The following table describes token variables for customizing C&C Callback event notification messages.
For the list of standard token variables supported by all event notifications, see Standard Token Variables.

| Variable | Description |
|---|---|
| %CnC_LIST_SRC% | Name of the list that contains the callback address |
| %CNC_PD_NAME% | Product ID of the managed product server that sent the log |
| %CNC_PD_VERSION% | Version of the managed product server that sent the log |
| %CNC_PD_NODE% | Endpoint name of the managed product server that sent the log |
| %CNC_PD_IP% | IP address of the managed product server that sent the log |
| %CNC_EVTTIME% | Time the log was generated |
| %CNC_AGENTNAME% | Name of the Security Agent endpoint that detected the callback |
| %CNC_AGENTIP% | IP address of the Security Agent endpoint that detected the callback |
| %CNC_AGENTDOMAIN% | Apex One domain of the Security Agent endpoint that detected the callback |
| %CNC_POLICY_RULE% | Name or rule ID of the policy that detected the callback |
| %CNC_ACTION% | Action result from the security log, personal firewall, NCIE log, or web security log |
| %CNC_EMAIL_SENDER% | Email sender associated with the callback |
| %CNC_EMAIL_SUBJECT% | Email subject associated with the callback |
| %CNC_RISKLEVEL% | Risk level of the malware groups associated with the C&C server |
| %CNC_DETECT_SOURCE% | The C&C list that defined the detection rule |
| %CNC_CHANNEL% | The type ID that indicates the destination format |
| %CNC_URL% | The remote URL that the endpoint attempted to contact |
| %CNC_URL_CATEGORY% | The URL category of the site that the endpoint attempted to contact |
| %CNC_IP_PORT% | The C&C server IP address and port |
| %CNC_EMAIL_REPT% | Email recipient associated with the callback |
| %CNC_FIRST_SEEN% | The first known detection of the C&C server |
| %CNC_LAST_SEEN% | The last known detection of the C&C server |
| %CNC_LOCATION% | The country code of the C&C server |
| %CNC_MALEWARE_FAMILY% | The malware family associated with the C&C detection |
| %CNC_ATTACK_GROUP% | The C&C group lists |
| %CNC_PROCESS_NAME% | The process name associated with the C&C detection |
| %CALLBACK_ADDR% | URL, IP address, or email address to which a compromised host attempts a callback |
| %COMPR_HOST% | Affected host or email address |
| %CALLBACK_NUM% | Number of contacts made between callback addresses and compromised hosts |
| %COMPR_HOST_NUM% | Number of compromised hosts involved in the outbreak |
| %CALLBACK_ADDR_NUM% | Number of callback addresses involved in the outbreak |