The following table describes token variables for customizing C&C Callback event notification messages.
Note: For the list of standard token variables supported by all event notifications, see Standard Token Variables.
| Variable | Description |
|---|---|
| %CnC_LIST_SRC% | Name of the list that contains the callback address |
| %CNC_PD_NAME% | Product ID of the managed product server that sent the log |
| %CNC_PD_VERSION% | Version of the managed product server that sent the log |
| %CNC_PD_NODE% | Endpoint name of the managed product server that sent the log |
| %CNC_PD_IP% | IP address of the managed product server that sent the log |
| %CNC_EVTTIME% | Time the log was generated |
| %CNC_AGENTNAME% | Name of the Security Agent endpoint that detected the callback |
| %CNC_AGENTIP% | IP address of the Security Agent endpoint that detected the callback |
| %CNC_AGENTDOMAIN% | Apex One domain of the Security Agent endpoint that detected the callback |
| %CNC_POLICY_RULE% | Name or rule ID of the policy that detected the callback |
| %CNC_ACTION% | Action result from the security log, personal firewall, NCIE log, or web security log |
| %CNC_EMAIL_SENDER% | Email sender associated with the callback |
| %CNC_EMAIL_SUBJECT% | Email subject associated with the callback |
| %CNC_RISKLEVEL% | Risk level of the malware groups associated with the C&C server |
| %CNC_DETECT_SOURCE% | The C&C list that defined the detection rule |
| %CNC_CHANNEL% | The type ID that indicates the destination format |
| %CNC_URL% | The remote URL that the endpoint attempted to contact |
| %CNC_URL_CATEGORY% | The URL category of the site that the endpoint attempted to contact |
| %CNC_IP_PORT% | The C&C server IP address and port |
| %CNC_EMAIL_REPT% | Email recipient associated with the callback |
| %CNC_FIRST_SEEN% | The first known detection of the C&C server |
| %CNC_LAST_SEEN% | The last known detection of the C&C server |
| %CNC_LOCATION% | The country code of the C&C server |
| %CNC_MALEWARE_FAMILY% | The malware family associated with the C&C detection |
| %CNC_ATTACK_GROUP% | The C&C group lists |
| %CNC_PROCESS_NAME% | The process name associated with the C&C detection |
| %CALLBACK_ADDR% | URL, IP address, or email address to which a compromised host attempts a callback |
| %COMPR_HOST% | Affected host or email address |
| %CALLBACK_NUM% | Number of contacts made between callback addresses and compromised hosts |
| %COMPR_HOST_NUM% | Number of compromised hosts involved in the outbreak |
| %CALLBACK_ADDR_NUM% | Number of callback addresses involved in the outbreak |