Procedure

  1. Go to one of the following:
    • Logs > Agents > Security Risks
    • Agents > Agent Management
  2. In the agent tree, click the root domain icon to include all agents or select specific domains or agents.
  3. Go to the C&C Callback Log Criteria screen:
    • From the Security Risk Logs screen, click View Logs > C&C Callback Logs.
    • From the Agent Management screen, click Logs > C&C Callback Logs.
  4. Specify the log criteria and then click Display Logs.
  5. View logs. Logs contain the following information:
    Item               Description
    Date/Time          The time the detection occurred
    User               The user logged on at the time of the detection
    Compromised Host   The endpoint from which the callback originated
    IP Address         The IP address of the compromised host
    Domain             The domain of the endpoint on which the detection occurred
    Callback Address   The address to which the endpoint sent the callback
    C&C List Source    The C&C list source that identified the C&C server
    C&C Risk Level     The risk level of the C&C server
    Protocol           The Internet Protocol used for the transmission
    Process            The process that initiated the transmission (path\application_name)
    Action             The action taken on the detection
  6. If Web Reputation blocked a URL that you do not want blocked, click the Add to Web Reputation Approved List button to add the address to the Web Reputation Approved List.
    Note
    Apex One can only add URLs to the Web Reputation Approved List. For detections made by the Global C&C IP List or the Virtual Analyzer (IP) C&C List, manually add these IP addresses to the User-defined Approved C&C IP List.
  7. To save logs to a comma-separated value (CSV) file, click Export All to CSV. Open the file or save it to a specific location.
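
Added example, not part of the Apex One documentation: Python that summarizes the CSV saved in step 7 per compromised host and splits callback addresses into URLs and bare IP addresses, matching the two approved lists named in step 6. The column headers are assumed to match the field names in the table above; the sample rows, list source names other than Global C&C IP List, risk levels and actions are constructed.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample export. Header names are an assumption: they mirror the
# log fields in the table above and may differ in a real exported file.
SAMPLE_CSV = r"""Date/Time,User,Compromised Host,IP Address,Domain,Callback Address,C&C List Source,C&C Risk Level,Protocol,Process,Action
2024-01-01 10:00:00,alice,WS-001,192.0.2.10,Sales,http://c2.example.test/gate,Sample URL List,High,HTTP,C:\Users\alice\AppData\Local\Temp\upd.exe,Block
2024-01-01 10:05:00,alice,WS-001,192.0.2.10,Sales,198.51.100.7,Global C&C IP List,High,TCP,C:\Users\alice\AppData\Local\Temp\upd.exe,Log
2024-01-01 11:00:00,bob,WS-002,192.0.2.11,Finance,http://c2.example.test/gate,Sample URL List,Medium,HTTP,C:\Program Files\App\app.exe,Block
"""

def is_ip(address):
    """True when the callback address is a bare IPv4/IPv6 address, not a URL."""
    try:
        ipaddress.ip_address(address.strip())
        return True
    except ValueError:
        return False

def triage(lines):
    """Group callback log rows by compromised host (lines: file or list of str)."""
    hosts = defaultdict(
        lambda: {"callbacks": 0, "processes": set(), "urls": set(), "ips": set()})
    for row in csv.DictReader(lines):
        entry = hosts[row["Compromised Host"]]
        entry["callbacks"] += 1
        entry["processes"].add(row["Process"])
        kind = "ips" if is_ip(row["Callback Address"]) else "urls"
        entry[kind].add(row["Callback Address"])
    return dict(hosts)

def addresses_by_list(summary):
    """Split callback addresses by the approved list each would go to if an
    analyst judges the detection a false positive (step 6 and its note)."""
    urls, ips = set(), set()
    for entry in summary.values():
        urls |= entry["urls"]
        ips |= entry["ips"]
    return {
        "Web Reputation Approved List": sorted(urls),
        "User-defined Approved C&C IP List": sorted(ips),
    }

if __name__ == "__main__":
    summary = triage(SAMPLE_CSV.splitlines())
    for host, entry in sorted(summary.items()):
        print(host, entry["callbacks"], sorted(entry["processes"]))
    print(addresses_by_list(summary))
```

For a real export, pass the opened CSV file object to triage() instead of the sample lines.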