
View incidents (Northstar)

Incidents represent major security issues that you need to investigate. Contrast creates an incident automatically when it observes at least one exploited or suspicious attack event and the Contrast score (based on CVSS v4) exceeds seven.

Steps

  1. To view a list of incidents, from the left navigation, select Incidents.

    The list displays these details for each incident:

    • Severity: The severity Contrast assigned to the incident.

    • Contrast score: The Contrast score represents the risk of an issue or incident at a particular point in time. Contrast determines this score by using information from the Contrast SAST, IAST, SCA, ADR, and Observability technologies.

      Contrast uses the Common Vulnerability Scoring System Version 4 (CVSS 4) standard as the primary framework for calculating the score.

    • Incident: The type of incident, for example, SQL Injection.

    • Incident ID: An identifier that Contrast assigns to the incident. It has this format:

      INC-<year>-<numberOfIncidents>

      For example, INC-2025-33 represents an incident that occurred in the year 2025 and was the 33rd incident that Contrast reported.

    • Status: The status of the incident: Open or Closed.

    • Associated applications: The applications affected by the incident.

    • Assigned to: The person assigned to investigate the incident.

    • Time created: The time when Contrast created the incident.

    • Last updated: The last time the incident was updated.

  2. To view details about an incident, select it. The Overview tab shows these details:

    • General information:

      • Incident ID: The identifier that Contrast assigns to the incident.

      • Source IP: The IP address from which an attack event originated.

      • Severity: The severity that Contrast assigned to the incident.

      • Status: The status of the incident: Open or Closed.

      • Created: The date when Contrast created the incident.

      • Assigned to: The person assigned to investigate and remediate the incident.

      • Rule: The rule that triggered the incident.

      • MITRE: A link to the MITRE ATT&CK tactic associated with the issue.

        The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques observed in real-world attacks.

        A single attack event can map to more than one tactic. When a multi-stage attack occurs, the observed event may represent a single action within a larger attack chain, or it may indicate a threat vector.

        Combining the event data with security information from other security tools, such as WAF (web application firewall) and EDR (endpoint detection and response) solutions, lets you identify the tactic more precisely. This refinement gives you the full picture of the attack.

        Mapping events to ATT&CK tactics is important for risk assessment. It lets you identify high-risk areas and prioritize the development of new detection methods, which broadens your security coverage.

        For more information, see MITRE ATT&CK.

    • Summary:

      • Contrast score: The score that Contrast assigned to the incident.

      • What happened: A description of the observation that triggered the creation of the incident.

    • Associated assets: The applications, servers, and environments where the incident occurred.

      To view the relationships between the application and its associated entities (servers, called APIs, and databases), select the application link to open the view in Explorer.

      The environments are Development, QA, and Production.

    • Associated issues: All the issues related to the incident.

    • Attack value: The suspicious value that Contrast observed going to a sink.

    • Vector analysis: The different pathways or methods that Contrast observed where a malicious attacker could gain access to your system.

    • Code location: Details about the location in your code where Contrast detected the attack event. These details include:

      • File: The file associated with the attack event.

      • Method: The method associated with the attack event.

      • Stack: The code stack associated with the attack event.

  3. To view the activity log for incidents, select the Activity tab.

    1. To view all the activity from Contrast and activities related to task assignments, select the All tab.

      Use the Recent filter to change the order from most recent to oldest.

    2. To view comments, select the Comments tab.

    3. To add a comment, enter the comment in the Add comments box and select the arrow icon.
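The following is an added example, not Contrast's own code, that reproduces the two documented rules from this page in a small triage script: an incident is created only from an exploited or suspicious attack event whose score exceeds seven (a score of exactly 7.0 does not qualify), and each incident gets an identifier in the INC-<year>-<numberOfIncidents> format with the counter restarting per year. The attack events are constructed sample data; the event fields, the "blocked" result value, and the correlation of events into one incident by rule and source IP are assumptions made for the example, since the page does not describe how Contrast groups events.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample attack events (assumed field names; not Contrast data).
# "exploited" and "suspicious" are the outcomes the page names as incident
# triggers; "blocked" is an assumed non-qualifying outcome.
SAMPLE_EVENTS = [
    {"app": "orders-api", "rule": "SQL Injection", "result": "exploited",
     "score": 9.1, "source_ip": "203.0.113.10", "time": "2025-03-04T10:15:00"},
    {"app": "orders-api", "rule": "SQL Injection", "result": "blocked",
     "score": 9.1, "source_ip": "203.0.113.10", "time": "2025-03-04T10:16:00"},
    {"app": "inventory-api", "rule": "SQL Injection", "result": "exploited",
     "score": 8.2, "source_ip": "203.0.113.10", "time": "2025-03-04T10:20:00"},
    {"app": "web-portal", "rule": "Path Traversal", "result": "suspicious",
     "score": 7.0, "source_ip": "198.51.100.7", "time": "2025-03-05T08:00:00"},
    {"app": "web-portal", "rule": "Path Traversal", "result": "suspicious",
     "score": 7.4, "source_ip": "198.51.100.7", "time": "2025-03-05T08:02:00"},
    {"app": "billing", "rule": "Command Injection", "result": "exploited",
     "score": 8.8, "source_ip": "192.0.2.44", "time": "2026-01-02T12:00:00"},
]

QUALIFYING_RESULTS = {"exploited", "suspicious"}
SCORE_THRESHOLD = 7.0  # the page says the score must *exceed* seven


@dataclass
class Incident:
    incident_id: str
    rule: str
    source_ip: str
    score: float
    applications: list = field(default_factory=list)
    status: str = "Open"
    time_created: str = ""


def qualifies(event):
    """Documented trigger: exploited or suspicious event with a score above 7."""
    return event["result"] in QUALIFYING_RESULTS and event["score"] > SCORE_THRESHOLD


def build_incidents(events):
    """Correlate qualifying events into incidents and assign INC-<year>-<n> IDs.

    Assumption for this example: events with the same rule and source IP
    belong to one incident. Dict insertion order keeps incidents in the
    order of their first qualifying event, so IDs are numbered chronologically.
    """
    groups = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if not qualifies(ev):
            continue
        groups.setdefault((ev["rule"], ev["source_ip"]), []).append(ev)

    counters = defaultdict(int)  # per-year incident counter
    incidents = []
    for (rule, ip), evs in groups.items():
        first_seen = evs[0]["time"]
        year = datetime.fromisoformat(first_seen).year
        counters[year] += 1
        incidents.append(Incident(
            incident_id=f"INC-{year}-{counters[year]}",
            rule=rule,
            source_ip=ip,
            score=max(e["score"] for e in evs),       # worst observed score
            applications=sorted({e["app"] for e in evs}),  # associated applications
            time_created=first_seen,
        ))
    return incidents


def parse_incident_id(incident_id):
    """Split INC-<year>-<n> into (year, n); reject anything else."""
    parts = incident_id.split("-")
    if len(parts) != 3 or parts[0] != "INC":
        raise ValueError(f"not an incident ID: {incident_id!r}")
    return int(parts[1]), int(parts[2])


if __name__ == "__main__":
    for inc in build_incidents(SAMPLE_EVENTS):
        print(inc)
```

Running the script on the sample events yields three open incidents, INC-2025-1 (SQL Injection against orders-api and inventory-api from 203.0.113.10, score 9.1), INC-2025-2 (Path Traversal, score 7.4) and INC-2026-1 (Command Injection); the blocked event and the suspicious event scored exactly 7.0 create nothing.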

Refine the view

To refine the view, select the Filter icon to open the filter panel and select one or more filters. The filters are:

  • Severity: The severity of an incident

  • Status: The status of the incident

  • Assigned users: Name of users assigned to an incident

See also

Assign tasks for incidents

Close incidents