kc field
The kc (kill chain) field identifies the attack chain and records the attack phase of the threat.

Example:

`kc:e; app:http; action:alert; content: "mocha|3a|"; http_uri;`

This rule indicates that the attack phase of the threat is exploitation, the HTTP URI field contains the signature string `mocha|3a|`, and the response action is alert.

Keyword description of kc:

| Value | Description |
| ------------ | ------------ |
| r | The attack phase is reconnaissance. |
| e | The attack phase is exploitation. |
| c | The attack phase is command and control. |
| a | The attack phase is actions on objectives. |

【**Note**】This field is supported since V600R022C10.
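The following added example (not vendor code) shows one way to lint custom rules before deployment: it splits a rule into its options and checks that any `kc` value is one of the four listed above. It assumes the option syntax seen in the example rule (options end with `;`, values may be double-quoted); the function names `parse_options` and `kill_chain_phase` are hypothetical.

```python
import re

# kc values and their phases, as listed in the table above.
KC_PHASES = {
    "r": "reconnaissance",
    "e": "exploitation",
    "c": "command and control",
    "a": "actions on objectives",
}

# One option: a keyword, optionally ":" and a value, terminated by ";".
# Assumed syntax: a double-quoted value may itself contain ";" or ":".
_OPTION = re.compile(r'\s*([A-Za-z_]\w*)\s*(?::\s*("[^"]*"|[^;]*?))?\s*;')

def parse_options(rule):
    """Split a rule into (keyword, value) pairs; value is None for flags such as http_uri."""
    options, pos = [], 0
    while pos < len(rule):
        if rule[pos:].strip() == "":
            break  # only trailing whitespace left
        m = _OPTION.match(rule, pos)
        if m is None:
            raise ValueError(f"cannot parse rule at offset {pos}: {rule[pos:]!r}")
        value = m.group(2)
        if value is not None:
            value = value.strip().strip('"')
        options.append((m.group(1), value))
        pos = m.end()
    return options

def kill_chain_phase(rule):
    """Return the phase named by the rule's kc option, or None if the rule has no kc."""
    values = [v for k, v in parse_options(rule) if k == "kc"]
    if not values:
        return None
    if len(values) > 1:
        # Assumption: a rule carries at most one kc option; treated as an error here.
        raise ValueError("rule has more than one kc option")
    if values[0] not in KC_PHASES:
        raise ValueError(f"unknown kc value {values[0]!r}")
    return KC_PHASES[values[0]]
```

Because the option parser respects quoting, a `content` string that happens to contain `kc:r;` is not mistaken for a kill chain tag.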