View attack events (Preview)
Note
This feature is part of the Contrast pre-release customer testing program and not available to all customers. If you want access to it, contact your Contrast representative.
An attack event occurs when there is a violation of Protect rules or other suspicious application activity in instrumented applications.
Before you begin
Ensure that role-based access control is turned on.
Role-based access control is a preview feature and not available to all customers. Contact your Contrast representative to have role-based access control turned on.
You need a role with the View Attack Data action.
Steps
Select Attack events in the header.
Set the main view by selecting an option in Group by:
Group by Source IP is the default selection.
If you want to view groups of attack events, select a group type (currently the only option is Source IP).
For example, if a source IP address of 111.111.111.111 has multiple attack events, grouping by Source IP displays an aggregated view for all the events.
If you want to view all individual attack events, clear the group selection by moving your cursor to the Group by box and selecting the Delete icon.
Depending on whether you are using a grouped view or an individual view, the Attack Events list displays these details:
Source IP:
Grouped view: The IP address where multiple attack events originated.
To see this detail for each attack event, select the group row.
Individual view: The IP address from which an attack event originated.
Severity (grouped views only): A severity bar that shows the number of severity types for the attack events in the group.
Rules:
Grouped view: The number of Contrast rules that the attack value violated.
To see the name of the rule for each attack event, select the group row.
Individual view: The name of the Contrast rule that the attack value violated.
Applications:
Grouped view: The number of applications where Contrast detected the attack event.
To see the name of the application for each attack event, select the group row.
Individual view: The name of the application where Contrast detected the attack event.
Servers:
Grouped view: The number of servers where Contrast detected the attack event.
To see the name of the server for each attack event, select the group row.
Individual view: The name of the server where Contrast detected the attack event.
Detected:
Grouped view: The time frame when Contrast detected the attack events in the group.
To see the detected time for each attack event, select the group row.
Individual view: The time when Contrast detected the attack event.
Result:
Grouped view: A result bar that shows the number of result types for the attack events in the group.
To see the result for each attack event, select the group row.
Individual view: The result for the attack event.
Result: Action that the Contrast agent takes for the attack event.
The possible results are, in order of severity:
Exploited: Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.
Suspicious:
Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.
Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.
Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.
Blocked:
Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.
Contrast detected an attack using sink-only heuristics. The mode is set to Block.
Probed:
Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.
These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.
URL: The path the attacker used for the attack event.
Attack value: The value the attacker sent, which the Contrast agent detected on its way to a sink.
Actions: The actions you can take for the attack event.
To refine the view, open the filter panel by selecting Open filters.
Use any of these filters:
Date range: Select a date range or select Custom to specify a preferred date range.
The default date range is 12 hours.
Severity: Select one or more vulnerability severity levels.
Results: Select one or more result types for an attack event.
Rules: Select one or more of the Protect rules associated with the attack event.
Application: Select one or more of the available applications.
Environments: Select one or more server environments.
Source IP: Select one or more source IP addresses associated with the attack event.
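As an added illustration of the result definitions and the grouped-view counts described above (example code written for this page, not Contrast's own implementation), the following maps an event to its result type and aggregates events per source IP. The event fields, the sample values, and the handling of a high-confidence perimeter-only rule in Block mode (which the page does not define) are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AttackEvent:
    # Field set is an assumption for this example, not Contrast's data model.
    source_ip: str
    rule: str
    application: str
    server: str
    detected: int                 # Unix timestamp (constructed)
    mode: str                     # Protect rule mode: "Monitor" or "Block"
    perimeter: bool               # detected at the perimeter (input)
    sink: bool                    # confirmed at the sink
    sink_only: bool = False       # detected by sink-only heuristics
    perimeter_only: bool = False  # rule is a perimeter-only rule
    high_confidence: bool = True

def classify_result(ev: AttackEvent) -> str:
    """Map an event to the page's result types: Exploited, Suspicious, Blocked, Probed."""
    if ev.sink_only:
        return "Blocked" if ev.mode == "Block" else "Suspicious"
    if ev.perimeter_only:
        # Page: Monitor (any confidence) or Block with low confidence -> Suspicious.
        # Block with high confidence is not listed on the page; assumed Blocked.
        return "Blocked" if ev.mode == "Block" and ev.high_confidence else "Suspicious"
    if ev.perimeter and ev.sink:
        return "Blocked" if ev.mode == "Block" else "Exploited"
    if ev.perimeter:
        return "Probed"  # perimeter hit never confirmed at the sink
    raise ValueError("event matches no result definition on this page")

def group_by_source_ip(events):
    """Aggregate per source IP the counts and time frame the grouped view shows."""
    groups = {}
    for ev in events:
        g = groups.setdefault(ev.source_ip, {"rules": set(), "applications": set(),
            "servers": set(), "results": Counter(), "first": ev.detected, "last": ev.detected})
        for key, value in (("rules", ev.rule), ("applications", ev.application), ("servers", ev.server)):
            g[key].add(value)
        g["results"][classify_result(ev)] += 1
        g["first"], g["last"] = min(g["first"], ev.detected), max(g["last"], ev.detected)
    return groups

# Constructed sample events (IPs, rule and host names are made up for this example).
SAMPLE = [
    AttackEvent("111.111.111.111", "sql-injection", "shop", "web-1", 1000, "Block", True, False),
    AttackEvent("111.111.111.111", "sql-injection", "shop", "web-1", 1060, "Block", True, True),
    AttackEvent("111.111.111.111", "path-traversal", "api", "web-2", 1120, "Monitor", True, True),
]
```

For the three sample events, the grouped row for 111.111.111.111 shows 2 rules, 2 applications, 2 servers, a result bar of one Probed, one Blocked and one Exploited, and a detected time frame from 1000 to 1120.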