Skip to main content

View observation details Northstar

The observation details panel shows additional details for a selected observation.

Before you begin

  • A role with the View application action is required.

Steps

  1. From the left navigation, select Observations.

  2. Select an observation row.

    This action opens an observation details panel.

  3. Select Overview or Evidence.

Observation overview details

You can view additional details for observability, vulnerabilities, and attack events.

Details for observability and attacks

The Overview tab in the details panel for observability shows this information for observability and attacks:

  • Source: Observability or attack event.

  • Source IP: The IP address where an event originated.

  • Rule: The name of the Contrast rule that the observed value violated.

  • Associated application: The name of the application associated with the observation.

    To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

  • Detected: The time when Contrast detected the attack event.

  • Result: The result for the attack event. The possible results are, in order of severity:

    • Exploited:

      • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

      • Maps to this severity: Critical or High

    • Suspicious:

      • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

      • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

      • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

      • Maps to this severity: Medium

    • Blocked:

      • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

      • Contrast detected an attack using sink-only heuristics. The mode is set to Block.

      • Maps to this severity: Informational

    • Probed:

      • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

      • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

      • Maps to this severity: Low

  • URL: The path the attacker used for the attack event.

  • Associated issue: A link to the issue associated with the observation.

    Selecting the link opens the Issues view.

  • CVE: The CVEs associated with the observation.

  • CWE: The CWEs associated with the observation.

  • Mitre: The MITRE ATT&CK tactics associated with the observation.

  • Data type: The source of the issue: attack or vulnerability.

  • Target: What Contrast analyzed: code or a library.

  • Sensor: How Contrast detected the issue. The current value is Contrast agent.

  • Technique: The analysis technique: static or runtime.

  • What happened: A description of what Contrast observed.

  • Associated assets: The name of the server and the environment associated with the affected application.

Details for vulnerabilities

The Overview tab in the observation details panel shows this information for vulnerabilities.

  • Identification:

    • Issue ID: An ID that Contrast assigns to the issue.

    • CVE: A link to the NIST description of the CVE.

    • Mitre CWE: A link to the Mitre description of the CWE.

    • EPSS score: A score that Contrast calculates using the Exploit Prediction Scoring System.

      This score estimates the probability a specific vulnerability will be exploited in the next 30 days.

  • Application context:

    • Detected: The time when Contrast observed the vulnerability or library.

    • Associated application: The application affected by the vulnerability or library event.

    • Server name: The name of the server associated with the application.

    • Environment: The environment in which the vulnerability or library event occurred: Development, QA, or Production.

  • Library information:

    • Release date: The date the library was released.

    • License: The type of license used for the library. For example, Apache-2.0

  • Metadata:

    • Data type: The source of the issue.

    • Target: What Contrast analyzed: code or a library.

    • Sensor: How Contrast detected the issue. The current value is Contrast agent.

    • Technique: The analysis technique: static or runtime.

  • Description: A description of the behavior that Contrast observed.

Observation evidence details

The Evidence tab shows data that Contrast used to create observations. It includes this information:

  • Vulnerability evidence details:

    • HTTP info: Observed HTTP requests.

    • Details: Information about observed data flows, such as: class method, object, return values, and parameters

  • Attack value evidence details:

    • Attack value: The suspicious values that Contrast observed.

    • Vector analysis: Analysis of the observed attack.

    • Request details: Details about the requests associated with the attack.

    • Code location: Details about the file, methods, and stack traces where Contrast observed the attack.

  • Observability evidence details:

    • Code location: The stack trace associated with the observed use of a cryptography algorithm.

In this section: