Barracuda Sentinel alerts the administrator when it detects an account takeover. When viewing the alerts, you can take the following actions:
- Create an incident
- Report false positive
For information about incidents, refer to Handling an Account Takeover.
An alert is sent as soon as a user account is determined to be compromised. To prevent inundating the system with alerts, only one alert is sent per day for the same compromised user account. If you take steps to secure this user account so it is no longer compromised, additional alerts will not be sent. As long as the user account remains compromised, Barracuda Sentinel will continue to send a maximum of one alert per day.
The Alerts table keeps a record of alerts created for your account. Alerts that have been addressed display with a line striking through the alert.
To view alerts:
- Log in to the Barracuda Sentinel dashboard at https://sentinel.barracudanetworks.com/signin.
- Click the menu button at the top left of the dashboard and select Account Takeover. Then select the Alerts and Incidents tab.
- Take one or more actions described in the sections below.
To view details, click the button. Available information displays on the three tabs: Emails Sent, Sign Ins, and Inbox Rules. In the example below, you can see there are five emails sent, one inbox rule, but no sign ins.
From here, you can view details of the emails sent.
Sign Ins Tab Information
On the Sign Ins tab, you can see the date, IP, user agent, location, and issues of suspicious sign ins. Enable Show all sign ins to view legitimate sign ins in addition to the suspicious sign ins.
Note that this data is stored for 30 days, so if an alert is more than 30 days old, it is not possible to show all sign ins.
There are several actions you can take from the Alerts table.
Create an Incident
If you determine that an account has been compromised, you can create an incident right from the alert. Click the Create Incident button. Follow the instructions in Handling an Account Takeover.
Note that if you create an incident from an alert, the incident might be based on an inbox rule or suspicious sign in. In these cases, you know which of your accounts was compromised, but you might not have a suspicious email. When you are working with the wizard, you can specify that you do not have a sample of a malicious email.
Report False Positive
If Barracuda Sentinel detected suspicious activity, but you are certain the activity was legitimate, click the Report False Positive button.
For more information on reporting false positives from other locations, refer to False Positives.
Clicking the Dismiss button changes the alert's display in the Alerts table, so it displays as crossed out. If you have already taken action on an alert and you have completed your work with the alert, you can dismiss it, crossing it off your list of things to do.
Note that if you dismiss an alert, but you have not addressed the issue itself, you will likely receive another alert on the same issue. For example, if a user account has been compromised and you have not created an incident or reported it as a false positive, the issue still exists, so Barracuda Sentinel will send you one email per day on this same issue until it is handled. See the section Alert Frequency earlier in this article.