View observations (Northstar)

You can view all Contrast observations or view observations for a specific issue.

Before you begin

View all observations

  1. In the left navigation, select Observations.

    The observation data includes:

    • Title: The name of the Contrast rule associated with the observation or a description of an event.

      For libraries, the title includes the name of the CVE that Contrast observed in the library.

    • Data type: The source of the observation: a vulnerability, an attack event, or behavior (from observability).

    • Source IP: The IP address where an event originated.

    • Associated issue ID: An identifier that Contrast assigns to the issue. It has this format:

      ISS-<year>-<numberOfIssues>

      For example, ISS-2025-10 represents an issue that occurred in the year 2025 and was the 10th issue that Contrast reported.

    • Application: The name of the application where Contrast detected an attack event.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

    • Result: The result for the attack event. The possible results are, in order of severity:

      • Exploited:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

        • Maps to this severity: Critical or High

      • Suspicious:

        • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

        • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

        • Maps to this severity: Medium

      • Blocked:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

        • Contrast detected an attack using sink-only heuristics. The mode is set to Block.

        • Maps to this severity: Informational

      • Probed:

        • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

        • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

        • Maps to this severity: Low

    • Detected: The time when Contrast detected the attack event.

    • Value: The value associated with the observation.

      • For attack observations, this value is the attack value.

      • For vulnerability observations, no value is shown.

  2. To view details about a specific observation, select a row.

    This action opens the Observations details panel. Select Overview or Evidence.

    View observation details describes the information in this view.

  3. To view observation details for a specific issue, select an Associated issue link.

    This action opens the Issues view. To view data that Contrast used to create the issue, select Observations or Evidence.

  4. To view a map of the associated application and its connections in Explorer, select an Application link.

View observations for an issue

  1. In the left navigation, select Issues.

  2. Select an issue.

  3. Select the Observations tab. The observation data includes:

    • Source IP: The IP address where an event originated.

    • Rule: The name of the Contrast rule that the observed value violated.

    • Application: The name of the application where Contrast detected an attack event.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

    • Server: The name of the server where Contrast detected the attack event.

    • Detected: The time when Contrast detected the attack event.

    • Result: The result for the attack event. The possible results are, in order of severity:

      • Exploited:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Monitor.

        • Maps to this severity: Critical or High

      • Suspicious:

        • Contrast detected a low confidence attack event at the perimeter for a perimeter-only rule in Block mode.

        • Contrast detected a high or low confidence attack event at the perimeter for a perimeter-only rule in Monitor mode.

        • Contrast detected an attack event using sink-only heuristics. The mode is set to Monitor.

        • Maps to this severity: Medium

      • Blocked:

        • Contrast detected an attack event at the perimeter and confirmed it at the sink. The mode is set to Block.

        • Contrast detected an attack using sink-only heuristics. The mode is set to Block.

        • Maps to this severity: Informational

      • Probed:

        • Contrast detected an attack event at the perimeter, but did NOT confirm it at the sink. The mode is set to Block or Monitor.

        • These are ineffective attacks that can indicate an attacker is probing, scanning, or fuzzing your application for vulnerabilities.

        • Maps to this severity: Low

    • URL: The path the attacker used for the attack event.

    • Value: The value that the Contrast agent detected was going to a sink.
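The Result conditions and the issue ID format described above, written out as decision logic and applied to a few observations. This is an added example, not Contrast code or a Contrast API: the function names, the record fields and the sample data are constructed for illustration, and the four-digit year in the ID pattern is an assumption. Combinations the result list does not describe return None.

```python
import re

# Severity the page maps each result to ("Critical or High" kept as written).
SEVERITY = {"Exploited": "Critical or High", "Suspicious": "Medium",
            "Probed": "Low", "Blocked": "Informational"}
RANK = {"Critical or High": 0, "Medium": 1, "Low": 2, "Informational": 3}
ISSUE_ID = re.compile(r"^ISS-(\d{4})-(\d+)$")  # ISS-<year>-<numberOfIssues>

def parse_issue_id(issue_id):
    """Return (year, sequence number) from an associated issue ID."""
    m = ISSUE_ID.match(issue_id)
    if not m:
        raise ValueError(f"not an issue ID: {issue_id!r}")
    return int(m.group(1)), int(m.group(2))

def classify(mode, perimeter=None, sink_confirmed=False,
             perimeter_only_rule=False, sink_only=False):
    """perimeter is None (nothing seen at the perimeter), "low" or "high"."""
    if mode not in ("Monitor", "Block"):
        raise ValueError(f"unknown mode: {mode!r}")
    if sink_only:                        # sink-only heuristics
        return "Suspicious" if mode == "Monitor" else "Blocked"
    if perimeter is None:
        return None                      # no attack event detected
    if perimeter_only_rule:
        if mode == "Monitor" or perimeter == "low":
            return "Suspicious"
        return None                      # high confidence + Block: not in the list
    if sink_confirmed:                   # perimeter detection confirmed at the sink
        return "Exploited" if mode == "Monitor" else "Blocked"
    return "Probed"                      # seen at the perimeter, not confirmed

def triage(observations):
    """Return (issue, result, severity) rows, most severe first."""
    rows = []
    for obs in observations:
        fields = dict(obs)
        issue = fields.pop("issue")
        result = classify(**fields)
        rows.append((issue, result, SEVERITY.get(result)))
    return sorted(rows, key=lambda r: (RANK.get(r[2], len(RANK)),
                                       parse_issue_id(r[0])))

# Constructed sample observations (not exported from Contrast).
SAMPLE = [
    {"issue": "ISS-2025-12", "mode": "Block", "perimeter": "high"},
    {"issue": "ISS-2025-10", "mode": "Monitor", "perimeter": "high",
     "sink_confirmed": True},
    {"issue": "ISS-2025-11", "mode": "Block", "sink_only": True},
    {"issue": "ISS-2025-9", "mode": "Monitor", "perimeter": "low",
     "perimeter_only_rule": True},
]
```
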

Refine the view

To refine the view (including the details view), select the Filter icon. The available filters are:

  • Time: The time frame for the view.

    Select a displayed time frame or select Custom to specify a customized time frame.

  • Severity: The severity of the observation.

  • Has issue: Observations that have an issue associated with them.

  • Data type: The source of the observation:

    • Vulnerability

    • Attack

    • Behavior

  • Target: What Contrast analyzed. The current filters are Code and Library.

  • Sensor: How Contrast detected the observation. The current filter is Contrast agent.

  • Technique: The analysis technique. The current filters are Runtime and Static.

  • Quantum unsafe: Contrast observed the use of quantum-unsafe algorithms.

  • Environments: The environments where the application is running: Development, QA, or Production.

  • Languages: The language of the code associated with the observation.

  • Results: The results of an observed attack:

    • Exploited

    • Suspicious

    • Blocked

    • Blocked (P): Blocked at the perimeter

    • Probed