View attacks

  1. Select Attacks in the header, then Attacks to view all attacks that have occurred in your organization. Contrast organizes the attacks by:

    • Source IP: The IP address from which the attack is originating.

    • Status: The current status of the attack.

      An attack status is determined by the highest severity status of the attack events within the attack. If any event has an "Exploited" status, the attack status will be "Exploited." If there are no "Exploited" events, the status will be the next highest severity event's status. The severity order, starting with the highest, is: Exploited, Suspicious, Blocked (P), Blocked, Probed (P), Probed.

    • Application: Any applications that saw attack events from the IP address while the attack was active.

    • Server: Any server that saw attack events from the IP address while the attack was active.

    • Rule: Any attack type identified from the IP address while the attack was active.

    • Start: The timestamp of the first attack event seen from the IP address during the attack timeframe.

    • End: The timestamp of the last attack event seen from the IP address during the attack timeframe.

    • Events: The number of attack events that comprise the attack.

  2. Select the source name or IP address to view more details on the attack. Under Overview, you can see each attack event for the attack. Select Source IP to see more details about the attack event. Under Attack duration, select See timeline to view the time of each event.

  3. Select Notes to see more details, including the Rate of Events, Severity, and Attacker.
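
The roll-up described in step 1 (one attack per source IP, with its status taken from the highest-severity event) can be reproduced over your own event data for triage or reporting. The following is an added example, not Contrast code: the event field names and sample events are constructed, and it assumes all events from one IP fall within a single attack timeframe.

```python
from datetime import datetime

# Severity order as listed in step 1, highest first.
SEVERITY_ORDER = ["Exploited", "Suspicious", "Blocked (P)",
                  "Blocked", "Probed (P)", "Probed"]
RANK = {status: i for i, status in enumerate(SEVERITY_ORDER)}

# Constructed sample events; field names are hypothetical, not a Contrast schema.
SAMPLE_EVENTS = [
    {"source_ip": "203.0.113.7", "status": "Probed", "application": "storefront",
     "server": "web-01", "rule": "SQL Injection", "time": "2024-05-01T10:00:00"},
    {"source_ip": "203.0.113.7", "status": "Suspicious", "application": "storefront",
     "server": "web-02", "rule": "Path Traversal", "time": "2024-05-01T10:04:30"},
    {"source_ip": "203.0.113.7", "status": "Blocked (P)", "application": "billing",
     "server": "web-01", "rule": "SQL Injection", "time": "2024-05-01T10:02:10"},
    {"source_ip": "198.51.100.23", "status": "Probed (P)", "application": "billing",
     "server": "web-03", "rule": "Cross-Site Scripting", "time": "2024-05-01T11:15:00"},
    {"source_ip": "198.51.100.23", "status": "Blocked", "application": "billing",
     "server": "web-03", "rule": "Cross-Site Scripting", "time": "2024-05-01T11:15:45"},
]

def roll_up(events):
    """Group events by source IP and summarize each group as one attack."""
    attacks = {}
    for ev in events:
        if ev["status"] not in RANK:
            # Fail loudly rather than silently mis-rank an unknown status.
            raise ValueError(f"unknown event status: {ev['status']!r}")
        ts = datetime.fromisoformat(ev["time"])
        attack = attacks.setdefault(ev["source_ip"], {
            "status": ev["status"], "applications": set(), "servers": set(),
            "rules": set(), "start": ts, "end": ts, "events": 0})
        # A lower rank index means higher severity; keep the highest seen.
        if RANK[ev["status"]] < RANK[attack["status"]]:
            attack["status"] = ev["status"]
        attack["applications"].add(ev["application"])
        attack["servers"].add(ev["server"])
        attack["rules"].add(ev["rule"])
        attack["start"] = min(attack["start"], ts)  # first event seen
        attack["end"] = max(attack["end"], ts)      # last event seen
        attack["events"] += 1
    return attacks

if __name__ == "__main__":
    for ip, a in sorted(roll_up(SAMPLE_EVENTS).items()):
        print(ip, a["status"], a["events"], a["start"], a["end"], sorted(a["rules"]))
```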