The following table describes token variables for customizing C&C Callback event
notification messages.
 |
NoteFor the list of standard token variables supported by all event notifications, see
Standard Token Variables.
|
|
Variable
|
Description
|
%CnC_LIST_SRC% |
Name of the list that contains the callback address
|
%CNC_PD_NAME% |
Product ID of the managed product server that sent the log
|
%CNC_PD_VERSION% |
Version of the managed product server that sent the log
|
%CNC_PD_NODE% |
Endpoint name of the managed product server that sent the log
|
%CNC_PD_IP% |
IP address of the managed product server that sent the log
|
%CNC_EVTTIME% |
Time the log was generated
|
%CNC_AGENTNAME% |
Name of the Security Agent endpoint that detected the callback
|
%CNC_AGENTIP% |
IP address of the Security Agent endpoint that detected the callback
|
%CNC_AGENTDOMAIN% |
Apex One domain of the Security Agent endpoint that detected the callback
|
%CNC_POLICY_RULE% |
Name or rule ID of the policy that detected the callback
|
%CNC_ACTION% |
Action result from the security log, personal firewall, NCIE log, or web security
log
|
%CNC_EMAIL_SENDER% |
Email sender associated with the callback
|
%CNC_EMAIL_SUBJECT% |
Email subject associated with the callback
|
%CNC_RISKLEVEL% |
Risk level of the malware groups associated with the C&C server
|
%CNC_DETECT_SOURCE% |
The C&C list that defined the detection rule
|
%CNC_CHANNEL% |
The type ID that indicates the destination format
|
%CNC_URL% |
The remote URL that the endpoint attempted to contact
|
%CNC_URL_CATEGORY% |
The URL category of the site that the endpoint attempted to contact
|
%CNC_IP_PORT% |
The C&C server IP address and port
|
%CNC_EMAIL_REPT% |
Email recipient associated with the callback
|
%CNC_FIRST_SEEN% |
The first known detection of the C&C server
|
%CNC_LAST_SEEN% |
The last known detection of the C&C server
|
%CNC_LOCATION% |
The country code of the C&C server
|
%CNC_MALEWARE_FAMILY% |
The malware family associated with the C&C detection
|
%CNC_ATTACK_GROUP% |
The C&C group lists
|
%CNC_PROCESS_NAME% |
The process name associated with the C&C detection
|
%CALLBACK_ADDR% |
URL, IP address, or email address to which a compromised host attempts a
callback
|
%COMPR_HOST% |
Affected host or email address
|
%CALLBACK_NUM% |
Number of contacts made between callback addresses and compromised hosts
|
%COMPR_HOST_NUM% |
Number of compromised hosts involved in the outbreak
|
%CALLBACK_ADDR_NUM% |
Number of callback addresses involved in the outbreak
|