Configure a Botnet Report

1. Define the types of traffic that indicate possible botnet activity.

   1. Select MonitorBotnet and click Configuration on the right side of the page.
   2. Enable and define the Count for each type of HTTP Traffic that the report will include.

      The Count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display a lower confidence score or (for certain traffic types) won’t display an entry for the host. For example, if you set the Count to three for Malware URL visit, then hosts that visit three or more known malware URLs will have higher scores than hosts that visit less than three. For details, see Interpret Botnet Report Output.
   3. Define the thresholds that determine whether the report will include hosts associated with traffic involving Unknown TCP or Unknown UDP applications.
   4. Select the IRC check box to include traffic involving IRC servers.
   5. Click OK to save the report configuration.
2. Schedule the report or run it on demand.

   1. Click Report Setting on the right side of the page.
   2. Select a time interval for the report in the Test Run Time Frame drop-down.
   3. Select the No. of Rows to include in the report.
   4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones.

      For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no potential botnet activity, add not (addr.src in 10.0.1.35) as a query to exclude that host from the report output. For details, see Interpret Botnet Report Output.
   5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
   6. Click OK and Commit.