V 2.0 : C&C Callback Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| V 2.0 : C&C Callback Event | Base Rule | Activity | General Threat Message |
| V 2.0 : C&C Callback : Unknown | Sub Rule | Activity | General Threat Message |
| V 2.0 : C&C Callback : Pass | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Block | Sub Rule | Failed Activity | Threat Blocked |
| V 2.0 : C&C Callback : Monitor | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Delete | Sub Rule | Failed Activity | Threat Deleted |
| V 2.0 : C&C Callback : Quarantine | Sub Rule | Activity | Quarantine |
| V 2.0 : C&C Callback : Warn | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Warn & Continue | Sub Rule | Malware | Detected Malware Activity |
| V 2.0 : C&C Callback : Override | Sub Rule | Malware | Detected Malware Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | CnC:Action |
| Header (eventName) | <vmid> | Text/String | Name |
| Header (severity) | N/A | N/A | Severity |
| deviceExternalId | N/A | N/A | ID |
| rt | N/A | N/A | Log generation time in UTC |
| cat | N/A | N/A | Log type |
| deviceFacility | N/A | N/A | Product |
| cs2Label | N/A | N/A | Corresponding label for the "cs2" field |
| cs2 | N/A | N/A | Product version |
| shost | N/A | N/A | Endpoint host name |
| src | <sip> | IP Address | Endpoint IPv4 address |
| c6a2Label | N/A | N/A | Corresponding label for the "c6a2" field |
| c6a2 | <sip> | IP Address | Endpoint IPv6 address |
| cs3Label | N/A | N/A | Corresponding label for the "cs3" field |
| cs3 | <domainorigin> | Text/String | Domain name |
| cs4Label | N/A | N/A | Corresponding label for the "cs4" field |
| cs4 | <policy> | Text/String | Policy name |
| act | <action>, <tag1> | Text/String | Action: 0: Unknown; 1: Pass; 2: Block; 3: Monitor; 4: Delete; 5: Quarantine; 6: Warn; 7: Warn and continue; 8: Override |
| cn1Label | N/A | N/A | Corresponding label for the "cn1" field |
| cn1 | <severity> | Number | C&C risk level: 0: SLF_CCCA_RISKLEVEL_UNKNOWN; 1: SLF_CCCA_RISKLEVEL_LOW; 2: SLF_CCCA_RISKLEVEL_MEDIUM; 3: SLF_CCCA_RISKLEVEL_HIGH |
| cn2Label | N/A | N/A | Corresponding label for the "cn2" field |
| cn2 | N/A | N/A | C&C list source: 0: SLF_CCCA_GLOBAL_LIST; 1: SLF_CCCA_CUSTOM_LIST; 2: SLF_CCCA_CUSTOM_LIST_USER_DEFINED |
| cn3Label | N/A | N/A | Corresponding label for the "cn3" field |
| cn3 | N/A | N/A | Callback address format: 0: IP; 1: IP; 2: HTTP; 3: SMTP |
| request | <url> | Text/String/Number | URL |
| cs5Label | N/A | N/A | Corresponding label for the "cs5" field |
| cs5 | N/A | N/A | Callback URL address |
| dst | <dip> | IP Address | Callback IPv4 address |
| c6a3Label | N/A | N/A | Corresponding label for the "c6a3" field |
| c6a3 | <dip> | IP Address | Callback IPv6 address |
| deviceProcessName | <process> | Text/String | Process name |
| deviceNtDomain | N/A | N/A | Active Directory domain |
| dntdom | N/A | N/A | Apex One domain hierarchy |
| dvchost | N/A | N/A | Host name |
| TMCMLogDetectedHost | <dname> | Text/String | Endpoint name where the log event occurred |
| TMCMLogDetectedIP | <dip> | IP Address | IP address where the log event occurred |
| ApexCentralHost | N/A | N/A | Apex Central host name |
| devicePayloadId | N/A | N/A | Unique message GUID |
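The two tables above define the shape of the CEF event this rule consumes: a seven-field pipe-delimited header, an extension of key=value pairs, numeric codes in act, cn1, cn2 and cn3, and csNLabel keys that name the matching csN values. The following Python parser is an added worked example for this page; it is not LogRhythm's or Trend Micro's own code. It splits the header and extension with CEF escaping (\|, \=, \\), maps the keys the table binds to schema fields (<sip>, <dip>, <url>, <policy> and so on), decodes the codes with the tables above, and assigns the sub rule, classification and common event from the Classification table. The sample log line, the label strings in it (Product_Version, Risk_Level, Callback_URL and the rest) and all of its values are constructed for illustration.

```python
"""Added example for this page, not LogRhythm's or Trend Micro's parser: map one
Apex Central "C&C Callback" CEF event onto the LogRhythm schema fields above."""
import re
from datetime import datetime, timezone

# act code -> (action text, sub rule suffix, classification, common event), per the tables above
SUB_RULE = {
    0: ("Unknown", "Unknown", "Activity", "General Threat Message"),
    1: ("Pass", "Pass", "Malware", "Detected Malware Activity"),
    2: ("Block", "Block", "Failed Activity", "Threat Blocked"),
    3: ("Monitor", "Monitor", "Malware", "Detected Malware Activity"),
    4: ("Delete", "Delete", "Failed Activity", "Threat Deleted"),
    5: ("Quarantine", "Quarantine", "Activity", "Quarantine"),
    6: ("Warn", "Warn", "Malware", "Detected Malware Activity"),
    7: ("Warn and continue", "Warn & Continue", "Malware", "Detected Malware Activity"),
    8: ("Override", "Override", "Malware", "Detected Malware Activity"),
}
RISK_LEVEL = {0: "SLF_CCCA_RISKLEVEL_UNKNOWN", 1: "SLF_CCCA_RISKLEVEL_LOW",
              2: "SLF_CCCA_RISKLEVEL_MEDIUM", 3: "SLF_CCCA_RISKLEVEL_HIGH"}
LIST_SOURCE = {0: "SLF_CCCA_GLOBAL_LIST", 1: "SLF_CCCA_CUSTOM_LIST",
               2: "SLF_CCCA_CUSTOM_LIST_USER_DEFINED"}
ADDRESS_FORMAT = {0: "IP", 1: "IP", 2: "HTTP", 3: "SMTP"}

# CEF extension key -> LogRhythm schema field (keys the table marks N/A are not mapped).
# Insertion order matters: the first key present wins, so dst fills <dip> before TMCMLogDetectedIP.
SCHEMA = {"src": "sip", "c6a2": "sip", "cs3": "domainorigin", "cs4": "policy",
          "request": "url", "dst": "dip", "c6a3": "dip", "deviceProcessName": "process",
          "TMCMLogDetectedHost": "dname", "TMCMLogDetectedIP": "dip"}

HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of an extension key=value pair
_ESC = {"n": "\n", "r": "\r"}                     # CEF escapes besides \= \| \\


def _split_header(line):
    """Return the seven pipe-delimited header fields and the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped character inside a header field
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF line: expected 7 header fields")
    return dict(zip(HEADER, fields)), line[i:]


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces and escaped '\\=' characters."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_cnc_callback(line):
    """Map one C&C Callback CEF event onto the LogRhythm schema fields and sub rule."""
    header, ext = _split_header(line)
    if not header["eventid"].startswith("CnC:"):  # eventid is documented as CnC:Action
        raise ValueError(f"not a C&C callback event: {header['eventid']!r}")
    fields = _parse_extension(ext)
    rec = {"vmid": header["eventName"], "cef_severity": header["severity"]}
    for key, schema in SCHEMA.items():
        if key in fields:
            rec.setdefault(schema, fields[key])
    # act feeds both <action> and <tag1>; an undocumented code falls back to sub rule "Unknown"
    action, suffix, classification, common_event = SUB_RULE.get(_int(fields.get("act")), SUB_RULE[0])
    rec.update(action=action, tag1=action, rule_name=f"V 2.0 : C&C Callback : {suffix}",
               classification=classification, common_event=common_event)
    rec["severity"] = _int(fields.get("cn1"))
    rec["risk_level_name"] = RISK_LEVEL.get(rec["severity"], RISK_LEVEL[0])
    rec["list_source"] = LIST_SOURCE.get(_int(fields.get("cn2")))
    rec["address_format"] = ADDRESS_FORMAT.get(_int(fields.get("cn3")))
    # csNLabel names the matching csN value, so expose those values under their label text
    rec["labels"] = {fields[f"cs{n}Label"]: fields[f"cs{n}"]
                     for n in range(1, 7) if f"cs{n}Label" in fields and f"cs{n}" in fields}
    rt = fields.get("rt")
    if rt and rt.isdigit():  # epoch milliseconds; the table says the time is UTC
        rec["time_utc"] = datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc).isoformat()
    return rec


# Constructed sample event: every value and label string below is made up for illustration.
SAMPLE = ("CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|"
          "rt=1700000000000 deviceFacility=Apex One cs2Label=Product_Version cs2=14.0.1234 "
          "shost=WS-EXAMPLE-01 src=10.0.0.25 cs3Label=Domain_Name cs3=Workgroup "
          "cs4Label=Policy_Name cs4=Default Policy act=2 cn1Label=Risk_Level cn1=3 "
          "cn2Label=CnC_List_Source cn2=0 cn3Label=Callback_Address_Format cn3=2 "
          "request=http://cnc.example.invalid/gate.php?id\\=42 "
          "cs5Label=Callback_URL cs5=http://cnc.example.invalid/gate.php dst=203.0.113.10 "
          "deviceProcessName=C:\\\\Users\\\\user\\\\update.exe "
          "TMCMLogDetectedHost=WS-EXAMPLE-01 TMCMLogDetectedIP=10.0.0.25")

if __name__ == "__main__":
    print(parse_cnc_callback(SAMPLE))
```

Two details of the mapping are worth noting when writing detection content against these fields. Both dst and TMCMLogDetectedIP land in <dip>, so a rule that keys on <dip> should decide which source it wants when both are present (the example keeps the first in SCHEMA order, dst). The act value is what selects the sub rule, so a code outside the documented 0 to 8 range falls through to "V 2.0 : C&C Callback : Unknown" rather than being dropped, which keeps an unexpected vendor update visible as a General Threat Message instead of silently losing the event.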