View observations (Northstar)

You can view all Contrast observations or view observations for a specific issue.

View all observations

  1. In the left navigation, select Observations.

    The observation data includes:

    • Severity: The severity that Contrast assigned to the observation. The severity filters are:

      • Critical

      • High

      • Low

      • Medium

      • None

    • Contrast score: The score that Contrast assigned to the observation.

    • Source IP: The IP address where an attack event originated.

    • Associated issue ID: An identifier that Contrast assigns to the issue. It has this format:

      ISS-<year>-<numberOfIssues>

      For example, ISS-2025-10 represents an issue that occurred in the year 2025 and was the 10th issue that Contrast reported.

    • Application: The name of the application where Contrast detected an attack event.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

    • Result: The result for the attack event. The possible results are, in order of severity:

      • Exploited:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

        • Maps to this severity: Critical or High

      • Suspicious:

        • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

        • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

        • Maps to this severity: Medium

      • Blocked:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Block.

        • Maps to this severity: Informational

      • Probed:

        • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

        • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

        • Maps to this severity: Low

    • Rule: The name of the Contrast rule that the attack value violated.

    • Detected: The time when Contrast detected the attack event.

    • Value: The value associated with the observation.

      • For attack observations, this value is the attack value.

      • For vulnerability observations, no value is shown.

  2. To refine the view, select the Filter icon. The available filters are:

    • Severity: The severity that Contrast assigned to the observation.

    • Has issue: Observations that have an issue associated with them.

    • Environments: The environments where the application is running: Development, QA, or Production.

    • Languages: The language of the code associated with the observation.

  3. To view details about a specific observation, select an Associated issue link.

    This action opens the Issues view. To view data that Contrast used to create the issue, select Evidence or Observations.

  4. To view a map of the associated application and its connections in Explorer, select an Application link.

View observations for an issue

  1. In the left navigation, select Issues.

  2. Select an issue.

  3. Select the Observations tab. The observation data includes:

    • Source IP: The IP address where an attack event originated.

    • Rule: The name of the Contrast rule that the attack value violated.

    • Application: The name of the application where Contrast detected an attack event.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

    • Server: The name of the server where Contrast detected the attack event.

    • Detected: The time when Contrast detected the attack event.

    • Result: The result for the attack event. The possible results are, in order of severity:

      • Exploited:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

        • Maps to this severity: Critical or High

      • Suspicious:

        • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

        • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

        • Maps to this severity: Medium

      • Blocked:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Block.

        • Maps to this severity: Informational

      • Probed:

        • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

        • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

        • Maps to this severity: Low

    • URL: The path the attacker used for the attack event.

    • Attack value: The value that the attacker sent and that the Contrast agent detected going to a sink.
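
The Result rules listed in both views above, written out as a decision function so each combination can be checked (an added example, not Contrast code or a Contrast API). The parameter names, the precedence given to perimeter-only rules, and the sample events are assumptions made for illustration; combinations the page does not list return None.

```python
from typing import Optional

# Result -> severity, as listed on this page.
SEVERITY = {"Exploited": "Critical or High", "Suspicious": "Medium",
            "Blocked": "Informational", "Probed": "Low"}
RESULT_ORDER = ["Exploited", "Suspicious", "Blocked", "Probed"]  # page's order

def classify(mode: str, perimeter: bool = False, sink_confirmed: bool = False,
             sink_only: bool = False, perimeter_only_rule: bool = False,
             confidence: Optional[str] = None) -> Optional[str]:
    """Return the Result for one attack event, or None if the page lists no rule.

    All parameter names are hypothetical; they are not Contrast API fields.
    """
    if mode not in ("Block", "Monitor"):
        raise ValueError(f"unknown mode: {mode!r}")
    if sink_only:  # sink-only heuristics
        return "Blocked" if mode == "Block" else "Suspicious"
    if not perimeter:
        return None
    if perimeter_only_rule:
        # Assumption: a perimeter-only rule has no sink confirmation step,
        # so these cases are checked before the Probed rule.
        if confidence not in ("high", "low"):
            raise ValueError("perimeter-only rules need a confidence")
        if mode == "Monitor" or confidence == "low":
            return "Suspicious"
        return None  # high confidence in Block mode is not listed on the page
    if sink_confirmed:
        return "Blocked" if mode == "Block" else "Exploited"
    return "Probed"  # seen at the perimeter, not confirmed at the sink

def triage(events):
    """Classify events and return (result, severity) pairs in the page's order."""
    results = [r for r in (classify(**e) for e in events) if r is not None]
    results.sort(key=RESULT_ORDER.index)
    return [(r, SEVERITY[r]) for r in results]

# Constructed sample signals, not real Contrast data.
SAMPLE = [
    {"mode": "Block", "perimeter": True},
    {"mode": "Monitor", "sink_only": True},
    {"mode": "Monitor", "perimeter": True, "sink_confirmed": True},
    {"mode": "Block", "perimeter": True, "perimeter_only_rule": True, "confidence": "high"},
    {"mode": "Block", "perimeter": True, "sink_confirmed": True},
]

if __name__ == "__main__":
    for result, severity in triage(SAMPLE):
        print(f"{result:<11}{severity}")
```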