities and events are monitored by MAI?
A: MAI monitors system-level vulnerabilities such as the enabling of the invoker servlet in Java systems, insecure entries in access control lists for gateway servers, vulnerable RFC destinations, missing security notes, and many other areas. It also monitors KPIs for user-level security including users with dangerous profiles such as SAP_ALL and unlocked standard users.

Q: Can you perform threat detection using MAI in Solution Manager?
A: Yes, MAI includes file and database connectors for real-time monitoring of event data captured in SAP logs. This includes the security audit log, HANA log, UME log, HTTP log, gateway server log, and the Read Access Log.

Q: Can you integrate MAI alerts with Security Information Event Management (SIEM) and incident management systems?
A: Yes, MAI alerts can be automatically forwarded to SIEM systems such as Splunk, ArcSight, and QRadar for event correlation and forensic analysis. Alerts can also be forwarded to incident management systems such as BMC Remedy and ServiceNow.

Q: Does Solution Manager provide best practices for alert handling?
A: Yes, the Guided Procedure (GP) Framework in Solution Manager provides best practices and standard operating procedures for investigating and resolving security alerts. This standardizes and improves incident management procedures and reduces response times. The guided procedures include automated steps to further improve incident handling.

Q: What are the main differences between SAP Enterprise Threat Detection (ETD) and threat detection using SAP Solution Manager?
A: SAP ETD provides more advanced capabilities for event correlation and forensic analysis. However, Solution Manager can forward event data to SIEM systems that can correlate and analyze data on a wider scale than ETD by combining data from SAP and non-SAP sources. Also, ETD does not monitor for system-level vulnerabilities or provide guided procedures for alert handling.

Q: What are the requirements for using the security applications in Solution Manager?
A: The security applications are available in any SP level of Solution Manager versions 7.1 and 7.2. The only requirements are the completion of the SOLMAN_SETUP procedures for the relevant version.

Q: What are the differences between Solution Manager 7.1 ad 7.2 for security monitoring?
A: The main difference is the user-experience. Solution Manager 7.2 provides the improved Fiori interface including a launchpad for direct access to applications. Some functions such as automatic download of SAP corrections in System Recommendations are only available in Solution Manager 7.2. Also, the dashboarding and interface monitoring capabilities are more advanced in the latest version of Solution Manager.

Q: How many environments and systems can you monitor with Solution Manager?
A: There are no limits on the number of environments or systems that can be monitored by Solution Manager. However, Solution Manager must be appropriately sized to monitor large landscapes.

Q: How long does it take to configure the security applications?
A: Typical implementation timeframes are between 2-4 weeks for mid-sized landscapes.

Q: If security applications are available in standard installations of Solution Manager, why do we need to work with SAP Partners such as Layer Seven Security to configure these components?
A: Solution Manager provides the framework and the tools to perform advanced security monitoring. However, the standard installation of Solution Manager does not provide sufficient content for security monitoring. The content is developed, maintained and supported by Layer Seven Security. This includes patent-pending custom security policies, BW infoproviders, service level reports, monitoring objects and guided procedures. The content is licensed by SAP customers from Layer Seven Security and imported or transported into Solution Manager.

Q: What are the benefits of using Solution Manager for security monitoring versus third party tools ?

A: There are many advantages for using Solution Manager over third party tools. The most significant is lower cost: licensing and importing content for Solution Manager is less expensive than licensing entire platforms and solutions for SAP security monitoring. Solution Manager is also more flexible and customizable. It’s also recommended by SAP and supported and maintained directly by SAP. For further information, download the comparison chart.

Q: Does Layer Seven Security provide online demos for security monitoring using Solution Manager?
A: Yes, you can request a demo here.

Q: Does Layer Seven Security provide free readiness checks and trials for security monitoring using Solution Manager?
A: Yes, we offer free readiness checks to discover and remove any configuration gaps in Solution Manager to support security monitoring. We also provide free trials for Layer Seven’s custom security content. The trials can be performed remotely or on-site for up to 5 systems.

