The Attacks page lists all the open and closed attacks on the managed applications.

By default, this page displays an overview of the selected application. For information about selecting a specific application or service, see Select Scope for the Dashboard in Monitor Application Security Using Cisco Secure Application.

Attacks - Top Pane

The top pane includes these details:

Attacks By Outcome

This chart shows the number of attacks in each of these states:

  • Exploited: Malicious activity was performed that impacts the application's security.
  • Blocked: The events were blocked based on the attack policy.
  • Attempted: Malicious activity was detected but not exploited.

Top Applications

This chart displays the top 10 applications based on open attacks per application. If you select a specific application scope, then only that application is displayed. To view all the applications, reset the application scope. See Monitor Application Security Using Cisco Secure Application. For each application, the chart shows the attacks in the exploited, blocked, and attempted states versus the total number of open attacks on the application.

Hover over each state to view the number of blocked, exploited, and open attacks.

Top Attack Types

This chart displays the top 10 attack types, showing the events in the exploited, blocked, and attempted states versus the total number of open attacks of that type. Hover over each state to view the number of blocked, exploited, attempted, and open attacks. Attack types include:

  • DESERIAL: The agent detected a Java class deserialization event.
  • SQL: The agent detected a known SQL injection signature event.
  • RCE: The agent detected a remote code execution event.
  • LOG4J: The agent detected a Log4Shell attack.
  • SSRF: The agent detected a server-side request forgery event.
  • MALIP: The agent detected an inbound or outbound socket connection to a known malicious IP address.

Attacks - Bottom Pane

The bottom pane displays these details:

ID

The ID of the corresponding attack. Cisco Secure Application generates this ID. You can modify this ID on the attack details page. To view the attack details page, click the desired row. Click this field to sort the IDs numerically.

Outcome

The outcome of the corresponding attack, which is one of these states:

  • Exploited: Malicious activity was performed that impacts the application's security.
  • Blocked: The events were blocked based on the attack policy.
  • Attempted: Malicious activity was detected but not exploited.

Click this field to sort the values alphabetically.

Attack Type (Events)

The type of the attack and the count of events of that attack type.

Event Trigger

Relevant information from the runtime behavior resulting from the event where Secure Application determined a potential attack.
Application

The application affected by the attack.

Business Transaction

When you click an Attack ID, you receive a summary for each attack, including the Business Transaction type if you have Business Transactions enabled. See Monitor Business Transactions.

Tier

The tier name and the number of nodes. You can click the flowmap icon to launch the application flowmap in the AppDynamics Dashboard. The info icon next to an affected tier indicates that the attacked nodes in the tier include a critical or medium vulnerability.

Last Detected

The time elapsed since the last event within the attack.

Click this field to sort the values in ascending or descending order.

Status

The status of the attack is defined as either open or closed. If you have Configure permissions, click the checkboxes for the required rows and then click the Set Status option to set the appropriate status. Click this field to sort based on the Open or Closed state.

You can click the Export button to download the table data. It downloads all of the rows, columns, and related data in a .csv file. A separate .json file includes the following: link to the Cisco Secure Application website where the table is exported from, global filters (if any) applied to the pages, and search filters applied to the columns. These two files are compressed into a .zip file for downloading. The maximum number of rows that can be exported is 10,000. If table data exceeds 10,000 rows you may apply filters to narrow your search, or export the first 10,000 results.
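The following script is an added example, not part of this documentation or of Cisco Secure Application itself. It shows how a responder might post-process the exported .zip offline: it unpacks the .csv and the .json described above, rebuilds the Attacks By Outcome and Top Attack Types counts from the table rows, lists the open attacks with an Exploited outcome for triage first, and flags when the export reached the 10,000-row cap and may therefore be incomplete. The column headers follow the table on this page, but the exact CSV header spelling, the file names inside the .zip, and the layout of the .json are assumptions; the sample rows and metadata are constructed for the example.

```python
"""Offline triage of a Cisco Secure Application Attacks export (added example).

Assumptions (not confirmed by the product documentation): the .zip holds one
.csv whose header matches the Attacks table columns and one .json with the
source link and filters; file names and the .json keys are invented here.
"""
import csv
import io
import json
import re
import zipfile
from collections import Counter

EXPORT_ROW_CAP = 10_000  # documented maximum number of rows per export

# Constructed sample table data; column names follow the Attacks table.
SAMPLE_CSV = "\n".join([
    "ID,Outcome,Attack Type (Events),Event Trigger,Application,Business Transaction,Tier,Last Detected,Status",
    "101,Exploited,SQL (3),jdbc query,shop-web,/checkout,web-tier (2),5m,Open",
    "102,Blocked,LOG4J (1),jndi lookup,shop-web,/login,web-tier (2),12m,Open",
    "103,Attempted,SSRF (2),outbound http,inventory-api,/items,api-tier (1),1h,Closed",
    "104,Exploited,RCE (1),process exec,shop-web,/upload,web-tier (2),3h,Open",
    "105,Blocked,MALIP (4),socket connect,inventory-api,/items,api-tier (1),2d,Open",
])

# Constructed metadata; the real .json layout is an assumption.
SAMPLE_META = {
    "source": "https://secure-application.example.invalid/attacks",  # placeholder URL
    "global_filters": {"application": "shop-web"},
    "search_filters": {"Status": "Open"},
}

# "SQL (3)" -> type "SQL", event count 3
_TYPE_RE = re.compile(r"^\s*([A-Z0-9]+)\s*\((\d+)\)\s*$")


def build_sample_export() -> bytes:
    """Pack the constructed .csv and .json into an in-memory .zip like the export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attacks.csv", SAMPLE_CSV)
        zf.writestr("attacks.json", json.dumps(SAMPLE_META))
    return buf.getvalue()


def parse_export(zip_bytes: bytes):
    """Return (rows, meta): rows are dicts keyed by column header, meta is the .json."""
    rows, meta = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name).decode("utf-8")
            if name.endswith(".csv"):
                rows = list(csv.DictReader(io.StringIO(data)))
            elif name.endswith(".json"):
                meta = json.loads(data)
    return rows, meta


def split_attack_type(cell: str):
    """Split the 'Attack Type (Events)' cell; unparseable cells keep the text with count 0."""
    m = _TYPE_RE.match(cell)
    return (m.group(1), int(m.group(2))) if m else (cell.strip(), 0)


def summarize(rows):
    """Rebuild the dashboard counts and pick out the rows to handle first."""
    by_outcome = Counter(r["Outcome"] for r in rows)
    by_type, events_by_type = Counter(), Counter()
    for r in rows:
        attack_type, events = split_attack_type(r["Attack Type (Events)"])
        by_type[attack_type] += 1          # attacks per type (Top Attack Types)
        events_by_type[attack_type] += events  # correlated events per type
    # Open attacks whose outcome is Exploited are the first ones to respond to.
    urgent = sorted(r["ID"] for r in rows
                    if r["Status"] == "Open" and r["Outcome"] == "Exploited")
    return {
        "by_outcome": dict(by_outcome),
        "by_type": dict(by_type),
        "events_by_type": dict(events_by_type),
        "open_exploited_ids": urgent,
        # At the cap the UI exported only the first 10,000 rows; narrow the filters.
        "possibly_truncated": len(rows) >= EXPORT_ROW_CAP,
    }


if __name__ == "__main__":
    rows, meta = parse_export(build_sample_export())
    print("exported from:", meta.get("source"), "filters:", meta.get("global_filters"))
    for key, value in summarize(rows).items():
        print(f"{key}: {value}")
```

The `possibly_truncated` flag is the check worth keeping: an export of exactly 10,000 rows is indistinguishable from a complete one unless you compare it with the row count shown in the UI, so treat a capped export as partial and re-export with narrower filters.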

View Attack Details

The attack details page provides information about a single attack. Click any attack in the table to open it.

Attack Details - Top Pane

The top pane provides a summary of the attack. To view the application flowmap, click the flowmap icon next to the application name. A user with Configure permission can add notes under Attack Notes. Such a note is visible to all users viewing the attack details.

Attack Details - Bottom Left and Bottom Right Pane

The bottom pane is split into a left pane (the list of events automatically correlated to the attack) and a right pane (the details of the selected event).

You can use the Search filter to filter based on the following categories:

  • Outcome
  • Event Type
  • Attack Type
  • Affected Tiers

For more information about the Search filter, see View Data Using Search Filter in Monitor Application Security Using Cisco Secure Application.

Left Pane 

The left pane displays these details:

Outcome: The outcome of the event, that is, whether the selected event is Exploited, Blocked, or Attempted.
Event Type: The type of the attack event or the vulnerability name.
Attack Type: The type of the attack, such as RCE.
Application: The affected application.
Tier: The affected tier.
Timestamp: The time the event was detected.

You can click the Export button to download the table data. It downloads all of the rows, columns, and related data in a .csv file. A separate .json file includes the following: link to the Cisco Secure Application website where the table is exported from, global filters (if any) applied to the pages, and search filters applied to the columns. These two files are compressed into a .zip file for downloading. The maximum number of rows that can be exported is 10,000. If table data exceeds 10,000 rows you may apply filters to narrow your search, or export the first 10,000 results.

Right Pane 

The right pane displays the following details for the selected event.

These fields are displayed when the events are triggered during a web transaction.

Timestamp

The date and time when the event was detected.

Affected Node

The name of the affected node. You can click the flowmap icon to view the Tiers and Nodes flowmap on the AppDynamics dashboard.

Event Trigger

The attack target. It can be a file, host, command, and so on.
Vulnerabilities

The type of vulnerability used for the attack. Based on the event type, this field may not be displayed.

If the value is displayed, click the value to view the vulnerability details. For information about Vulnerabilities, see Monitor Vulnerabilities.

Entry Point

The web server URL accessed by the client in the transaction that triggered the event. Based on the event type, this field may not be displayed.

Client IP

The IP address of the remote endpoint of the connection in the transaction. This can be the IP address of the client machine, or of a load balancer or proxy in the client network.

The warning icon next to the IP address indicates that a known malicious IP was detected. It is shown if the attack is from a client IP address that is on a known malicious IP list.

Currently, the Talos malicious IP list is supported. Therefore, this attribute displays the value Talos when the attack is from a client IP on the Talos list.

Network Flow

The network flow as observed from the node, including the source and the destination IP addresses.
Details

The details of the resulting behavior of the node triggered by an inbound request. The details vary with the event and attack type. Click Show More to view the Details dialog box.

You can copy the details as required.

Stack Trace

Details of the stack trace for the corresponding event. Click Show More to view the Stack Trace dialog box.

You can use this information to guide developers to the lines of code that were executed to produce the result of the event. You can copy the details as required.

Socket Address

The destination IP address. It can be a host, network, subnetwork, and so on. The warning icon next to the IP address indicates that a known malicious IP was detected.

This is available if the attack involves an IP address that is on a known malicious IP list.

Currently, the Talos malicious IP list is supported. Therefore, this attribute displays the value Talos when the attack involves an IP address on the Talos list.

Policy

The action applied to this event, based on the policy in effect when the event was detected.

If you have the Configure permission, you can change the policy by clicking this value. See Cisco Secure Application Policies.