Configuring the C&C Callback Outbreak Criteria and Notifications

  1. Go to Administration > Notifications > Outbreak.

    The Outbreak Notifications screen appears.

  2. On the Criteria tab in the C&C Callbacks section, configure the following:

    Option                 Description
    Same compromised host  Select to define an outbreak based on the callback detections per endpoint
    C&C risk level         Specify whether to trigger an outbreak on all C&C callbacks or only on high-risk sources
    Action                 Specify which actions Apex One counts to determine an outbreak scenario
    Detections             Specify the number of detections that Apex One must exceed to trigger an outbreak scenario
    Time period            Specify the monitoring period

  3. On the Email tab:
    1. In the C&C Callbacks section, select Enable notification via email.
    2. Specify the email recipients beside the To field.
    3. Specify the Subject used in the email notification.
    4. Specify the Message contents.

      Apex One supports use of tokens in the Subject and Message fields.

      Table 1. Token Variables for C&C Callback Outbreak Notifications

      Variable Token  Description
      %C              Number of C&C callback logs
      %T              Time period over which the C&C callback logs accumulated

    5. Specify any additional log data you want to include in the notification (in tabular format).

      Log Column        Description
      Date/Time         Date and time of detection
      Compromised Host  Endpoint with the detection
      IP Address        IP address of the compromised host
      Domain            Domain of the endpoint on which the detection occurred
      Callback Address  URL that triggered the detection
      C&C Risk Level    Risk level of the callback address
      C&C List Source   C&C list source that identified the C&C server
      Action            Action performed on the security risk

  4. On the SNMP Trap tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via SNMP trap.
    3. Accept or modify the default message. You can use token variables to represent data in the Message field. See Table 1 for details.
  5. On the NT Event Log tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via NT Event Log.
    3. Accept or modify the default message. You can use token variables to represent data in the Message field. See Table 1 for details.
  6. Click Save.
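The following is an added, illustrative model of how the Criteria tab settings combine (per-endpoint counting, risk-level filter, counted actions, a detection count that must be exceeded, and a monitoring period) and of how the %C and %T tokens are filled in. It is not Apex One's own code; the log records, field names and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample C&C callback detections (not real Apex One log data).
SAMPLE_LOGS = [
    {"time": "2024-05-01 10:00:00", "host": "WS-01", "risk": "High", "action": "Blocked"},
    {"time": "2024-05-01 10:05:00", "host": "WS-01", "risk": "High", "action": "Blocked"},
    {"time": "2024-05-01 10:09:00", "host": "WS-01", "risk": "Medium", "action": "Logged"},
    {"time": "2024-05-01 10:12:00", "host": "WS-02", "risk": "High", "action": "Blocked"},
    {"time": "2024-05-01 12:30:00", "host": "WS-01", "risk": "High", "action": "Blocked"},
]


def evaluate_outbreak(logs, detections, period_hours, same_host=True,
                      high_risk_only=False, actions=("Blocked", "Logged")):
    """Return (triggered, count, key) the first time the criteria are exceeded.

    same_host      -> "Same compromised host": count per endpoint, else across all
    high_risk_only -> "C&C risk level": only High-risk sources count
    actions        -> "Action": which actions are counted
    detections     -> "Detections": the count must EXCEED this number
    period_hours   -> "Time period": sliding monitoring window
    """
    period = timedelta(hours=period_hours)
    windows = defaultdict(list)  # key is the host, or "*" when counting all endpoints
    for entry in sorted(logs, key=lambda e: e["time"]):
        if high_risk_only and entry["risk"] != "High":
            continue
        if entry["action"] not in actions:
            continue
        ts = datetime.strptime(entry["time"], "%Y-%m-%d %H:%M:%S")
        key = entry["host"] if same_host else "*"
        # keep only detections that fall inside the monitoring period ending now
        windows[key] = [t for t in windows[key] + [ts] if ts - t <= period]
        if len(windows[key]) > detections:
            return True, len(windows[key]), key
    return False, 0, None


def render_message(template, count, period_hours):
    """Substitute the %C and %T tokens used in the Subject and Message fields."""
    return template.replace("%C", str(count)).replace("%T", f"{period_hours} hour(s)")
```

Lowering Detections or lengthening Time period makes the rule fire on fewer events, so tune both against the noise level of your environment before enabling the SNMP or NT Event Log notifications.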