Monitor Attacks
The Attacks page includes details of all the open and closed attacks on the managed applications.
The following image is an example of the Attacks page:
By default, this page displays an overview of the selected application. For information about selecting a specific application or service, see Select Scope for the Dashboard at Monitor Application Security Using Cisco Secure Application.
The top pane includes these details:
Chart | Description |
---|---|
OPEN | This pie chart represents the total number of open attacks and displays the number of attacks in each of the following states:
Hover over a state to view the number of open attacks in that state. To make all the charts display data for a specific state, click that state on the pie chart. To return to the complete chart, click the same state again. |
TOP APPLICATIONS | This chart displays the top 10 applications based on open attacks per application. If you select a specific application scope, then only that application is displayed. To view all the applications, reset the application scope. For more information about changing the scope of the application, see Monitor Application Security Using Cisco Secure Application. For each application, the chart shows the open attacks in an exploited, blocked, or observed state against the total number of open attacks on the application. Hover over each state to view the number of blocked, exploited, and observed open attacks. |
TOP EVENTS | This chart displays the top 10 attack events, showing the open attacks in an exploited, blocked, or observed state against the total number of open attacks for each event. Hover over each state to view the number of blocked, exploited, and observed open attacks. |
The bottom pane displays these details:
You can use the Search filter for the following categories:
- ID
- Source
- Outcome
- Affected Services/Tiers
- Attack Type
- Attack Status
For more information about the Search filter, see View Data Using Search Filter in Monitor Application Security Using Cisco Secure Application.
Name | Description |
---|---|
ID | The ID of the corresponding attack. Cisco Secure Application generates this ID. You can modify this ID on the attack details page. To view the attack details page, click the desired row. Click this field to sort the IDs alphabetically. |
Source | The source of the corresponding attack. The value can be:
For the attack events that are triggered by a web transaction, Cisco Secure Application uses these criteria to identify the source of attack:
Click the row for detailed information about the source of an attack. Click this field to sort the values alphabetically. |
Outcome | The outcome of the corresponding attack. This provides information on these states of the attack:
Click this field to sort the values alphabetically. |
Type (Count) | The type of the attack and count of that attack type. |
Affected Tiers (Nodes) | The application affected by the attack along with the tier name and the number of nodes. You can click |
Last Detected | The time elapsed since the last event within the attack. Click this field to sort the values in ascending or descending order. |
Status | The status of the attack is defined as either open or closed. If you have Configure permissions, click the checkboxes for the required rows and then click the Set Status option to set the appropriate status. Click this field to sort based on the Open or Closed state. |
View Attack Details
The attack details page provides more details of the attack. Click any attack to view the attack details page.
The top pane provides a summary of the attack.
A user with the Configure permission can add notes under Attack Notes if desired. These notes are visible to all users when monitoring attack details.
The bottom pane is split into a left pane (a list of events automatically correlated to the attack) and a right pane (the details of the selected event).
You can use the Search filter to filter based on the following categories:
- Outcome
- Event Type
- Attack Type
- Affected Tiers
For more information about the Search filter, see View Data Using Search Filter in Monitor Application Security Using Cisco Secure Application.
The left pane displays these details:
Field Name | Description |
---|---|
Outcome | The outcome of the event. This provides information on whether the selected event is Observed, Blocked, or Exploited. |
Event Type | The type of the attack event or the vulnerability name. |
Attack Type | The type of the attack, such as RCE. |
Affected Services/Tiers | The affected application and the tier. |
Risk | The risk score given for the specific event within the attack. |
Timestamp | The time when the event is detected. |
The right pane displays the following details based on the selected event:
These fields are displayed when the events are triggered during a web transaction.
Field Name | Description |
---|---|
Timestamp | The date and time when the event is detected. |
Affected Node | The name of the affected node. You can click the flowmap icon ( |
Vulnerabilities | The type of vulnerability used for the attack. Based on the event type, this field may not be displayed. If the value is displayed, click the value to view the vulnerability details. For information about Vulnerabilities, see Monitor Vulnerabilities. |
Entry Point | The webserver URL accessed by the client in the transaction that triggered the event. Based on the event type, this field may not be displayed. |
Client IP | The IP address of the remote endpoint of the connection in the transaction. This can be the IP address of the client machine, or of a load balancer or proxy in the client network. |
Network Flow | The network flow as observed from the node, including the source and the destination IP address. |
Details | The details about the resulting behavior of the node triggered by an inbound request. The details may change based on the event and attack type. Click Show More to view the Details dialog box. You can copy the details as needed. |
Stack Trace | Details of the stack trace for the corresponding event. Click Show More to view the Stack Trace dialog box. You can use this information to guide developers to the lines of code that were used to achieve the result of the event. You can copy the details as needed. |
Policy | The action that is used for this event based on the existing policy when the event is detected. If you have the Configure permission, you can change the policy by clicking the modify icon next to the policy. See Cisco Secure Application Policies. |