Q: Who shall I contact for further information?
A: Please call Layer Seven Security at 1-647-964-7370 or email info@layersevensecurity.com

SAP Security Notes, June 2017

Zarah on July 7, 2017

Note 2416119 was reissued in June with updated release information and solution instructions. The note provides instructions for maintaining the property URLCheck ServerCertificate in Java Application Servers. The instructions are intended to mitigate the risk of man-in-the-middle attacks by securing client-server HTTPS connections. Certificates signed by Certificate Authorities should be maintained in client keystores to avoid possible failures in HTTPS calls. Detailed instructions are available in the Manual Activities section of Note 2416119 and in the Resolution section of Note 2452615.

Note 2444321 corrects a program error in the SsfVerifyEx function of the SAP Common Cryptographic Library (Common CryptoLib). The error can lead to a failure in authorization and authentication checks for certificates. SAP-delivered applications do not use the vulnerable SsfVerifyEx function. However, SsfVerifyEx may be called by custom programs through the function module SSFW_KRN_VERIFY within the SSFW function group and the method VERIFY_XML within the SAP class CL_SEC_ SXML_DSIGNATURE.

Notes 2313631 and 2389181 deal with Denial of Service vulnerabilities impacting the Launchpad and Central Management Console (CMC) within Business Intelligence and the Instance Agent Service (sapstartsrv), respectively. The Launchpad and CMC are popular portals used to access BI content.

Sapstartsrv is a host-level service for controlling and monitoring SAP processes.

Note 2427292 includes corrections for an information disclosure vulnerability in the Microsoft Management Console (MMC) that could enable attackers to discover the password of hidden users. The credentials could be used to start or stop Java systems via the MMC Web Service.

A First Look at Support Pack 5 of SAP Solution Manager 7.2

Layer Seven on June 26, 2017

Released earlier this month, Support Pack 5 for SAP Solution Manager 7.2 delivers important enhancements in several key areas. This includes support for exporting and importing solution documentation between systems, improved SAP-delivered solution blueprints, and an enhanced graphical editor for mapping business processes. SP05 also introduces a new Fiori App for Quality Gate Management in ChaRM. There are also new Fiori Apps for Data Volume Management to support data aging and identifying unused data.

For security, SP05 introduces several notable changes. Solution Manager Configuration and Administration now includes a tile for Security-Relevant Activities. This function can be used to check the status of authentication, connection, and user related activities required for the effective setup and operation of Solution Manager.

Solution Manager Configuration and Administration also includes a new scenario for setting up and tracking usage logging. Areas such as System Recommendations analyze usage data to identify the impact of changes and corrections on ABAP objects.

SP05 also introduces several functional improvements for System Recommendations. The available filters in System Recommendations now include a selection field for Note Number. This can be used to jump directly to specific Notes.

System Recommendations also includes a new tool for side-effect Notes. The tool was originally introduced in the SAP Marketplace in 2003 and enables users to identify interdependencies between SAP Notes and guard against the known side-effects of applying certain SAP Notes. Note 651948 discusses side-effects Notes.

Interface and Connection Monitoring (ICMon) includes an improved interface to drill down from monitoring overviews and topologies to the details of each interface channel. Users can also now assign severity ratings for ICMon alerts. SP05 widens the coverage for supported interface channels to include the SAP Application Interface Framework, SAP Information Lifecycle Management (SAP ILM) and Ariba Network. It also provides additional metrics for monitoring existing channels such as web services.

The Fiori launchpad for Solution Manager SP05 includes new tiles for the Guided Procedure Framework. The Guided Procedure Catalog can be used to browse available guided procedures. The Guided Procedure Usage tile can be used to access the execution logs for guided procedures. Available filters have also been improved to support selection for guided procedures based on technical systems and hosts.

Full details of the changes introduced with SAP Solution Manager Support Pack 05 are available at the SAP Help Portal.

SAP Security Notes, May 2017

Zarah on June 7, 2017

Note 2380277 addresses a high priority memory corruption vulnerability in the GUI control component of the Internet Graphics Server (IGS). GUI control is a self-contained component of the presentation server in ABAP systems. The Note contains corrections for logical errors in memory management within the component. The errors could be exploited by attackers to extract sensitive information or perform a denial of service by provoking a buffer overflow or underflow. This is caused by specially crafted commands or objects that force GUI Control to perform out-of-bounds memory reads. For detailed information, refer to CVE-2015-8540.

