View attacks

Go to the Attacks tab in the Attacks page to view all attacks that have occurred in your organization. Contrast organizes the components of each attack into the following columns.

  • Source IP: The IP address from which the attack originates.

  • Status: The current status of the attack.

    An attack status is determined by the highest severity status of the attack events within the attack. If any event has an "Exploited" status, the attack status will be "Exploited." If there are no "Exploited" events, the status will be the next highest severity event's status. The severity order, starting with the highest, is: Exploited, Suspicious, Blocked (P), Blocked, Probed (P), Probed.

  • Application: Any applications that saw attack events from the IP address while the attack was active.

  • Server: Any server that saw attack events from the IP address while the attack was active.

  • Rule: Any attack type identified from the IP address while the attack was active.

  • Start: The timestamp of the first attack event seen from the IP address during the attack timeframe.

  • End: The timestamp of the last attack event seen from the IP address during the attack timeframe.

  • Events: The number of attack events that comprise the attack.
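The Status roll-up and the other columns above can be reproduced offline, for example to check exported event data against the grid. This is an added example, not Contrast code: the event field names and the sample events are constructed assumptions, and the events are assumed to be already grouped into one attack.

```python
from datetime import datetime

# Severity order as listed under Status, highest first.
SEVERITY_ORDER = ["Exploited", "Suspicious", "Blocked (P)", "Blocked", "Probed (P)", "Probed"]
RANK = {status: i for i, status in enumerate(SEVERITY_ORDER)}


def summarize_attack(events):
    """Collapse the events of one attack into the columns of the Attacks grid.

    `events` is a list of dicts with hypothetical keys:
    source_ip, status, application, server, rule, time (ISO 8601).
    """
    if not events:
        raise ValueError("an attack needs at least one event")
    ips = {e["source_ip"] for e in events}
    if len(ips) != 1:
        raise ValueError("events of one attack must share a source IP")
    unknown = {e["status"] for e in events} - set(RANK)
    if unknown:
        # Fail loudly instead of silently ranking an unrecognized status.
        raise ValueError(f"unknown event status: {sorted(unknown)}")
    times = [datetime.fromisoformat(e["time"]) for e in events]
    return {
        "Source IP": ips.pop(),
        # Lowest rank index = highest severity among the events.
        "Status": min((e["status"] for e in events), key=RANK.__getitem__),
        "Application": sorted({e["application"] for e in events}),
        "Server": sorted({e["server"] for e in events}),
        "Rule": sorted({e["rule"] for e in events}),
        "Start": min(times),
        "End": max(times),
        "Events": len(events),
    }


def _event(status, application, server, rule, time, source_ip="203.0.113.7"):
    # Constructed sample data; 203.0.113.7 is a documentation-range address.
    return {"source_ip": source_ip, "status": status, "application": application,
            "server": server, "rule": rule, "time": time}


SAMPLE_EVENTS = [
    _event("Probed", "shop", "web-1", "sql-injection", "2024-05-01T10:00:00"),
    _event("Blocked", "shop", "web-2", "path-traversal", "2024-05-01T10:05:00"),
    _event("Probed (P)", "billing", "web-1", "sql-injection", "2024-05-01T10:02:00"),
]

if __name__ == "__main__":
    for column, value in summarize_attack(SAMPLE_EVENTS).items():
        print(f"{column}: {value}")
```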

View attack details

Click on the Source IP to view more details on the attack. In the Overview tab, view each attack event in the grid. Click on each row to expand your view for more details. Under Attack Duration, click the See Timeline link to view the exact time sequence of each event. Use the dropdown menus and search field to find specific events.

In the Notes tab, view more details including the Rate of Events, Severity and Attacker.