Barracuda XDR

Responding to Alerts from the XDR Dashboard

Using the XDR Dashboard, you can communicate with the XDR SOC team about tickets without having to spend time on the phone.

You can respond to the SOC about open tickets and tickets that have been closed within the last four weeks.

The following table outlines the possible closure codes for alerts, when to use each one, and examples. Each entry gives the closure code name followed by its details:

True Positive

  • Definition: The alert is valid. The activity occurred as reported, and it is unauthorized, suspicious, or malicious.

  • When to select: When the alert highlights a genuine security event or policy violation.

  • Examples:

    • Alerted web traffic from a suspicious domain was confirmed to be malicious.

    • A system administrator modified a global policy without authorization.

    • A login from a foreign country was identified as an unauthorized access attempt.

Authorized Activity

  • Definition: The alerted-on activity occurred, but it was legitimate, approved, or expected.

  • When to select: When the alert is accurate, but the action was carried out by an authorized user or system.

  • Examples:

    • Alerted web traffic from a suspicious domain was confirmed as part of business operations.

    • A system administrator modified a global policy as part of an approved change request.

    • A login from a foreign country was verified as expected due to employee travel.

False Positive

  • Definition: The alerted activity did not occur or was misinterpreted in the alert.

  • When to select: When the alert is invalid or unclear on what activity has taken place. Submit detailed feedback for the alerting issue to be properly resolved.

  • Examples:

    • Alerted web traffic from a suspicious domain was determined to be normal, non-suspicious traffic.

    • A system administrator policy change was alerted on, but no modification occurred.

    • A login from a foreign country alert was sent with inaccurate or incomplete geolocation data.

Require Additional Support

  • When to select: When further investigation or assistance is needed from the Barracuda XDR SOC before the alert can be resolved.

To respond to alerts

  1. Open the ticket on the View Ticket page.

    • You can open a ticket in one of the following ways:

      • Find the ticket on the Alarms and Alerts page and click it.

      • If you know the ticket number, enter it in the top right corner of the View Ticket page.

  2. Click Respond to Ticket in the upper left corner of the Ticket Details page.

  3. In How should this alert be closed, select an option:

    • True Positive

    • Authorized Activity

    • False Positive

    • Require Additional Support

      NOTE: See the table above for detailed information and examples.

  4. In Investigation Findings, enter a summary of the investigation that was done and the conclusion that was reached, if applicable.

  5. In Further Action, select an option:

    • None - No further action is taken. The alert is closed.

    • Additional Support - Request additional support. The alert is not closed.

    • Allow-list - Add the Alert or Alarm to the Allow List. The alert is not closed.

    • Block-list - Add the Alert or Alarm to the Block List. The alert is not closed.

  6. In Details on further action requested, enter any other request you want to make to the SOC representative.

  7. In Was this alert helpful?, select Yes or No.

  8. In Feedback, enter anything else you want the SOC representative to know.

  9. Optionally, select Send mail for this update.

  10. Click Submit.