
Creating an Incident


This is the main method for creating an incident in Barracuda Forensics & Incident Response. You can also remediate incidents based on User-Reported Emails and Geographical Insights.

Note that after you remediate an email in any way, that email will only be visible from within the incident on the Incidents page. The email will no longer appear in searches, on the location map, or in user-reported emails.

To use the Barracuda Forensics & Incident Response wizard to identify a new incident:

  1. Log into Barracuda Forensics & Incident Response.
  2. On the Incidents page, click New Incident.

  3. In the New Incident page, enter criteria in one or more of the fields, then click Search Messages.
    • Sender Email – Search by sender name or domain name.
    • Email Subject – Search by full words in the subject line.
    • Attachment Name – Search for known or suspected malicious attachments by name. If you do not know the specific attachment name, you can search for the attachment type, like txt or pdf.
    • Date – Select from the Last 12 hours, Last 24 hours, Last 2 days, Last 7 days, or Last 30 days.
    • Include emails Barracuda Sentinel moved to the Junk folder – Select to search emails already flagged as suspicious by Barracuda Sentinel. (Available if you own Barracuda Sentinel and have it configured to send suspicious emails to users' Junk email folder.)
    Some or all of the search criteria fields are completed automatically if you are creating an incident from certain locations including user-reported emails or message log emails.
  4. The Review Messages page displays all matching results for the entered criteria.

    Optionally click the View Message icon to view a copy of an email in question, along with its header, attachment, and threat detail information. Threat details include DMARC, SPF, and DKIM information.
    Click Back to return to the Review recipients page.
  5. If your search returned too many emails, click Refine Search to better target the suspicious emails, then return to Step 3, described above. Otherwise, proceed to Step 6.
  6. Click Review Remediation Options. On the Incident Remediation - User Options page, if needed, select one or more actions that affect users, then click Next.
    • Delete selected emails permanently from affected users' inboxes.
      • Turn on continuous remediation for this incident – Enables Barracuda Forensics & Incident Response to continuously search for emails matching your search criteria (from Step 3 above) for 72 hours. If matching emails are found, they are added to the incident and Forensics attempts to delete them. After 72 hours, the feature automatically turns itself off.
        You must select Delete selected emails if you want to use continuous remediation.
    • Send a warning email alert to the affected users. Click Edit Email Alert to customize the message.
  7. On the Incident Remediation - Policy Options page, if needed, select one or more actions that affect policies, then click Next.  

    • Add a sender policy to Quarantine/Block emails – Adds a global policy in your Barracuda Email Security Service account, if you have an account, under Sender Policies. You can choose to add either a quarantine or block policy in two different ways:

      • by sender sets the policy for the unique sender(s) of these emails.
      • by domain sets the policy for all unique sending domain(s) of these emails.

    • Block all user web traffic for domains contained in links – Adds block exception policies for linked domains in your Barracuda Content Shield account, if you have an account. The exception policies are created in all locations.

  8. Click Remediate. Note that some actions might take several minutes to complete.

  9. Select whether you want to send a summary of the incident to yourself for tracking purposes, then review the suggested additional actions, including asking your end users to watch a video about suspicious emails from Barracuda PhishLine.

  10. Click Close.