Note 2462813 provides instructions for securing dynamic selections in SQL queries using the function module FREE_SELECTIONS_RANGE_2_WHERE. The instructions are intended to mitigate SQL injection attacks against the Revenue Accounting application in SAP ERP. Successful SQL injection exploits can lead attackers to perform administrative database operations including reading, modifying and deleting sensitive data.

Note 2433777 deals with authorization errors in the ABAP File Interface used to edit files stored in SAP application servers. The Interface does not effectively perform authority checks for file or path names containing specific control characters. This could enable attackers to access restricted files. As a result, the corrections packaged with the Note disable the ABAP statements OPEN DATASET and DELETE DATASET for file names with control characters.

Note 2441560 removes a denial of service vulnerability in SAPCAR that could be exploited by attackers to gain root access to servers processing prepared archives. SAPCAR is a utility that is used to compress and decompress files delivered by SAP. SAPCAR 7.21 should be updated to patch level 816 or higher to address the vulnerability.

Discover, Implement and Test Security Notes using SAP Solution Manager 7.2

Layer Seven on May 11, 2017

The results of the recent Verizon DBIR revealed significant differences between industries in terms of vulnerability patching. Organizations in sectors such as information technology and manufacturing typically remove over 75% of vulnerabilities within 3 weeks of detection. At the other end of the spectrum, 75% or more of vulnerabilities discovered in financial and public sector organizations and educational institutions remain unpatched for longer than 12 weeks after discovery.

The DBIR masks important differences between patching for devices and applications. Servers, for example, are generally more effectively patched than routers and switches.

Patch cycles for SAP infrastructure and applications are typically more drawn-out than most other technologies. There are several reasons for this. The most important is the lack of visibility into the impact of SAP patches. This leads to a reluctance to apply corrections that may disrupt the performance or availability of systems.

SAP Solution Manager 7.2 overcomes this challenge by enabling customers to pinpoint the impact of security notes before they are applied in systems. Change impact analysis is performed using Usage and Procedure Logging (UPL) and Business Process Change Analyzer (BPCA) integrated with System Recommendations (SysRec).

SysRec provides a real-time analysis of missing security notes and support packs for ABAP and non-ABAP systems including Java and HANA. It connects directly to SAP Support to discover relevant notes and packs for systems configured in the LMDB – SolMan’s landscape information repository. It also connects to each managed system within SAP landscapes to check the implementation status of notes.

System Recommendations is accessed through the Change Management group in the Fiori launchpad for SAP Solution Manager.

The dashboard below is displayed after the SysRec tile is selected and summarizes notes across the landscape. IT Admin Role and System Priority are attributes maintained in the LMDB. Views can be personalized to sort or filter by attributes or notes.

You can apply a wider selection of filters in the detailed section of SysRec to further breakdown the results.

Once the filters are applied, the selection can be saved as a Fiori to tile to avoid reapplying the filters during future sessions. The tile is saved to the launchpad and the counter in the tile automatically updates based on the current status of the system.

The details for each note can be read by clicking on the short text.

The Actions option allows users to change the status of notes and add comments. Status options are customizable.

Corrections can be downloaded directly from SAP Support by selecting Integrated Desktop Actions – Download SAP Notes.

Once selected, you can change the target system before the download. The note will be available in SNOTE within the target system after the download.

Change impact analysis is performed at both a technical and business level. For technical analysis, SysRec reads data collected by Usage and Procedure Logging (UPL) to display information related to the usage level of objects such as programs, methods and function modules impacted by notes. This is performed by selecting the relevant notes and then Actions – Show Object List.

The results below reveal that Note 2373175 is impacting the standard SAP class CL_HTTP_SERVER_NET. This class was used 325311 times in system AS2 during the timeframe defined for UPL.

For business impact analysis, SysRec integrates with Business Process Change Analyzer (BPCA). BPCA reads solution documentation maintained in Solution Manager to discover modules, transactions, reports, and other areas impacted by notes.

