Configuring C&C Callback Notifications for Administrators

  1. Go to Administration > Notifications > Administrator.
  2. On the Criteria tab:
    1. Go to the C&C Callbacks section.
    2. Specify whether to send notifications when Apex One detects a C&C callback (the action can be blocked or logged) or only when the risk level of the callback address is High.
  3. On the Email tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via email.
    3. Select Send notifications to users with agent tree domain permissions.

      Use Role-based Administration to grant agent tree domain permissions to users. If transmission occurs on any agent belonging to a specific domain, the email are sent to the email addresses of the users with domain permissions. See the following table for examples:

      Table 1. Agent Tree Domains and Permissions

      Agent Tree Domain

      Roles with Domain Permissions

      User Account with the Role

      Email Address for the User Account

      Domain A

      Administrator (built-in)

      root

      mary@xyz.com

      Role_01

      admin_john

      john@xyz.com

      admin_chris

      chris@xyz.com

      Domain B

      Administrator (built-in)

      root

      mary@xyz.com

      Role_02

      admin_jane

      jane@xyz.com

      If any Security Agent belonging to Domain A detects a C&C callback, the email will be sent to mary@xyz.com, john@xyz.com, and chris@xyz.com.

      If any Security Agent belonging to Domain B detects the C&C callback, the email is sent to mary@xyz.com and jane@xyz.com.

      Note:

      When enabling this option, all users with domain permissions must have a corresponding email address. The email notification will not be sent to users without an email address. Users and email addresses are configured from Administration > Account Management > User Accounts.

    4. Select Send notifications to the following email address(es) and then type the email addresses.
    5. Accept or modify the default subject and message. Use token variables to represent data in the Subject and Message fields.
      Table 2. Token Variables for C&C Callback Notifications

      Variable

      Description

      %CLIENTCOMPUTER%

      Target endpoint that sent the callback

      %IP%

      IP address of the targeted endpoint

      %DOMAIN%

      Domain of the endpoint

      %DATETIME%

      Date and time the transmission was detected

      %CALLBACKADDRESS%

      Callback address of the C&C server

      %CNCRISKLEVEL%

      Risk level of the C&C server

      %CNCLISTSOURCE%

      Indicates the C&C source list

      %ACTION%

      Action taken
  4. On the SNMP Trap tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via SNMP trap.
    3. Accept or modify the default message. Use token variables to represent data in the Message field. See Table 2 for details.
  5. On the NT Event Log tab:
    1. Go to the C&C Callbacks section.
    2. Select Enable notification via NT Event Log.
    3. Accept or modify the default message. You can use token variables to represent data in the Message field. See Table 2 for details.
  6. Click Save.
Parent topic: C&C Callback Notifications for Administrators