
View attack events (Preview)

Note

This feature is part of the Contrast pre-release customer testing program and not available to all customers. If you want access to it, contact your Contrast representative.

An attack event occurs when there is a violation of Protect rules or other suspicious application activity in instrumented applications.

Before you begin

  • Ensure that role-based access control is turned on.

    Role-based access control is a preview feature and not available to all customers. Contact your Contrast representative to have role-based access control turned on.

  • You need a role with the View Attack Data action.

Steps

  1. Select Attack events in the header.

  2. Set the main view by selecting an option in Group by:

    • Group by Source IP is the default selection.

    • If you want to view groups of attack events, select a group type (currently the only option is Source IP).

      For example, if a source IP address of 111.111.111.111 has multiple attack events, grouping by Source IP displays an aggregated view for all the events.

    • If you want to view all individual attack events, clear the group selection by moving your cursor to the Group by box and selecting the Delete icon.

    Depending on whether you are using a grouped view or an individual view, the Attack Events list displays these details:

    • Source IP:

      • Grouped view: The IP address where multiple attack events originated.

        To see this detail for each attack event, select the group row.

      • Individual view: The IP address from which an attack event originated.

    • Severity (grouped views only): A severity bar that shows the number of severity types for the attack events in the group.

    • Rules:

      • Grouped view: The number of Contrast rules that the attack value violated.

        To see the name of the rule for each attack event, select the group row.

      • Individual view: The name of the Contrast rule that the attack value violated.

    • Applications:

      • Grouped view: The number of applications where Contrast detected the attack event.

        To see the name of the application for each attack event, select the group row.

      • Individual view: The name of the application where Contrast detected the attack event.

    • Servers:

      • Grouped view: The number of servers where Contrast detected the attack event.

        To see the name of the server for each attack event, select the group row.

      • Individual view: The name of the server where Contrast detected the attack event.

    • Detected:

      • Grouped view: The time frame when Contrast detected the attack events in the group.

        To see the detected time for each attack event, select the group row.

      • Individual view: The time when Contrast detected the attack event.

    • Result: Action that the Contrast agent takes for the attack event.

      • Grouped view: A result bar that shows the number of result types for the attack events in the group.

        To see the result for each attack event, select the group row.

      • Individual view: The result for the attack event.

      The possible results are, in order of severity:

        • Exploited: Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

        • Suspicious:

          • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

          • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

          • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

        • Blocked:

          • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

          • Contrast detected an attack using sink-only heuristics. The mode is set to Block.

        • Probed:

          • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

          • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

    • URL: The path the attacker used for the attack event.

    • Attack value: The value that the attacker sent that the Contrast agent detected was going to a sink.

    • Actions: The actions you can take for the attack event.

  3. To refine the view, open the filter panel by selecting Open filters.

    Use any of these filters:

    • Date range: Select a date range or select Custom to specify a preferred date range.

      The default date range is 12 hours.

    • Severity: Select one or more vulnerability severity levels.

    • Results: Select one or more result types for an attack event.

    • Rules: Select one or more of the Protect rules associated with the attack event.

    • Application: Select one or more of the available applications.

    • Environments: Select one or more server environments.

    • Source IP: Select one or more source IP addresses associated with the attack event.
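The following is an added example, not Contrast code and not the Contrast API: it models the result classification from step 2 (Exploited, Suspicious, Blocked, Probed, derived from where the event was detected, whether it was confirmed at the sink, the rule's mode and the detection confidence), builds the grouped Source IP view with the aggregated columns described above, and applies the step 3 filters to the individual view. The event field names, rule kinds, rule names, host names, timestamps and the 203.0.113.5 address are constructed for illustration; 111.111.111.111 is the page's own example. The one combination the page's result table does not define (a high-confidence hit on a perimeter-only rule in Block mode) is left unclassified rather than guessed.

```python
# Added example (not Contrast's code or API): a small model of how the Attack Events
# page classifies results and builds the grouped (Source IP) view from individual
# events. Field names, rule names, hosts and timestamps are constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AttackEvent:
    """One individual attack event with the attributes that drive the Result column."""
    source_ip: str
    rule: str
    rule_kind: str            # assumed: "perimeter_and_sink", "perimeter_only" or "sink_only"
    mode: str                 # "Monitor" or "Block"
    application: str
    server: str
    detected: datetime
    severity: str
    confirmed_at_sink: bool = False
    confidence: str = "high"  # "high" or "low"; only matters for perimeter-only rules


def classify_result(ev: AttackEvent) -> Optional[str]:
    """Map an event to Exploited / Suspicious / Blocked / Probed per the page's table.

    Returns None for the one combination the page does not define
    (high-confidence hit on a perimeter-only rule in Block mode).
    """
    if ev.rule_kind == "perimeter_and_sink":
        if ev.confirmed_at_sink:
            return "Exploited" if ev.mode == "Monitor" else "Blocked"
        return "Probed"  # perimeter hit never confirmed at the sink, in either mode
    if ev.rule_kind == "sink_only":
        return "Blocked" if ev.mode == "Block" else "Suspicious"
    if ev.rule_kind == "perimeter_only":
        if ev.mode == "Monitor" or ev.confidence == "low":
            return "Suspicious"
        return None
    raise ValueError(f"unknown rule kind: {ev.rule_kind}")


def group_by_source_ip(events):
    """Build the grouped-view rows: one row per source IP with the aggregated columns."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev.source_ip].append(ev)
    rows = {}
    for ip, evs in buckets.items():
        rows[ip] = {
            "severity": Counter(e.severity for e in evs),        # severity bar
            "rules": len({e.rule for e in evs}),                 # rules violated
            "applications": len({e.application for e in evs}),
            "servers": len({e.server for e in evs}),
            "detected": (min(e.detected for e in evs), max(e.detected for e in evs)),
            "result": Counter(classify_result(e) for e in evs),  # result bar
        }
    return rows


def filter_events(events, now, hours=12, severities=None, results=None,
                  rules=None, applications=None, source_ips=None):
    """Apply the filter panel's criteria; the date range defaults to the last 12 hours."""
    since = now - timedelta(hours=hours)
    return [
        e for e in events
        if e.detected >= since
        and (severities is None or e.severity in severities)
        and (results is None or classify_result(e) in results)
        and (rules is None or e.rule in rules)
        and (applications is None or e.application in applications)
        and (source_ips is None or e.source_ip in source_ips)
    ]


# Constructed sample events (rule names, hosts and timestamps are illustrative only).
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_EVENTS = [
    AttackEvent("111.111.111.111", "sql-injection", "perimeter_and_sink", "Monitor",
                "storefront", "web-01", T0, "Critical", confirmed_at_sink=True),
    AttackEvent("111.111.111.111", "sql-injection", "perimeter_and_sink", "Block",
                "storefront", "web-02", T0 + timedelta(minutes=5), "Critical"),
    AttackEvent("111.111.111.111", "path-traversal", "perimeter_and_sink", "Block",
                "api", "web-01", T0 + timedelta(minutes=30), "High", confirmed_at_sink=True),
    AttackEvent("203.0.113.5", "untrusted-deserialization", "sink_only", "Monitor",
                "api", "web-02", T0 + timedelta(hours=1), "High"),
    AttackEvent("203.0.113.5", "cmd-injection", "perimeter_only", "Block",
                "api", "web-02", T0 + timedelta(hours=1, minutes=10), "Medium",
                confidence="low"),
]


if __name__ == "__main__":
    for ip, row in group_by_source_ip(SAMPLE_EVENTS).items():
        print(ip, row)
    # Individual view, filtered to Blocked and Probed results only:
    for e in filter_events(SAMPLE_EVENTS, now=T0 + timedelta(hours=2),
                           results={"Blocked", "Probed"}):
        print(e.source_ip, e.rule, classify_result(e))
```

Run as a script to print the two grouped rows and the filtered individual view. The classifier is the piece worth keeping if you export attack events for your own triage: the result names the agent's action, so counting Exploited and Blocked separately from Probed tells you how much of a source IP's activity actually reached a sink versus scanning that the rules never confirmed.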

See also

Manage attack events