Skip to main content

View incidents (Northstar)

Incidents represent major security issues that you need to investigate. Contrast creates incidents automatically when observes at least one exploited or suspicious attack event and the score (based on CVSS v4) exceeds seven.

Steps

  1. To view a list of incidents, from the left navigation, select Incidents.

    The list displays these details for each incident:

    • Severity: The severity Contrast assigned to the incident.

    • Contrast score: The Contrast score represents the risk of an issue or incident at a particular point in time.  Contrast determines this score by using information from the Contrast SAST, IAST, SCA, ADR, and Observability technologies.

      Contrast uses the Common Vulnerability Scoring System Version Version 4 (CVSS 4) standard as the primary framework for calculating the score.

    • Incident: The type of incident, for example, SQL Injection.

    • Incident ID: An identifier that Contrast assigns to the incident. It has this format:

      INC-<year>-<numberOfIncidents>

      For example, INC-2025-33 represents an incident that occurred in the year 2025 and was the 33rd incident that Contrast reported.

    • Status: The status of the incident: Open or Closed.

    • Associated applications: The applications affected by the incident.

    • Assigned to: The person assigned to investigate the incident.

    • Time created: The time when Contrast created the incident.

    • Last updated: The last time for ?

  2. To view details about an incident, select it. The Overview tab shows these details:

    • General information:

      • Incident ID: The identifier that Contrast assigns to the incident.

      • Source IP: The IP address from which an attack event originated.

      • Severity: The severity that Contrast assigned to the incident.

      • Status: The status of the incident: Open or Closed.

      • Created: The date when Contrast created the incident.

      • Assigned to: The person assigned to investigate and remediate the incident.

      • Rule: The rule that triggered the incident.

      • MITRE: A link to the MITRE ATT&CK tactic associated with the issue.

        The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques derived from real-world observations.

        A single attack event can map to multiple tactics. In the case where multi-stage attacks events occur, an observed event might represent a single action within a larger attack chain. Alternatively, it could indicate a threat vector.

        Combining event data with context from other security tools, such as Web Application Firewalls (WAFs) or Endpoint Detection and Response (EDR) solutions, allows for more precise identification of tactics. This refinement helps you to understand the full scope of an attack.

        Mapping events to ATT&CK tactics is crucial for risk assessment. It enables you to identify high-risk areas and prioritize the development of new detections. This process leads to expanded security coverage.

        For more information, visit MITRE ATT&CK.

    • Summary:

      • Contrast score: The score that Contrast assigned to the incident.

      • What happened: A description of the observation that triggered the creation of the incident.

    • Associated assets: The applications, servers, and environments where the incident occurred.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

      The environments are Development, QA, and Production.

    • Associated issues: All the issues related to the incident.

    • Attack value: The suspicious value that Contrast observed going to a sink.

    • Vector analysis: The different pathways or methods that Contrast observed where a malicious attacker could gain access to your system.

    • Code location: Details about the location in your code where Contrast detected the attack event. These details include:

      • File: The file associated with the attack event.

      • Method: The method associated with the attack event.

      • Stack: The code stack associated with the attack event.

  3. To view the activity log for incidents, select the Activity tab.

    1. To view all the activity from Contrast and activities related to task assignments, select the All tab.

      Use the Recent filter to change the order from most recent to oldest.

    2. To view comments, select the Comments tab

    3. To add a comment, enter the comment in the Add comments box and select the arrow icon.

Refine the view

To refine the view, select the Filter icon (icon-filter.svg to open the filter panel and select one or more filters. The filters are:

  • Severity: The severity of an incident

  • Status: The status of the incident

  • Assigned users: Name of users assigned to an incident

See also

Assign tasks for incidents

Close incidents

In this section:

The Contrast score represents the risk of an issue or incident at a particular point in time.  Contrast determines this score by using information from the Contrast SAST, IAST, SCA, ADR, and Observability technologies.