SysRec’s ability to perform comprehensive and reliable change impact analysis for security notes enables customers to overcome one of the most significant roadblocks to effectively patching SAP systems. The usage data collected through UPL together with the solution documentation leveraged using BPCA provides SAP customers with the insights to develop test strategies targeted at the actual areas impacted by notes and narrow the window of vulnerability for unpatched systems.

In a forthcoming article, we will discuss how to import SAP templates and create and execute test plans using Test Management in SAP Solution Manager 7.2.

Highlights of the 2017 DBIR Report

Layer Seven on May 10, 2017

The Data Breach Investigations Report (DBIR) has chronicled the growth in security and data breaches for over a decade. The findings of the most recent report released on April 27 are based on the analysis of more than 42,000 security incidents across a variety of industries and countries.

For the first time, the DBIR examines security breaches for key industries to analyze threats confronted by specific verticals. According to the report, attack patterns and motives, as well as susceptibility to different forms of attack vary considerably between industries. For example, manufacturing companies are more likely to fall victim to phishing attacks than public sector organizations. Manufacturers are also more likely to be targeted by attackers motivated by corporate espionage than financial fraud. The industry insights are useful for aligning defense strategies to the risk profiles of each vertical.

Overall, the DBIR revealed that the majority of breaches (75%) are perpetrated by outsiders. Over half of attacks are performed by organized criminal groups and 18% by state-sponsored attackers. Internal resources are detecting a greater proportion of breaches than prior years, pointing to improving detection and response capabilities within organizations.

Hacking and malware remain the leading causes of security breaches. The report revealed a 50% increase in ransomware attacks. Ransomware is now the fifth most common form of malware, up from 22nd in 2014. There was also a noticeable increase in phishing attacks. Phishing is used in 21% of security incidents and has a success rate of 7.3%.

The DBIR analyzed patching processes across industries and concluded that most sectors follow a quarterly patch cycle. However, the percentage of patches implemented on-time varies from a high of 97.5% in the Information sector to a low of 18% in Education.

The findings of the DBIR are summarized below. The full report is available at Verizon Enterprise.

SAP Security Notes, April 2017

Zarah on May 7, 2017

Note 2419592 includes further corrections for a code injection vulnerability in TREX that was originally patched by SAP through Note 2234226 in February 2016. The vulnerability impacts the TREXNet protocol used for internal communications by TREX components and servers. TREXNet communication does not require any authentication. Therefore, the protocol can be abused to execute dangerous commands including OS commands using the administrative privileges of the <SID>ADM user. As a result, SAP recommends running TREX in an isolated subnet. Detailed instructions are documented in the TREX Installation Guide. However, the corrections included in Note 2419592 block access to the TREXNet interface from outside the TREX landscape. Therefore, it protects unsegmented systems against malicious commands targeting the protocol. TREX versions 7.10 and 7.25 must be upgraded to revisions 74 and 37 respectively to apply the corrections.

Note 2235515 includes an important update for SNOTE to log information related to the RFC destination used to download notes. SNOTE can be abused to download malicious packages from attacker controlled servers if the default RFC destination is changed. SNOTE executes program SCWN_NOTE_DOWNLOAD during runtime. The program will use an alternative RFC destination maintained in table CWBRFCUSR if a destination is defined in the table. For more information refer to Note 2235514.

Notes 2410082, 2372301, 2400292 and 2387249 deal with weaknesses in XML input validation that expose several ABAP and Java applications to XML External Entity (XXE) attacks. The impact of successful XXE exploits include sensitive information disclosure and denial of service.

Finally, Note 2407616 provides an update for saprules.xml to secure against a high-risk vulnerability that could enable attackers to execute remote commands against SAP GUI. saprules.xml is used by the SAP GUI Security Module to protect clients against potentially malicious commands from back-end SAP servers.

Get Hands-On with SAP Solution Manager 7.2 at SAPPHIRE NOW + ASUG 2017

Layer Seven on April 25, 2017

Attending next month’s SAPPHIRE NOW and ASUG Annual Conference?

Drop by booth #1280A for a live demonstration of security monitoring using SAP Solution Manager.

Learn how to schedule Service Level Reports to automatically detect vulnerabilities in your SAP systems, enable Dashboards to monitor security KPIs, detect and apply security notes using System Recommendations, monitor system interfaces with Interface Monitoring, and leverage Security Alerts for real-time threat detection.

