Events
Sometimes, a situation may arise in a group that prevents our analysts from pentesting part of the scope or maybe all of it. Your team needs to keep track of these situations and solve them, so we can resume our assessments. The place on the ASM where you can see a cumulative record of solved and unsolved events in your group is the Events section.
This section shows a table providing the following information:
- ID: The event’s unique identifier
- Date reported: When the event was reported
- Description: The problem that, according to the hacker, impeded, or still impedes, their security assessments
- Accessibility: Whether the event affects the Environment, the Repository or both
- Affected components: The components that are showing problems within the repository or environment
- Type: The category in which the problem falls, which can be Authorization for special attack, Incorrect or missing supplies, ToE different from what was agreed upon or Other
- Status: The condition of the event, which can be either Solved or Unsolved
- Date closed: When the event was solved, if it was; otherwise, only a hyphen is shown
Functionalities
Export events
You can download the event table to a CSV (comma-separated values) file by clicking on the Export button.
Columns filter
You can show or hide columns in the table by clicking on the Columns button and toggling the on/off button in front of each column name.
Filters
By clicking the Filters button, you can access several filter options corresponding to the variables that give columns their names.
Event details
When you select an event, you access a new section with its details. In the header, you find the type of event, its ID, the date it was reported and its current status.
You can see three tabs under the header: Description, Evidence and Comments. In Description, you find the reason one of our hackers reported the event, along with their email, the site where the event is present and the number of components affected.
In Evidence, you find images, videos or GIFs justifying the reported event.
In Comments, you find the discussion established between your company's staff and Fluid Attacks' hackers or project managers about the event. You can leave your comments there.
Types of events
Authorization for special attack
This event type corresponds to situations when the hacker requests permission to exploit a vulnerability, anticipating that its exploitation may cause anomalous behaviors in your system’s infrastructure or environment.
Incorrect or missing supplies
This event type refers to situations when the testing environment is down or when you provide incorrect URLs or bad credentials.
ToE different from what was agreed upon
This event type refers to situations when you add a git repository or environment that we didn’t agree to assess when the ToE was defined.
Creating an event
In order to create a new event, you need to click on the New button in the Event tab.
You will see the following pop-up window:
There you must enter or select the requested information:
- The nickname of the root where the analyst discovered the event being reported
- The approximate date at which the event was discovered
- The type of event
- The affected accessibility
- A detailed description of the event
- Image or another file as supporting evidence of the event
- Impact on an ongoing reattack (Y/N). If there is an impact, you must select the affected locations in the reattack so that it goes into the On hold status.
After entering the information and clicking the Proceed button, the ASM will create the new event and send an email to all project managers. You can also click on the Cancel button to discard the creation of the event.
Closing an event
When a user reports that the event has been solved, or analysts find out they can now access previously blocked targets without problems, the event must be closed.
You can do this in the Events section. You have to click on the solved event. Then, in its description, you will see the Mark as solved button that will show you this pop-up window when you click on it:
There you must enter the date the analyst discovered or was notified of the solution of the event. In addition, you must provide the number of hours that the event affected the group. Once this is done, you can click the Proceed button to mark the event as solved or click the Cancel button to interrupt this procedure.
Update affected reattacks
With the Update affected reattacks button, you can indicate that an already created event affects the execution of one or more reattacks.
When you click on it, you will see a pop-up window where you can select the respective event and the reattacks that are being affected.
By clicking on the Proceed button, the selected reattack(s) will go into a status called On hold. (If you want to know more about this status, follow this link.) By clicking on the Cancel button, you will abort the process.