Barracuda Sentinel alerts the administrator when it detects an account takeover. When viewing the alerts, you can take the following actions, which are described below:
- Review details
- Create an incident
- Report false positive
For information about incidents, refer to Handling an Account Takeover.
An alert is sent as soon as a user account is determined to be compromised. To prevent inundating the system with alerts, only one alert is sent per day for the same compromised user account. If you take steps to secure this user account so it is no longer compromised, additional alerts will not be sent. As long as the user account remains compromised, Barracuda Sentinel will continue to send a maximum of one alert per day.
The Alerts table keeps a record of alerts created for your account. Alerts that have been addressed are displayed with a strikethrough.
To view alerts:
- Log in to the Barracuda Sentinel dashboard at https://sentinel.barracudanetworks.com/signin.
- Click the menu button at the top left of the dashboard and select Account Takeover. Then select the Alerts tab.
- Take one or more actions described in the sections below.
Review Details
To review details, click REVIEW. Available information displays on the three tabs: Emails Sent, Sign Ins, and Inbox Rules. In the example below, you can see there are zero emails sent, five sign ins, and no inbox rules.
From here, you can view details of the emails sent.
Create an Incident
If you determine that an account has been compromised, you can create an incident right from the alert. Click Create Incident. Follow the instructions in Handling an Account Takeover.
Note that if you create an incident from an alert, the incident might be based on an inbox rule or suspicious sign in. In these cases, you know which of your accounts was compromised, but you might not have a suspicious email. When you are working with the wizard, you can specify that you do not have a sample of a malicious email.
Report False Positive
If Barracuda Sentinel detected suspicious activity, but you are certain the activity was legitimate, click Report False Positive.
For more information on reporting false positives from other locations, refer to False Positives.
Sign Ins Tab Information
On the Sign Ins tab, you can see the date, IP, user agent, location, and issues of suspicious sign ins. Click View Related Sign Ins to view legitimate sign ins in addition to the suspicious sign ins.
Note that this data is stored for 30 days, so if an alert is more than 30 days old, it is not possible to show all sign ins.
In this view, highlighted rows show events that triggered an Account Takeover alert.