Configuring the C&C Callback Outbreak Criteria and Notifications

Go to Administration > Notifications > Outbreak.

The Outbreak Notifications screen appears.

On the Criteria tab in the C&C Callbacks section, configure the following:

Option	Description
Same compromised host	Select to define an outbreak based on the callback detections per endpoint
C&C risk level	Specify whether to trigger an outbreak on all C&C callbacks or only high risk sources
Action	Specify which actions Apex One counts to determine an outbreak scenario
Detections	Specify the number of detections that Apex One must exceed to trigger an outbreak scenario
Time period	Specify the monitoring period

On the Email tab:

Specify the Message contents.

Apex One supports use of tokens in the Subject and Message fields.

Table 1. Token Variables for C&C Callback Outbreak Notifications
Variable Token	Description
%C	Number of C&C callback logs
%T	Time period when the C&C callback logs accumulated

Specify any additional log data you want to include in the notification (in tabular format).

Log Column	Description
Date/Time	Date and time of detection
Compromised Host	Endpoint with the detection
IP Address	IP address of the compromised host
Domain	The domain of the endpoint on which the detection occurred
Callback Address	The URL that triggered the detection
C&C Risk Level	The risk level of the callback address
C&C List Source	The C&C list source that identified the C&C server
Action	Action performed on the security risk

In the SNMP Trap tab:

Go to the C&C Callbacks section.
Select Enable notification via SNMP trap.
Accept or modify the default message. You can use token variables to represent data in the Message field. See Table 1 for details.

In the NT Event Log tab:

Go to the C&C Callbacks section.
Select Enable notification via NT Event Log.
Accept or modify the default message. You can use token variables to represent data in the Message field. See Table 1 for details.

Click Save.