View incidents

Incidents represent major security issues that you need to investigate. Contrast creates incidents automatically when it observes at least one exploited or suspicious attack event and the score (based on CVSS v4) exceeds seven.

Before you begin

  • You need a role with the View incident action.

Steps

  1. To view a list of incidents, from the left navigation, select Incidents.

    The list displays these details for each incident:

    • Severity: The severity Contrast assigned to the incident:

    • Contrast score: The Contrast score represents the risk of an issue or incident at a particular point in time. Contrast determines this score by using information from the Contrast SAST, IAST, SCA, ADR, and Observability technologies.

      Contrast uses the Common Vulnerability Scoring System Version 4 (CVSS 4) standard as the primary framework for calculating the score.

    • Incident: The type of incident, for example, SQL Injection.

    • Incident ID: An identifier that Contrast assigns to the incident. It has this format:

      INC-<year>-<numberOfIncidents>

      For example, INC-2025-33 represents an incident that occurred in the year 2025 and was the 33rd incident that Contrast reported.

    • Status: The status of the incident: Open or Closed.

    • Associated applications: The applications affected by the incident.

    • Assigned to: The person assigned to investigate the incident.

    • Time created: The time when Contrast created the incident.

    • Last updated: The last time for ?

  2. To view details about an incident, select it. The Overview tab shows these details:

    • General information:

      • Incident ID: The identifier that Contrast assigns to the incident.

      • Source IP: The IP address from which an attack event originated.

      • External reference ID:

      • Severity: The severity that Contrast assigned to the incident.

      • Status: The status of the incident: Open or Closed.

      • Created: The date when Contrast created the incident.

      • Assigned to: The person assigned to investigate the incident.

      • Rule: The rule that triggered the incident.

      • MITRE: MITRE ATT&CK tactics that apply to the incident.

    • Summary:

      • Contrast score: The score that Contrast assigned to the incident.

      • Incident summary: The observation that triggered the creation of the incident.

    • Associated assets: The applications, servers, and environments where the incident occurred.

      The environments are Development, QA, and Production.

    • Associated issues: All the issues related to the incident.

    • Attack value: The suspicious value that Contrast observed going to a sink.

    • Vector analysis: The pathways or methods that Contrast observed by which an attacker could gain access to your system.

    • Code location: Details about the location in your code where Contrast detected the attack event. These details include:

      • File: The file associated with the attack event.

      • Method: The method associated with the attack event.

      • Stack: The code stack associated with the attack event.

  3. To view the activity log for incidents, select the Activity tab.

    1. To view all the activity from Contrast and activities related to task assignments, select the All tab.

      Use the Recent filter to change the order from most recent to oldest.

    2. To view comments, select the Comments tab.

    3. To add a comment, enter the comment in the Add comments box and select the arrow icon.

See also

Assign tasks for incidents