If you’ve yet to register, follow the link below to reserve your spot. We hope to see you there!

SAP Security Notes, March 2017

Zarah on April 7, 2017

Note 2424173 deals with vulnerabilities in SAP HANA that were the subject of media attention in March. This includes coverage from the television news channel MSNBC. The vulnerabilities impact areas such as User Self Service Tools that support account-related tasks including password resets and self-registration through a web interface.

The Note carries a CVSS of 9.8/10. The exploit range and impact are high. The attack complexity is low and no specific privileges are required to execute the related exploits.

Attacks that exploit the vulnerable areas of user self-service appear to target the SYSTEM user in SAP HANA. The SYSTEM user is a powerful default user that should be deactivated after the initial install of the database. Any compromise of the SYSTEM user can lead to anonymous and privileged access to SAP HANA, leading to the complete compromise of the platform and data stored or processed by HANA.

User self-service tools are disabled in the default configuration of SAP HANA. Activation requires the creation of a technical user, configuring SMTP services and maintaining relevant parameters in the xsengine.ini file.

User self-service parameters and the status of the SYSTEM user can be monitored using SAP Solution Manager. The latter includes successful and unsuccessful logon attempts. Automatic alerts can be enabled for vulnerable settings and any action performed by the SYSTEM user.

Other critical corrections include Note 2319506 which removes a blind SQL injection vulnerability in Database Monitors for Oracle. The exploit addressed by the Note targets vulnerable input parameters in the function modules STUO_GET_ORA_ SYS_TABLE and STUO_GET_ORA_SYS_ TABLE_2 used to read or modify system tables.

Notes 2381388 and 2378999 remove missing authorization checks in the stock transfer process of Materials Management, a widely-deployed module of SAP ERP.

Finally, Note 2429069 addresses a session fixation vulnerability in SAP HANA 2.0 that enables attackers to decipher the session IDs of concurrent users.

Security KPI Monitoring with SolMan Dashboards

Layer Seven on March 28, 2017

SAP Fiori revolutionizes the user experience in Solution Manager 7.2. The dynamic tile-based layout replaces the work center approach in Solution Manager 7.1. In fact, since the Fiori launchpad provides direct and customizable access to applications, it virtually removes the role of work centers in Solution Manager. Fiori and Fiori Apps are the first pillar of the new user experience in Solution Manager. The second is the revised dashboard framework.

Both Fiori and the dashboard framework are built on HTML5-compliant SAPUI5 technology. Unlike the Flash-based dashboards in Solution Manager 7.1, dashboards in version 7.2 are compatible with most browsers and mobile devices. In common with the packaged dashboards available using the Focused Insights add-on, the dashboard framework includes a series of reusable dashboard templates to support application and cross-application scenarios. This includes areas such as availability and performance management, incident management and service management.

However, in contrast to Focused Insights and dashboards in Solution Manager 7.1, the new framework provides a flexible and user-friendly platform for creating custom dashboards to monitor key performance indicators (KPIs) in SAP systems and landscapes, including security-relevant KPIs.

A dashboard consists of multiple tiles. Each tile is associated with a single KPI. Tiles can be clustered into groups within a dashboard. Once the option to a create new dashboard is selected (see below), users can select either standard tiles or create custom tiles for the dashboard. Standard tiles include predefined KPIs available from the SAP KPI Catalog.

For custom tiles, users can select from a variety of data sources including Business Warehouse. Security-related information such as vulnerabilities and missing security notes detected by Solution Manager are stored in InfoProviders within an internal Business Warehouse.

Once the data source is selected, users can maintain filters and thresholds to break down the results.

Users can also select the type of visualization for each tile including combination, micro, single, stack and table charts.

Dashboards support drill-down analysis by enabling users to navigate directly from summarized information in each tile to the detailed information in Business Warehouse. An example is provided below. The following dashboard monitors security KPIs for patch levels, network security, RFC security, access control, logging and auditing, and system configuration management. The highlighted tile in the dashboard displays the number of unapplied security notes for system PM1. A single click on the tile will display the details of the notes in a table that can then be exported directly to Excel.