Procedure

1. Go to Administration → Notifications → Administrator.
2. On the Criteria tab:
   1. Go to the C&C Callbacks section.
   2. Specify whether to send notifications when Trend Micro Apex One detects a C&C callback (the action can be blocked or logged) or only when the risk level of the callback address is High.
3. On the Email tab:
   1. Go to the C&C Callbacks section.
   2. Select Enable notification via email.
   3. Select Send notifications to users with agent tree domain permissions.
      Use Role-based Administration to grant agent tree domain permissions to users. If transmission occurs on any agent belonging to a specific domain, the email are sent to the email addresses of the users with domain permissions. See the following table for examples:

      Agent Tree Domains and Permissions

      Agent Tree Domain	Roles with Domain Permissions	User Account with the Role	Email Address for the User Account
      Domain A	Administrator (built-in)	root	mary@xyz.com
      	Role_01	admin_john	john@xyz.com
      		admin_chris	chris@xyz.com
      Domain B	Administrator (built-in)	root	mary@xyz.com
      	Role_02	admin_jane	jane@xyz.com

      If any Security Agent belonging to Domain A detects a C&C callback, the email will be sent to mary@xyz.com, john@xyz.com, and chris@xyz.com.

      If any Security Agent belonging to Domain B detects the C&C callback, the email is sent to mary@xyz.com and jane@xyz.com.

      Note When enabling this option, all users with domain permissions must have a corresponding email address. The email notification will not be sent to users without an email address. Users and email addresses are configured from Administration → Account Management → User Accounts.

   4. Select Send notifications to the following email address(es) and then type the email addresses.
   5. Accept or modify the default subject and message. Use token variables to represent data in the Subject and Message fields.

      Token Variables for C&C Callback Notifications

      Variable	Description
      %CLIENTCOMPUTER%	Target endpoint that sent the callback
      %IP%	IP address of the targeted endpoint
      %DOMAIN%	Domain of the endpoint
      %DATETIME%	Date and time the transmission was detected
      %CALLBACKADDRESS%	Callback address of the C&C server
      %CNCRISKLEVEL%	Risk level of the C&C server
      %CNCLISTSOURCE%	Indicates the C&C source list
      %ACTION%	Action taken

4. On the SNMP Trap tab:
   1. Go to the C&C Callbacks section.
   2. Select Enable notification via SNMP trap.
   3. Accept or modify the default message. Use token variables to represent data in the Message field. See Token Variables for C&C Callback Notifications for details.
5. On the NT Event Log tab:
   1. Go to the C&C Callbacks section.
   2. Select Enable notification via NT Event Log.
   3. Accept or modify the default message. You can use token variables to represent data in the Message field. See Token Variables for C&C Callback Notifications for details.
6. Click Save.