The Observations page lists runtime events that do not violate a policy and are not considered attacks. These are typically normal runtime behaviors that may have security implications but for which no malicious intent has been determined. For example, an application opening a file outside the application directory produces an observation. You can use this information when investigating incidents to understand an application's historical behavior and when defining the runtime policy.

The Observations page includes these details:

Name / Description

ID

The ID of the corresponding observation. Cisco Secure Application generates this ID. You can modify this ID on the Observation details page; to open that page, click the desired row.

Click this field to sort the ID alphabetically.

Source

The source of the corresponding observation. This field takes one of these values:

  • Internal: When the events are detected from an internal source.
  • External: When the events are detected from an external source.
  • Unknown: When the source of the runtime behaviour is not known.

Click this field to sort the values alphabetically.

Events

The type of the observation and the count of observations of that type.
Observation Type

Observation types include: 

  • API: The agent detected an outgoing socket connection from the application stack.
  • COMMAND: The agent detected a local command forked by the application stack.
  • DESERIAL: The agent detected a Java class deserialization event.
  • LFI: The agent detected a file read, file write, or file delete event.
  • NETWORK: The agent detected a network connection to a specific host.
  • PATH: The agent detected a path traversal event in the application stack.
  • SQL: The agent detected a non-parameterized SQL command.
  • VULN: The agent detected an unsafe cookie, unauthenticated access, or clear-text HTTP event.

Application

The application affected by the observation.

Tier (Nodes)

The tier name and the number of nodes. Click it to launch the application flow map in the Splunk AppDynamics dashboard. The info icon next to an affected tier indicates that the observed nodes in the tier include critical or medium vulnerabilities.

Last Detected

The time elapsed since the last event within the observation.

Click this field to sort the values in ascending or descending order.

You can click the Export button to download the table data. It downloads all of the rows, columns, and related data in a .csv file. A separate .json file includes the following: a link to the Cisco Secure Application page from which the table was exported, the global filters (if any) applied to the pages, and the search filters applied to the columns. These two files are compressed into a .zip file for downloading. The maximum number of rows that can be exported is 10,000. If the table data exceeds 10,000 rows, you can apply filters to narrow your search, or export the first 10,000 results.
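The following script is an added example, not Cisco's own code, showing how the exported .csv can be summarized by application and observation type to support runtime policy definition. It assumes the CSV header uses the column names from the table above and that the Events column holds a count; the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Observation types as described on this page, with the behaviour each records.
OBSERVATION_TYPES = {
    "API": "outgoing socket connection",
    "COMMAND": "local command forked by the application",
    "DESERIAL": "Java class deserialization",
    "LFI": "file read, write, or delete",
    "NETWORK": "network connection to a specific host",
    "PATH": "path traversal",
    "SQL": "non-parameterized SQL command",
    "VULN": "unsafe cookie, unauthenticated access, or clear-text HTTP",
}

# Constructed sample export. Column names follow the page's table; the exact
# header layout and value formats of a real export are an assumption.
SAMPLE_CSV = """ID,Source,Events,Observation Type,Application,Tier (Nodes),Last Detected
obs-001,Internal,12,LFI,billing,web (3),2h
obs-002,External,4,NETWORK,billing,web (3),15m
obs-003,Unknown,1,COMMAND,billing,worker (1),3d
obs-004,Internal,30,SQL,inventory,api (2),1h
obs-005,External,2,NETWORK,inventory,api (2),40m
"""

def summarize_observations(csv_text):
    """Return ({application: {observation type: total events}}, {source: row count})."""
    per_app = defaultdict(Counter)
    per_source = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        otype = row["Observation Type"].strip()
        if otype not in OBSERVATION_TYPES:
            raise ValueError(f"unexpected observation type: {otype!r}")
        per_app[row["Application"]][otype] += int(row["Events"])
        per_source[row["Source"]] += 1
    return {app: dict(counts) for app, counts in per_app.items()}, dict(per_source)

def review_order(csv_text):
    """(application, type, events, behaviour) tuples, busiest first, for policy review."""
    per_app, _ = summarize_observations(csv_text)
    rows = [(app, otype, n, OBSERVATION_TYPES[otype])
            for app, counts in per_app.items() for otype, n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for app, otype, n, behaviour in review_order(SAMPLE_CSV):
        print(f"{app:10} {otype:8} {n:4} events  ({behaviour})")
```

Because an export is capped at 10,000 rows, totals computed from a filtered or truncated export reflect only the rows that were exported.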