
View attack events (hosted customers only)

Note

This feature is for hosted customers.

If you are an on-premises customer, visit View attacks.

An attack event occurs when there is a violation of Protect rules or other suspicious application activity in instrumented applications.

Steps

  1. Select Attack events in the header.

  2. Set the main view by selecting an option in Group by:

    • If you want to view groups of attack events, select a group type (currently the only option is Source IP).

      For example, if a source IP address of 111.111.111.111 has multiple attack events, grouping by Source IP displays an aggregated view for all the events.

    • Group by Source IP is the default selection.

    • If you want to view all individual attack events, clear the group by selection by moving your cursor to the Group by box and selecting the Delete icon.

  3. To view individual attack events in a group, select the group row.

  4. To refine the view, open the filter panel by selecting Open filters.

    Use any of these filters:

    • Date range: Select a date range or select Custom to specify a preferred date range.

      The default date range is 12 hours.

    • Severity: Select one or more vulnerability severity levels.

    • Results: Select one or more result types for an attack event.

    • Rules: Select one or more of the Protect rules associated with the attack event.

    • Application: Select one or more of the available applications.

    • Environments: Select one or more server environments.

    • Source IP: Select one or more source IP addresses associated with the attack event.

  5. To view details about a specific attack event, select an individual attack event (not a group), which opens the Attack details view. This view includes:

    • Overview: An overview of the attack event details, including recommended steps.

    • Code location: Where available, details about the location in your code where Contrast detected the attack event. If no information is available, this tab is not displayed.

    Image shows an attack event details panel.

Attack event views

Depending on whether you are using a grouped view or an individual view, the Attack Events list displays these details:

Source IP

  • Grouped view: The IP address where multiple attack events originated.

    To see this detail for each attack event, select the group row or clear the Group by selection.

  • Individual view: The IP address from which an attack event originated.

Severity

  • Grouped view: A severity bar that shows the number of severity types for the attack events in the group.

  • Individual view: Not shown.

Rules

  • Grouped view: The number of Contrast rules that the attack value violated.

    To see the name of the rule for each attack event, select the group row or clear the Group by selection.

  • Individual view: The name of the Contrast rule that the attack value violated.

Applications

  • Grouped view: The number of applications where Contrast detected the attack event.

    To see the names of the applications, select the group row or clear the Group by selection.

  • Individual view: The name of the Contrast rule that the attack value violated.

Servers

  • Grouped view: The number of servers where Contrast detected the attack event.

    To see the name of the server for each attack event, select the group row or clear the Group by selection.

  • Individual view: The name of the server where Contrast detected the attack event.

Detected

  • Grouped view: The time frame when Contrast detected the attack events in the group.

    To see the detected time for each attack event, select the group row or clear the Group by selection.

  • Individual view: The time when Contrast detected the attack event.

Result

  • Grouped view: A result bar that shows the number of result types for the attack events in the group.

    To see the result for each attack event, select the group row or clear the Group by selection.

  • Individual view: The result for the attack event.

    The possible results are, in order of severity:

    • Exploited: Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

    • Suspicious:

      • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

      • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

      • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

    • Blocked:

      • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

      • Contrast detected an attack using sink-only heuristics. The mode is set to Block.

    • Probed:

      • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

      • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

URL

  • Grouped view: Not shown.

    To view the URL for each attack event, select the group row or clear the Group by selection.

  • Individual view: The path the attacker used for the attack event.

Attack value

  • Grouped view: Not shown.

    To view the attack value for each attack event, select the group row or clear the Group by selection.

  • Individual view: The value that the attacker sent that the Contrast agent detected was going to a sink.

Actions

  • Grouped view: Not shown.

    To view actions for each attack value, select the group row or clear the Group by selection.

  • Individual view: The possible actions you can take for the attack event:

    • Configure a Protect rule.

    • Create an exclusion.

    • Add the IP address to a denylist.

    • Create a virtual patch.
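
The grouped view and the result severity order described above can be reproduced offline to build a triage queue. This is an added example, not Contrast code or a Contrast export format; the event field names, rule labels and sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Result types in the page's order of severity, most severe first.
RESULT_ORDER = ["Exploited", "Suspicious", "Blocked", "Probed"]

# Constructed sample events. Field names are assumptions, not a Contrast export format.
EVENTS = [
    {"source_ip": "111.111.111.111", "rule": "sql-injection", "app": "shop", "server": "web-1", "detected": "2024-05-01T10:00:00", "result": "Probed"},
    {"source_ip": "111.111.111.111", "rule": "sql-injection", "app": "shop", "server": "web-2", "detected": "2024-05-01T10:05:00", "result": "Blocked"},
    {"source_ip": "111.111.111.111", "rule": "path-traversal", "app": "billing", "server": "web-1", "detected": "2024-05-01T10:20:00", "result": "Probed"},
    {"source_ip": "203.0.113.7", "rule": "sql-injection", "app": "shop", "server": "web-1", "detected": "2024-05-01T09:30:00", "result": "Exploited"},
    {"source_ip": "198.51.100.9", "rule": "path-traversal", "app": "shop", "server": "web-1", "detected": "2024-05-01T11:00:00", "result": "Probed"},
]

def group_by_source_ip(events):
    """Aggregate events per source IP into the columns of the grouped view."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev["source_ip"]].append(ev)
    groups = []
    for ip, evs in buckets.items():
        times = sorted(datetime.fromisoformat(e["detected"]) for e in evs)
        results = Counter(e["result"] for e in evs)
        groups.append({
            "source_ip": ip,
            "events": len(evs),
            "rules": len({e["rule"] for e in evs}),
            "applications": len({e["app"] for e in evs}),
            "servers": len({e["server"] for e in evs}),
            "detected": (times[0], times[-1]),  # time frame of the group
            "results": dict(results),           # counts behind the result bar
            "worst_result": min(results, key=RESULT_ORDER.index),
        })
    # Most severe result first, then the source with the most events.
    groups.sort(key=lambda g: (RESULT_ORDER.index(g["worst_result"]), -g["events"]))
    return groups

def triage_queue(events):
    """Return (source IP, most severe result, event count) in review order."""
    return [(g["source_ip"], g["worst_result"], g["events"]) for g in group_by_source_ip(events)]

if __name__ == "__main__":
    for row in triage_queue(EVENTS):
        print(row)
```

A source whose events are all Probed sorts last, while a single Exploited event moves its source IP to the top regardless of volume.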

See also

Manage attack events (hosted customers)