@Billy and Julius, Thanks for your prompt replies.
Security Configuration Validation has a pre-requisite of a 'model' baseline system against which the configuration will be checked. In order to build this baseline, we need to assess how our systems are currently being used. I find EWA report as a very good source to begin with, but it appears challenging to aggregate the data from multiple reports.