View Attack Details

The Attack details page provides information about a detected attack. The top pane gives a summary of the attack; to view the application flow map, click the flow map icon next to the application name. The bottom pane is split into a left pane (the list of events that were automatically correlated to the attack) and a right pane (the details of the selected event).

You can use the Search filter to filter by: Outcome, Event Type, Attack Type, or Affected Tiers.

| Field Name | Description |
| --- | --- |
| Outcome | The outcome of the event: whether the selected event is Exploited, Blocked, or Attempted. |
| Event Type | The type of the attack event or the vulnerability name. |
| Attack Type | The type of the attack, such as RCE. |
| Application | The affected application. |
| Tier | The affected tier. |
| Timestamp | The date and time when the event is detected. |
| Affected Node | The name of the affected node. Click the flow map icon to view the Tiers and Nodes flow map on the Splunk AppDynamics dashboard. |
| Event Trigger | The attack target. It can be a file, host, command, and so on. |
| Vulnerabilities | The type of vulnerability used for the attack. Depending on the event type, this field may not be displayed. If a value is displayed, click it to view the vulnerability details. For information about vulnerabilities, see Monitor Vulnerabilities. |
| Entry Point | The web server URL accessed by the client in the transaction that triggered the event. Depending on the event type, this field may not be displayed. |
| Client IP | The IP address of the remote endpoint of the connection in the transaction. This can be the IP address of the client machine, or of a load balancer or proxy in the client network. The warning icon next to the IP address indicates that a known malicious IP is detected. This is available if the attack is from a client IP address that is on a known malicious IP list. Currently, the Talos malicious IP list is supported, so this attribute displays the value Talos when the attack is from a client IP on the Talos list. |
| Network Flow | The network flow as observed from the node, including the source and destination IP addresses. |
| Details | The details of the resulting behavior of the node triggered by an inbound request. The details vary with the event and attack type. Click Show More to view the Details dialog box. You can copy the details as required. |
| Stack Trace | Details of the stack trace for the corresponding event. Click Show More to view the Stack Trace dialog box. You can use this information to guide developers to the lines of code that were executed to produce the result of the event. You can copy the details as required. |
| Socket Address | The destination IP address. It can be a host, network, subnetwork, and so on. The warning icon next to the IP address indicates that a known malicious IP is detected. This is available if the attack is from a client IP address that is on a known malicious IP list. Currently, the Talos malicious IP list is supported, so this attribute displays the value Talos when the attack is from a client IP on the Talos list. |
| Policy | The action applied to this event, based on the policy in effect when the event is detected. If you have the Configure permission, you can change the policy by clicking this value. See Policies. |

You can click the Export button to download the table data. It downloads all of the rows, columns, and related data in a .csv file. A separate .json file includes the following: a link to the Cisco Secure Application page from which the table was exported, the global filters (if any) applied to the pages, and the search filters applied to the columns. These two files are compressed into a .zip file for downloading. The maximum number of rows that can be exported is 10,000. If the table data exceeds 10,000 rows, you can apply filters to narrow your search, or export the first 10,000 results.
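As an added example (not part of the product documentation), the following Python script reads such an export archive offline and ranks the events for response: Exploited before Blocked before Attempted, and within an outcome, events whose client IP carries the Talos flag first. The sample data is constructed; the archive member names, the .csv column headers, and the "Malicious IP List" column name are assumptions, not the product's actual export format.

```python
import csv
import io
import json
import zipfile

# Constructed sample export. Column names mirror the field names on the
# Attack details page but are an assumption about the real .csv header.
SAMPLE_CSV = """Outcome,Event Type,Attack Type,Application,Tier,Timestamp,Client IP,Malicious IP List,Policy
Exploited,Remote Code Execution,RCE,shop,web,2024-05-01T10:00:00Z,203.0.113.5,Talos,Detect
Blocked,Remote Code Execution,RCE,shop,web,2024-05-01T10:01:00Z,203.0.113.5,Talos,Block
Attempted,SQL Injection,SQLi,shop,api,2024-05-01T10:02:00Z,198.51.100.7,,Detect
Blocked,Path Traversal,LFI,shop,web,2024-05-01T10:03:00Z,192.0.2.9,,Block
"""
# Constructed metadata in the shape the page describes: source link plus filters.
SAMPLE_META = {"link": "https://example.invalid/secure-app/attacks/EXAMPLE-ID",
               "global_filters": {"application": "shop"},
               "search_filters": {"Attack Type": ["RCE", "SQLi", "LFI"]}}
EXPORT_ROW_CAP = 10000  # documented maximum number of exported rows


def build_export_zip() -> bytes:
    """Assemble the .csv + .json pair into one .zip (member names assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attack_events.csv", SAMPLE_CSV)
        zf.writestr("attack_events.json", json.dumps(SAMPLE_META))
    return buf.getvalue()


def load_export(zip_bytes: bytes):
    """Return (rows, metadata, possibly_truncated) from an export archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        csv_name = next(n for n in zf.namelist() if n.endswith(".csv"))
        json_name = next(n for n in zf.namelist() if n.endswith(".json"))
        rows = list(csv.DictReader(io.StringIO(zf.read(csv_name).decode())))
        meta = json.loads(zf.read(json_name))
    # Exactly 10,000 rows means the export may have been cut at the cap.
    return rows, meta, len(rows) >= EXPORT_ROW_CAP


def triage(rows):
    """Order events by outcome severity, then Talos-flagged client IPs first."""
    rank = {"Exploited": 0, "Blocked": 1, "Attempted": 2}
    return sorted(rows, key=lambda r: (rank.get(r["Outcome"], 3),
                                       r["Malicious IP List"] != "Talos",
                                       r["Timestamp"]))


def summarize(rows):
    """Count events per outcome and collect the Talos-listed client IPs."""
    by_outcome, talos_ips = {}, set()
    for r in rows:
        by_outcome[r["Outcome"]] = by_outcome.get(r["Outcome"], 0) + 1
        if r["Malicious IP List"] == "Talos":
            talos_ips.add(r["Client IP"])
    return by_outcome, sorted(talos_ips)
```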