# SAP Security Notes

> How Luumen ingests SAP Security Notes, maps them to your hosts, and filters out the noise so you only see notes that affect your environment.

SAP publishes Security Notes — bulletins describing vulnerabilities, misconfigurations, and recommended fixes across SAP products. The volume is high, and most notes are irrelevant to any given customer because they target products or component versions you don't have installed. Luumen ingests every published note and uses your captured SAP component data to filter the list down to the ones that actually affect your fleet.

## How it works

<Steps>
  <Step title="Luumen ingests notes from SAP">
    Notes are pulled in continuously as SAP publishes them. Each note carries its identifier, CVSS score, description, affected products, and recommended fix.
  </Step>

  <Step title="AI summarizes the note">
    Luumen generates a human-readable summary, classifies severity and impact, and extracts the SAP components and versions the note affects.
  </Step>

  <Step title="Luumen matches notes to hosts">
    Each note is compared against the `SAP Components` property reported for each host. Hosts that have an affected component (at an affected version) are flagged as exposed.
  </Step>

  <Step title="Irrelevant notes are auto-resolved">
    Notes with no matching hosts in your fleet are marked **Resolved** automatically — they don't clutter the active list.
  </Step>

  <Step title="Unverifiable notes are flagged for manual review">
    Some notes can't be matched programmatically (e.g., they reference configuration that isn't visible from outside the SAP system). These are surfaced separately so a human can decide.
  </Step>
</Steps>

The net result: your team sees a focused list of notes that match your real exposure, not the full SAP feed.

## Where to find them in the UI

Open **System Alerts → SAP Security Notes** to see the current list. There are two tabs at the top:

* **Unresolved** — notes that match at least one host in your fleet and need attention.
* **Resolved** — notes auto-resolved because no hosts match, plus any you've manually resolved.

Columns include:

| Column        | Description                                                             |
| ------------- | ----------------------------------------------------------------------- |
| **CVSS**      | Severity score and label (Critical, High, Medium, Low).                 |
| **Name**      | SAP note ID, CVE identifier when present, and a short title.            |
| **Days Open** | Days since the note was published or first detected as relevant to you. |
| **Hosts**     | Count of hosts in your fleet affected by this note.                     |

Click any row to see the full note: the AI summary, affected components and versions, the list of affected hosts in your environment, and the recommended remediation.

## Triage flow

When a new note appears as **Unresolved**:

1. Open the note and read the AI summary to understand the impact.
2. Click into the **Affected hosts** list to see which hosts in your fleet are exposed.
3. Decide on a remediation path — typically applying the SAP-recommended fix (often itself an SAP Note / transport) on each affected host.
4. Once the fix is applied and the agent has run again, the host's component versions should no longer match the note. The note then moves to **Resolved** automatically.

## Why a note might be missing

If you expect a specific note to appear and don't see it, the most common cause is missing component data:

* The matching engine uses the `SAP Components` property. If a host has no value for that property, no security note can match against it.
* See [SAP security notes troubleshooting](/enterprise/troubleshooting/common-issues#i-do-not-see-any-unresolved-sap-security-notes-but-expect-to) for the diagnostic flow.

If components are reported but you still don't see a specific note, check whether the note is filed under a product or version that isn't actually present on your hosts. The AI mapping is conservative — it won't match a note to a host unless the component and version overlap meaningfully.
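The matching, auto-resolution, and missing-data behavior described on this page, as an added example (not Luumen's code). It assumes component data is a mapping of component name to dotted numeric version, that affected ranges are inclusive, and that a note with no extracted components goes to manual review; all function names, hostnames, and note IDs are hypothetical.

```python
# Added illustration: data shapes are assumptions, not Luumen's schema or code.

def parse_version(v):
    """'7.54' -> (7, 54) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def host_matches(components, affected):
    """True if any installed component's version falls in an affected range."""
    for comp, ranges in affected.items():
        installed = components.get(comp)
        if installed is None:
            continue  # component not installed on this host
        v = parse_version(installed)
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            return True
    return False

def triage(notes, hosts):
    """Return ({note_id: (status, exposed_hosts)}, hosts_without_component_data)."""
    # Hosts with no component data can never match, so report them explicitly.
    blind = sorted(h for h, comps in hosts.items() if not comps)
    results = {}
    for note_id, affected in notes.items():
        if not affected:  # nothing machine-checkable was extracted from the note
            results[note_id] = ("manual_review", [])
            continue
        exposed = sorted(h for h, comps in hosts.items()
                         if comps and host_matches(comps, affected))
        results[note_id] = ("unresolved", exposed) if exposed else ("resolved", [])
    return results, blind

# Constructed sample data (placeholder note IDs, hypothetical hostnames).
HOSTS = {
    "erp-prd-01": {"SAP_BASIS": "7.54", "SAP_UI": "7.54"},
    "erp-qa-01": {"SAP_BASIS": "7.58"},
    "bw-prd-01": None,  # no SAP Components value reported
}
NOTES = {
    "NOTE-A": {"SAP_BASIS": [("7.50", "7.56")]},  # matches erp-prd-01 only
    "NOTE-B": {"SAP_GWFND": [("7.50", "7.58")]},  # component absent everywhere
    "NOTE-C": {},                                 # no extractable components
}

if __name__ == "__main__":
    results, blind = triage(NOTES, HOSTS)
    for note_id, (status, exposed) in results.items():
        print(note_id, status, exposed)
    print("hosts never evaluated (no component data):", blind)
```

A `resolved` result here is only as trustworthy as the component coverage: any host in the second return value was never evaluated against the note.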

## A note about auto-resolution

Auto-resolving notes with no matching hosts is a deliberate design choice. SAP publishes hundreds of notes per month, the majority of which don't apply to any given customer. Without filtering, the active list becomes unusable and security teams stop reading it. Auto-resolution keeps the signal-to-noise ratio high.

If you want to audit what was auto-resolved (e.g., during a compliance review), the **Resolved** tab includes every auto-resolved note alongside the matching attempt that ruled it out.
