
Manage attacks

Before you begin

Ensure that Protect is enabled on the servers that host your applications. The Contrast header displays Attacks only when Protect is enabled.

Steps

To take action on attacks and attack events, use the following procedures.

  1. View attacks or attack events.

    1. Select Attacks in the header.

    2. Select the Attacks tab or the Attack Events tab.

  2. (Optional) Tag attacks or attack events.

    Tagging attacks or attack events lets you organize them for better search results.

    1. Select one or more attacks or attack events.

    2. Select the tag icon above the list.

    3. In the Tag Attacks window, enter a name for one or more tags.

  3. Suppress attacks or events.

    Suppressing attacks removes an attack and its related events from view. To suppress an attack or an attack event, use the following procedure:

    1. On the Attacks or Attack Events list, select the check box for one or more rows and select the Suppress Attacks or Suppress Events icon.

      Alternatively, select the arrow at the end of a row and select the Suppress Attacks or Suppress Events option in the dropdown.

    2. Click Suppress.

  4. Block IP addresses

    This option blocks a specified IP address, which prevents future unwanted activity from that address.

    1. At the end of an attack or attack events row, select the dropdown.

    2. From the menu, select Denylist IP.

    3. Enter a name for the rule that blocks the specified IP address.

    4. Select a date when the block expires.

    5. Click Save.

  5. Add exclusions (attack events)

    Adding application exclusions lets you exclude certain applications, or parts of them, from security analysis.

    This option is available if you are using Java, .NET Framework, .NET Core, Python, Node.js, Go, or Ruby agents.

    1. In the Attack Events list, at the end of an attack events row, select the dropdown.

    2. Select Add Exclusion.

    3. Specify a name for the exclusion.

    4. Select the exclusion type and enter the details for that type.

    5. Select the rules for which the exclusion applies.

      To see a list of rules, click the Applicable rules box.

    6. (Optional) Select the checkbox to suppress all events that match the exclusion.

    7. Click Add.

  6. Create a virtual patch (attack events):

    Virtual patches are short-term, custom defense rules that defend against specific, newly discovered vulnerabilities in your code.

    1. In the Attack Events grid, at the end of an attack events row, select the arrow.

    2. Select Create Virtual Patch.

    3. In Add Virtual Patch, enter the details for the virtual patch.

    4. Click Save.

  7. Specify modes for Protect rules (attack events):

    Protect rules let you monitor or block specific kinds of cyber-attacks in application environments.

    1. In the Attack Events list, select an event.

      This action displays the details for the attack event.

    2. Select the settings icon next to the event name.

    3. As needed, change the modes for each rule by selecting Change Mode, the current mode, or a specific environment.

    4. Select the appropriate modes for each environment.

  8. Save attack data:

    Contrast keeps attack event data for thirty days before removing it. You have several options for saving your data:

    • Output the data to syslog.

    • Set up a generic webhook.

      A generic webhook can receive notifications on any URL that receives POST messages.

    • Export the data to a CSV or XML file.

      Select the arrow at the end of an attack row, then select Export attack (CSV) or Export Attack (XML).

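
One way to use the generic webhook option to keep attack notifications past the thirty-day window, as an added example that is not Contrast's own code: a small receiver that appends every POST body to a file. The file path, port, size cap and all function and class names are assumptions, and the body is stored verbatim because this page does not describe the notification format.

```python
"""Archive generic-webhook POST bodies so attack data outlives the 30-day window."""
import hashlib
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

ARCHIVE_PATH = "attack-events.jsonl"   # assumed location; put it on durable storage
MAX_BODY = 1_000_000                   # assumed cap; oversized requests are refused


def archive_event(body: bytes, path: str = ARCHIVE_PATH) -> dict:
    """Append one notification to the archive as a JSON line and return the record.

    No payload schema is assumed: the body is stored verbatim, with a receive
    time and a SHA-256 digest so a truncated or corrupted entry is detectable.
    """
    record = {
        "received_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(body).hexdigest(),
        "body": body.decode("utf-8", errors="replace"),
    }
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


class WebhookHandler(BaseHTTPRequestHandler):
    archive_path = ARCHIVE_PATH

    def do_POST(self):
        raw_len = self.headers.get("Content-Length", "")
        if not raw_len.isdigit():
            self.send_error(411)          # Length Required
            return
        length = int(raw_len)
        if length == 0 or length > MAX_BODY:
            self.send_error(413 if length else 400)
            return
        archive_event(self.rfile.read(length), self.archive_path)
        self.send_response(204)           # stored, nothing to return
        self.end_headers()

    def log_message(self, fmt, *args):    # keep stderr quiet; the archive is the record
        pass


if __name__ == "__main__":
    # Bind to loopback and publish through a TLS-terminating reverse proxy.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Only GET-free, POST-only handling is implemented, so any other method is rejected by the base class with 501.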