We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Account Takeover Alerts

  • Last updated on

Barracuda Sentinel alerts the administrator when it detects an account takeover. When viewing the alerts, you can take the following actions:

viewDetailsIcon.pngView details
createIncidentIcon.pngCreate an incident
falsePositiveIcon.pngReport false positive

For information about incidents, refer to Handling an Account Takeover.

Alert Frequency

An alert is sent as soon as a user account is determined to be compromised. To prevent inundating the system with alerts, only one alert is sent per day for the same compromised user account. If you take steps to secure this user account so it is no longer compromised, additional alerts will not be sent. As long as the user account remains compromised, Barracuda Sentinel will continue to send a maximum of one alert per day.

Viewing Alerts

The Alerts table keeps a record of alerts created for your account. Alerts that have been addressed display with a line striking through the alert.

To view alerts:

  1. Log into the Barracuda Sentinel dashboard at https://sentinel.barracudanetworks.com/signin.
  2. Click the menu button at the top left of the dashboard and select Account Takeover. Then select the Alerts and Incidents tab.
  3. Take one or more actions described in the sections below.
Viewing Details

To view details, click the viewDetailsIcon.png button. Available information displays on the three tabs: Emails Sent, Sign Ins, and Inbox Rules. In the example below, you can see there are five emails sent, one inbox rule, but no sign ins.


From here, you can view details of the emails sent.

Sign Ins Tab Information

On the Sign Ins tab, you can see the date, IP, user agent, location, and issues of suspicious sign ins. Enable Show all sign ins to view legitimate sign ins in addition to the suspicious sign ins.

Note that this data is stored for 30 days, so if an alert is more than 30 days old, it is not possible to show all sign ins.

Taking Action

There are several actions you can take from the Alerts table.

Create an Incident

If you determine that an account has been compromised, you can create an incident right from the alert. Click the Create Incident createIncidentIcon.png button. Follow the instructions in Handling an Account Takeover.

Note that if you create an incident from an alert, the incident might be based on an inbox rule or suspicious sign in. In these cases, you know which of your accounts was compromised, but you might not have a suspicious email. When you are working with the wizard, you can specify that you do not have a sample of a malicious email.

Report False Positive

If Barracuda Sentinel detected suspicious activity, but you are certain the activity was legitimate, click the Report False Positive falsePositiveIcon.png button.

For more information on reporting false positives from other locations, refer to False Positives.

Dismiss Alert

Clicking the Dismiss dismissIcon.png button changes the alert's display in the Alert table, so it displays as crossed out. If you have already taken action on an alert and you have completed your work with the alert, you can dismiss it, basically crossing it off your list of things to do.

Note that if you dismiss an alert, but you have not addressed the issue itself, you will likely receive another alert on the same issue. For example, if a user account has been compromised and you have not created an incident or reported it as a false positive, the issue still exists. So Barracuda Sentinel will send you emails – one per day on this same issue until it is handled. See the section Alert Frequency earlier in this article.

Last updated on