
View incidents (Northstar)

Incidents represent major security issues that you need to investigate. Contrast creates incidents automatically when it observes at least one exploited or suspicious attack event and the score (based on CVSS v4) exceeds seven.

Steps

  1. To view a list of incidents, from the left navigation, select Incidents.

    The list displays these details for each incident:

    • Severity: The severity Contrast assigned to the incident.

    • Contrast score: The Contrast score represents the risk of an issue or incident at a particular point in time. Contrast determines this score by using information from the Contrast SAST, IAST, SCA, ADR, and Observability technologies.

      Contrast uses the Common Vulnerability Scoring System Version 4 (CVSS 4) standard as the primary framework for calculating the score.

    • Incident: The type of incident, for example, SQL Injection.

    • Incident ID: An identifier that Contrast assigns to the incident. It has this format:

      INC-<year>-<numberOfIncidents>

      For example, INC-2025-33 represents an incident that occurred in the year 2025 and was the 33rd incident that Contrast reported.

    • Status: The status of the incident: Open or Closed.

    • Associated applications: The applications affected by the incident.

    • Assigned to: The person assigned to investigate the incident.

    • Time created: The time when Contrast created the incident.

    • Last updated: The last time Contrast updated the incident with new issues or observations.

  2. To view details about an incident, select it. The Overview tab shows these details:

    • General information:

      • Incident ID: The identifier that Contrast assigns to the incident.

      • Source IP: The IP address from which an attack event originated.

      • Severity: The severity that Contrast assigned to the incident.

      • Status: The status of the incident: Open or Closed.

      • Created: The date when Contrast created the incident.

      • Assigned to: The person assigned to investigate and remediate the incident.

      • Rule: The rule that triggered the incident.

      • MITRE: A link to the MITRE ATT&CK tactic associated with the issue.

        The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques derived from real-world observations.

        A single attack event can map to multiple tactics. In a multi-stage attack, an observed event might represent a single action within a larger attack chain, or it might indicate the threat vector used to gain entry.

        Combining event data with context from other security tools, such as Web Application Firewalls (WAFs) or Endpoint Detection and Response (EDR) solutions, allows for more precise identification of tactics. This refinement helps you to understand the full scope of an attack.

        Mapping events to ATT&CK tactics is crucial for risk assessment. It enables you to identify high-risk areas and prioritize the development of new detections. This process leads to expanded security coverage.

        For more information, visit MITRE ATT&CK.

    • Summary:

      • Contrast score: The score that Contrast assigned to the incident.

      • What happened: A description of the observation that triggered the creation of the incident.

    • Containment actions:

      • View runbook: A runbook provides a step-by-step guide for security teams to effectively triage and respond to specific security events and incidents.

      • Escalate: Sends an email to a team member who needs to respond to the incident.

      • Block IP: Lets you add the IP address associated with the incident to a denylist. Before you block an address, confirm that it is the real client address and not a shared proxy, load balancer, or NAT address; blocking a shared address denies all traffic that arrives through it.

    • Incident trace:

      Incident trace provides a graphical model of behavior, connections to other components, and attack data that Contrast detects and reports for an incident. It shows the application's entry points (such as routes, message queues, and web requests) and the resources those entry points reach (such as databases and API calls). If an incident affects a specific entity, the model displays an incident indicator.

      The image shows the incident indicator for a resource in the incident trace model.

      To view details about each entry point, hover over it.

      Note

      Incident trace supports the Java 6.20.1 agent only. You must turn on Observe mode in the agent configuration file.

      Incident trace displays these entities:

      • Application: The application that the incident affects. Example: my-petclinic

      • Resource: Identifies an application's entry points, such as routes used, message queues, web requests, and so forth. Example: GET /customer-info

      • Actions: Security-relevant behavior that Contrast observes in the application entry points. Examples include one or more of these behaviors:

        • Database connections, including the instance name of the database

        • Database calls

        • File system access, including the name of the file or directory accessed

        • Outbound service or API calls

        • Authentication and authorization detection

        • System commands

        • Potentially dangerous functions

        • Custom security controls applied to a service or API route

      Depending on the entity you view, the incident trace shows some or all of these details (not all entities show the same details):

      • Applications:

        • URL: The URL for the application

      • Resources:

        • Attack value: The attack payload that Contrast observed

        • Environment: The environment where an action occurs: Development, QA, or Production

        • Type: The response type that a resource uses. For example: application/json or text/html

      • Actions:

        • Sink information (if applicable):

          • Attack result indicating the action that Contrast took (for example, Blocked or Exploited)

          • Name of the Contrast policy applied to the attack

          • Attack value

        • Request value: The contents of the request that Contrast observed.

    • Associated assets: The applications, servers, and environments where the incident occurred.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

      The environments are Development, QA, and Production.

    • Associated issues: All the issues related to the incident.

    • Attack value: The suspicious value that Contrast observed going to a sink.

    • Vector analysis: The different pathways or methods that Contrast observed where a malicious attacker could gain access to your system.

    • Request details: Additional details about the request associated with the incident.

    • Code location: Details about the location in your code where Contrast detected the attack event. These details include:

      • File: The file associated with the attack event.

      • Method: The method associated with the attack event.

      • Stack: The code stack associated with the attack event.

  3. To view the activity log for incidents, select the Activity tab.

    1. To view all the activity from Contrast and activities related to task assignments, select the All tab.

      Use the Recent filter to change the order from most recent to oldest.

    2. To view comments, select the Comments tab.

    3. To add a comment, enter the comment in the Add comments box and select the arrow icon.

Refine the view

To refine the view, open the filter panel by selecting the Filter icon at the top right of the list, then select one or more filters.

The filters are:

  • Severity: The severity of an incident

  • Status: The status of the incident

  • Assigned users: Name of users assigned to an incident

  • Environments: The environment where Contrast found the incident: Development, QA, and Production.
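The rules this page describes (an incident is created when at least one exploited or suspicious attack event is observed and the Contrast score exceeds seven; IDs have the form INC-<year>-<n>; the list can be filtered by severity, status, assigned users, and environment and ordered by last update) are small enough to encode in a triage script, which is useful when you export incidents for reporting or want to reproduce the view's ordering outside the UI. The following is an added example and not Contrast's code; it never calls the Contrast API. The record shape (field names), the environment-filter semantics (match on any overlap), and attack-result names other than Exploited, Suspicious, and Blocked are assumptions made for illustration, and the sample records are constructed.

```python
"""Triage helpers that encode the incident rules described on this page.

Added example, not Contrast's code. Field names, the environment-filter
semantics, and the result name "Probed" are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Creation rule from the page: at least one exploited or suspicious attack
# event, and a Contrast score (CVSS v4 based) that exceeds seven.
SCORE_THRESHOLD = 7.0
QUALIFYING_RESULTS = {"Exploited", "Suspicious"}

# Incident ID format from the page: INC-<year>-<sequence number>.
INCIDENT_ID_RE = re.compile(r"INC-(?P<year>\d{4})-(?P<seq>[1-9]\d*)")


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str
    score: float
    status: str                      # "Open" or "Closed"
    assigned_to: str | None
    environments: frozenset[str]     # subset of {"Development", "QA", "Production"}
    attack_results: tuple[str, ...]  # one attack result per observed event
    last_updated: datetime


def parse_incident_id(incident_id: str) -> tuple[int, int]:
    """Split INC-<year>-<n> into (year, n); raise ValueError for anything else."""
    m = INCIDENT_ID_RE.fullmatch(incident_id)
    if m is None:
        raise ValueError(f"not an incident ID: {incident_id!r}")
    return int(m["year"]), int(m["seq"])


def meets_creation_rule(score: float, attack_results: tuple[str, ...]) -> bool:
    """True when the page's rule would open an incident for these events.

    A score of exactly 7 does not qualify ("exceeds seven"), and events that
    were only Blocked or Probed (assumed name) never qualify, whatever the score.
    """
    return score > SCORE_THRESHOLD and any(r in QUALIFYING_RESULTS for r in attack_results)


def filter_incidents(
    incidents: list[Incident],
    *,
    severity: set[str] | None = None,
    status: str | None = None,
    assigned_users: set[str] | None = None,
    environments: set[str] | None = None,
    most_recent_first: bool = True,
) -> list[Incident]:
    """Apply the filters the Incidents view offers, then order by Last updated.

    A filter left as None is not applied, like an unchecked filter in the panel.
    """
    def keep(inc: Incident) -> bool:
        if severity is not None and inc.severity not in severity:
            return False
        if status is not None and inc.status != status:
            return False
        if assigned_users is not None and inc.assigned_to not in assigned_users:
            return False
        # Assumed semantics: an incident seen in several environments is
        # listed when any one of them is selected.
        if environments is not None and not (inc.environments & environments):
            return False
        return True

    return sorted(
        (inc for inc in incidents if keep(inc)),
        key=lambda inc: inc.last_updated,
        reverse=most_recent_first,
    )


# Constructed sample records; these are not real incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-2025-33", "Critical", 9.1, "Open", "alice",
             frozenset({"Production"}), ("Exploited",), datetime(2025, 3, 4, 10, 0)),
    Incident("INC-2025-34", "High", 7.4, "Open", None,
             frozenset({"QA"}), ("Blocked", "Suspicious"), datetime(2025, 3, 5, 9, 30)),
    Incident("INC-2025-12", "High", 8.0, "Closed", "bob",
             frozenset({"Development", "QA"}), ("Exploited",), datetime(2025, 1, 20, 8, 15)),
]


if __name__ == "__main__":
    # Reproduce the default view: open incidents, most recently updated first.
    for inc in filter_incidents(SAMPLE_INCIDENTS, status="Open"):
        year, seq = parse_incident_id(inc.incident_id)
        print(f"{inc.incident_id}: incident #{seq} of {year}, score {inc.score}, "
              f"qualifies={meets_creation_rule(inc.score, inc.attack_results)}")
```

Two edge cases are worth keeping in mind when you adapt this: a score of exactly 7 does not open an incident, and a flood of Blocked events, however high the score, does not either, so a filter on attack result is needed alongside the score when you hunt for activity that never became an incident.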

See also

Assign tasks for incidents

Close incidents