V 2.0 : C&C Callback Event
Vendor Documentation
Classification
Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : C&C Callback Event | Base Rule | Activity | General Threat Message |
| V 2.0 : C&C Callback : Unknown | Sub Rule | Activity | General Threat Message |
| V 2.0 : C&C Callback : Pass | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Block | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : C&C Callback : Monitor | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Delete | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : C&C Callback : Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : C&C Callback : Warn | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Warn & Continue | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Override | Sub Rule | Malware | Detected Malware Activity |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | CnC:Action |
| Header (eventName) | <vmid> | Text/String | Name |
| Header (severity) | N/A | N/A | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| cat | N/A | N/A | Log type |
| deviceFacility | N/A | N/A | Product |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | Product version |
| shost | N/A | N/A | Endpoint host name |
| src | <sip> | IP Address | Endpoint IPv4 address |
| c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
| c6a2 | <sip> | IP Address | Endpoint IPv6 address |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | <domainorigin> | Text/String | Domain name |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | <policy> | Text/String | Policy name |
| act | <action> <tag1> | Text/String | Action 0: Unknown 1: Pass 2: Block 3: Monitor 4: Delete 5: Quarantine 6: Warn 7: Warn and continue 8: Override |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <severity> | Number | C&C risk level 0: SLF_CCCA_RISKLEVEL_UNKNOWN 1: SLF_CCCA_RISKLEVEL_LOW 2: SLF_CCCA_RISKLEVEL_MEDIUM 3: SLF_CCCA_RISKLEVEL_HIGH |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | C&C list source 0: SLF_CCCA_GLOBAL_LIST 1: SLF_CCCA_CUSTOM_LIST 2: SLF_CCCA_CUSTOM_LIST_USER_DEFINED |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Callback address format 0: IP 1: IP 2: HTTP 3: SMTP |
| request | <url> | Text/String/Number | URL |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | N/A | N/A | Callback URL address |
| dst | <dip> | IP Address | Callback IPv4 address |
| c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
| c6a3 | <dip> | IP Address | Callback IPv6 address |
| deviceProcessName | <process> | Text/String | Process name |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| dvchost | N/A | N/A | Host name |
| TMCMLogDetectedHost | <dname> | Text/String | Endpoint name where the log event occurred |
| TNCNKigDetectedIP | <dip> | IP Address | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |