View observations (Northstar)

You can view Contrast observations by selecting an issue in the Issues page and selecting the Observations tab.

Steps

  1. In the left navigation, select Issues.

  2. Select an issue.

  3. Select the Observations tab. The observation data includes:

    • Source IP: The IP address where an attack event originated.

    • Rule: The name of the Contrast rule that the attack value violated.

    • Application: The name of the application where Contrast detected an attack event.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

    • Server: The name of the server where Contrast detected the attack event.

    • Detected: The time when Contrast detected the attack event.

    • Result: The result for the attack event. The possible results are, in order of severity:

      • Exploited:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

        • Maps to this severity: Critical or High

      • Suspicious:

        • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

        • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

        • Maps to this severity: Medium

      • Blocked:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Block.

        • Maps to this severity: Informational

      • Probed:

        • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

        • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

        • Maps to this severity: Low

    • URL: The path the attacker used for the attack event.

    • Attack value: The value the attacker sent, which the Contrast agent detected reaching a sink.
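The Result values above form a small decision table (perimeter detection, sink confirmation, rule type, confidence, and mode). The following added example, which is not Contrast product code, turns that table into a triage helper: it classifies exported observations, orders them most-severe-first using the severity mapping on this page, and flags source IPs that generate repeated Probed events, since the page notes those can indicate probing, scanning, or fuzzing. The `AttackEvent` record shape, its field names, and the sample events are constructed assumptions, not a Contrast export format; the one combination the page does not define (a high-confidence perimeter-only event in Block mode) is deliberately left unclassified rather than guessed.

```python
"""Triage helper for the Result/severity mapping described above.

Added example (not Contrast product code). The AttackEvent record shape and
the sample events are constructed assumptions, not a Contrast export format.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(str, Enum):
    MONITOR = "Monitor"
    BLOCK = "Block"


@dataclass(frozen=True)
class AttackEvent:
    # Hypothetical normalized record; field names are assumptions.
    source_ip: str
    rule: str
    application: str
    url: str
    mode: Mode
    perimeter_detected: bool            # event seen at the perimeter
    sink_confirmed: bool                # attack value confirmed at the sink
    sink_only_heuristic: bool = False   # detected by sink-only heuristics
    perimeter_only_rule: bool = False   # rule has no sink to confirm at
    high_confidence: bool = True        # perimeter detection confidence


# Result -> severity, as listed on the page.
SEVERITY = {
    "Exploited": "Critical or High",
    "Suspicious": "Medium",
    "Probed": "Low",
    "Blocked": "Informational",
}
# Order for a triage queue: most severe first.
RANK = {"Exploited": 0, "Suspicious": 1, "Probed": 2, "Blocked": 3}


def classify(ev: AttackEvent) -> Optional[str]:
    """Return the Result for an event, or None where the page defines none."""
    if ev.sink_only_heuristic:
        # No perimeter event to reason about; only the mode decides.
        return "Blocked" if ev.mode is Mode.BLOCK else "Suspicious"
    if not ev.perimeter_detected:
        return None                  # nothing observed
    if ev.perimeter_only_rule:
        if ev.mode is Mode.MONITOR:
            return "Suspicious"      # high or low confidence
        if not ev.high_confidence:
            return "Suspicious"      # low confidence in Block mode
        return None                  # high confidence in Block mode: undefined on the page
    if ev.sink_confirmed:
        return "Blocked" if ev.mode is Mode.BLOCK else "Exploited"
    return "Probed"                  # seen at the perimeter, never confirmed at the sink


def triage(events: List[AttackEvent]) -> List[Tuple[AttackEvent, str, str]]:
    """(event, result, severity) rows, most severe first; undefined cases are dropped."""
    rows = []
    for ev in events:
        result = classify(ev)
        if result is None:
            continue                 # leave undefined cases to a human reviewer
        rows.append((ev, result, SEVERITY[result]))
    return sorted(rows, key=lambda row: RANK[row[1]])   # stable: input order within a rank


def probing_sources(events: List[AttackEvent], threshold: int = 3) -> Dict[str, int]:
    """Source IPs with at least `threshold` Probed events (possible scanning or fuzzing)."""
    counts = Counter(ev.source_ip for ev in events if classify(ev) == "Probed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample observations (documentation-range IPs, no real payloads).
SAMPLE_EVENTS = [
    AttackEvent("203.0.113.10", "sql-injection", "orders", "/api/orders", Mode.MONITOR, True, True),
    AttackEvent("203.0.113.10", "sql-injection", "orders", "/api/orders", Mode.BLOCK, True, True),
    AttackEvent("192.0.2.55", "reflected-xss", "portal", "/search", Mode.BLOCK, True, False,
                perimeter_only_rule=True, high_confidence=False),
    AttackEvent("192.0.2.55", "reflected-xss", "portal", "/search", Mode.BLOCK, True, False,
                perimeter_only_rule=True, high_confidence=True),
    AttackEvent("192.0.2.56", "cmd-injection", "portal", "/admin", Mode.MONITOR, False, True,
                sink_only_heuristic=True),
    AttackEvent("198.51.100.7", "path-traversal", "orders", "/files?name=a", Mode.BLOCK, True, False),
    AttackEvent("198.51.100.7", "path-traversal", "orders", "/files?name=b", Mode.BLOCK, True, False),
    AttackEvent("198.51.100.7", "path-traversal", "orders", "/files?name=c", Mode.MONITOR, True, False),
    AttackEvent("198.51.100.7", "path-traversal", "orders", "/files?name=d", Mode.MONITOR, True, False),
]

if __name__ == "__main__":
    for ev, result, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:17} {result:10} {ev.source_ip:14} {ev.rule:15} {ev.application}/{ev.url}")
    print("repeated probing:", probing_sources(SAMPLE_EVENTS))
```

With the sample data the queue starts with the Exploited event from the Monitor-mode application, then the two Suspicious events, the four Probed events, and finally the Blocked event; `probing_sources` reports the one source IP with four Probed events, which is the kind of pattern worth correlating with the Source IP and URL columns on the Observations tab.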