Barracuda XDR Release Notes — October 2025

In October, the following features were changed or added to Barracuda XDR:

  • New features: Barracuda Managed XDR released many new improvements, including renaming ticket statuses to be clearer, the SentinelONE Endpoint Agent install now handling more than 10 groups, and adding the device name to Audit Log actions for SentinelONE.

  • New rules: Eight new rules were added.

  • Tuning and bug fixes: Several rules have been refined and enhanced with ATR.

New Features

Ticket Statuses Renamed

We’ve made changes to reduce confusion about who has the current action item for a given ticket.

Old Status   New Status     Responsibility
Open         Awaiting SOC   Waiting for a response from the Barracuda XDR SOC team
On-Hold      Open           Waiting for a response from the customer

SentinelONE Endpoint Agent Install now handles more than 10 groups

Now, when you install the Endpoint Agent, you are prompted to enter a site token for one of the groups in your environment. These group tokens are available on the Downloads > Endpoint Protection page, in the Step 3 area. This offers you increased scalability and control.

Audit Log Actions for SentinelONE Endpoint devices now include the device name

The device name has been added to audit log actions for SentinelONE endpoint devices. This lets you easily identify what devices are being affected by the audit log actions.

Capabilities and Integrations

New automations added to XDR Managed Endpoint Security

The following new automations are added to Managed Endpoint Security:

  • Automate IR policy config after High-True Positive rate STAR rules trigger

    • This automation issues rollback and network-isolate commands to all agents in a given tenant when a high-confidence STAR rule triggers, helping reduce time to respond.

  • Low risk alarm details displayed in ticket in XDR Dashboard

    • You can now view full threat details for alarms categorized as low risk which were not sent as SOC alerts. The details are displayed in the ticket in the XDR Dashboard.

New Rules

  • FortiGate Data Exfiltration Detection

    • Detects potential data exfiltration events from FortiGate firewall logs using advanced feature engineering, baselining, and ML scoring.

  • Meraki Suspicious SSL-VPN Login

    • Detects users successfully connecting to the Meraki SSL-VPN from external IPs not seen in their historical connection table, excluding private and reserved ranges, indicating possible compromised credentials or unauthorized access attempts.

  • GLB.ID.EGD Barracuda EGD Email IP Matched with Threat IP

    • Detects malicious email IPs that match a known threat IP.

  • GLB.ID.EGD Barracuda EGD Bulk Account Modifications Detected

    • Detects bulk modifications like create, change, delete, reset, and more for users. This rule only tracks activities performed by authenticated users attempting to modify administrative settings in bulk.

  • GLB.ID.EGD Barracuda EGD Password Spraying Attempt

    • Detects multiple failed login attempts for numerous users.

  • GLB.AD.CAS Azure MFA Disabled

    • Detects that MFA has been disabled for a user in Azure.

  • Windows Security EVTX Path Altered in Registry

    • Detects the Security event log channel being renamed to prevent writing new logs to the channel.

  • XDR Managed Endpoint Security STAR rule - Cephalus Ransomware Detected

    • Detects Cephalus ransomware, a newer variant observed in the wild, while the attack is in the pre-encryption phases. This rule has ATR enabled so that when detected, impacted endpoint(s) are isolated from the network to remove the threat actor from the environment.
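The Meraki Suspicious SSL-VPN Login logic listed above (successful login, external source IP, not in the user's historical connection table, private and reserved ranges excluded), written out as a small detector over constructed events. This is an added illustration, not Barracuda's rule code; the event field names (`user`, `src_ip`, `result`) and the IPv6 handling are assumptions.

```python
import ipaddress

# Ranges treated as private or reserved and therefore never alerted on.
# RFC 5737 TEST-NET blocks are deliberately absent so the constructed sample
# events below can use them as stand-ins for public addresses.
EXCLUDED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10",                                   # shared CGNAT (RFC 6598)
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",         # "this" net, multicast, reserved
)]

def is_excluded(ip_text):
    """True for private/reserved (or unparseable) source IPs, which the rule skips."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    if ip.version == 6:          # assumption: any non-global IPv6 source is excluded
        return not ip.is_global
    return any(ip in net for net in EXCLUDED_RANGES)

def detect_new_vpn_sources(events, history):
    """Alert on successful SSL-VPN logins from external IPs absent from the user's history.
    `history` maps user -> set of external IPs seen before and is updated in place, so a
    newly observed IP alerts once and then becomes part of that user's baseline."""
    alerts = []
    for ev in events:
        if ev.get("result") != "success" or is_excluded(ev["src_ip"]):
            continue
        seen = history.setdefault(ev["user"], set())
        if ev["src_ip"] not in seen:
            alerts.append({"user": ev["user"], "new_ip": ev["src_ip"]})
            seen.add(ev["src_ip"])
    return alerts

# Constructed sample data, not real Meraki logs.
BASELINE = {"alice": {"203.0.113.10"}}
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "192.168.1.20", "result": "success"},  # private: skipped
    {"user": "alice", "src_ip": "203.0.113.10", "result": "success"},  # known external: quiet
    {"user": "bob",   "src_ip": "198.51.100.7", "result": "failed"},   # failed login: skipped
    {"user": "alice", "src_ip": "198.51.100.7", "result": "success"},  # new external: alert
    {"user": "alice", "src_ip": "198.51.100.7", "result": "success"},  # now baselined: quiet
    {"user": "bob",   "src_ip": "198.51.100.7", "result": "success"},  # first seen for bob: alert
]

if __name__ == "__main__":
    for a in detect_new_vpn_sources(SAMPLE_EVENTS, {u: set(s) for u, s in BASELINE.items()}):
        print(f"ALERT: {a['user']} connected from unseen external IP {a['new_ip']}")
```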

Tuning and Bug Fixes

Updates to Microsoft Office 365 Anomalous Login

If the combined_rarity_score equals 1 AND the user agent contains Axios, a high-level alert and an ATR block are sent immediately. This update takes failed-login context into account, improving detection of password spray, credential compromise, brute force, and session hijacking, while also considering each user's common login patterns (IP, geo, ASN) to further minimize unnecessary alerts.

This update directly leverages Barracuda threat intel, ensuring an alert is still sent when the model misses an anomaly but the threat enrichment matches.

Microsoft Office 365 Suspicious New Inbox Rule Created - Updates

If a user has a history of logging in from that City, ASN, and/or device name when cross-correlating recent logins with the suspicious inbox rule created, the alert severity is downgraded to medium.

Microsoft Office 365 Suspicious New Inbox Rule - Updates

We have added an additional correlation to downgrade the severity if the event is coming from an IP/device that is commonly in use for the user.
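The three Office 365 updates above (the Axios escalation for Anomalous Login, and the familiar City/ASN/device and IP/device downgrade for Suspicious New Inbox Rule) expressed as one triage function over constructed events. This is an added illustration, not Barracuda's rule code; the 24-hour correlation window, the `high` default when no familiar context is found, and the field names are assumptions.

```python
from datetime import datetime, timedelta

FAMILIAR_FIELDS = ("ip", "city", "asn", "device")  # login attributes compared with the user's baseline
WINDOW = timedelta(hours=24)                       # assumed correlation window; the notes give none

def familiar_login_context(user, logins, history, at):
    """Return the baseline fields that logins for `user` inside the window share with history."""
    known = history.get(user, {})
    matched = set()
    for login in logins:
        if login["user"] != user or not (at - WINDOW <= login["timestamp"] <= at):
            continue
        matched.update(f for f in FAMILIAR_FIELDS if login.get(f) in known.get(f, set()))
    return matched

def triage(alert, recent_logins, history):
    """Severity decision for an O365 Anomalous Login or Suspicious New Inbox Rule alert."""
    ua = alert.get("user_agent", "").lower()
    # Anomalous Login tuning: a fully rare login (combined_rarity_score == 1) with an Axios
    # user agent is raised as high with an ATR block immediately, before any downgrade.
    if (alert["kind"] == "anomalous_login"
            and alert.get("combined_rarity_score") == 1 and "axios" in ua):
        return {"severity": "high", "atr_block": True, "reason": "rarity 1 with Axios user agent"}
    # Both rules: a recent login from a familiar IP/City/ASN/device downgrades the alert to medium.
    matched = familiar_login_context(alert["user"], recent_logins, history, alert["timestamp"])
    if matched:
        return {"severity": "medium", "atr_block": False,
                "reason": "recent login from familiar " + ", ".join(sorted(matched))}
    return {"severity": "high", "atr_block": False, "reason": "no familiar login context"}  # assumed default

# Constructed sample data, not real tenant logs. AS64500/AS64501 are documentation ASNs (RFC 5398).
HISTORY = {"alice": {"ip": {"203.0.113.10"}, "city": {"Denver"},
                     "asn": {"AS64500"}, "device": {"ALICE-LT"}}}
T0 = datetime(2025, 10, 14, 9, 0)
RECENT_LOGINS = [
    # 2h before the inbox rule: new IP and ASN, but a city alice normally logs in from
    {"user": "alice", "timestamp": T0 - timedelta(hours=2), "ip": "198.51.100.7",
     "city": "Denver", "asn": "AS64501", "device": "UNKNOWN"},
    # 3 days old: fully familiar, but outside the correlation window
    {"user": "alice", "timestamp": T0 - timedelta(days=3), "ip": "203.0.113.10",
     "city": "Denver", "asn": "AS64500", "device": "ALICE-LT"},
]
INBOX_ALERT = {"kind": "inbox_rule_created", "user": "alice", "timestamp": T0}
AXIOS_ALERT = {"kind": "anomalous_login", "user": "alice", "timestamp": T0,
               "combined_rarity_score": 1, "user_agent": "axios/1.6.0"}

if __name__ == "__main__":
    for name, alert in (("inbox rule", INBOX_ALERT), ("anomalous login", AXIOS_ALERT)):
        print(name, triage(alert, RECENT_LOGINS, HISTORY))
```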

FortiGate ATR Block/Unblock

We have improved the error messages posted to the XDR Dashboard by the FortiGate ATR Block/Unblock rule.

Enhanced Windows User Deleted from High-Risk Security Enabled Group

We modified the ticket body to exclude the complete user list (50+ users) for each security group. Only the top 5 user accounts per group are displayed.

Barracuda IDS Internal Permitted Suspicious Traffic rule

We updated this rule to drop ET RETIRED signatures, since they are outdated.

Rules Enhanced with SOAR

The following rules have been enhanced with SOAR:

  • Rule Automations:

    • GLB.MD.EPP Bitdefender Malware Detection

    • Azure Administrator Role Addition to PIM User

    • Microsoft Office 365 Activity Performed by Terminated User

    • Microsoft Office 365 ATP Malware Filter Rule Disabled

    • Microsoft Office 365 Exchange DLP Policy Removed

    • Microsoft Office 365 ATP Anti Phishing Rule Disabled

    • Microsoft Office 365 Account Password Policy Changed

    • Microsoft Office 365 Activity from an Anonymous Proxy

    • Microsoft Office 365 Exchange Malware Filter Policy Deletion

    • Microsoft Office 365 Unusual File Download activity

    • GLB.AA.NET Sophos XG Detected High Outbound Data Transfer To Russia

    • GLB.AD.NET Sophos XG Administrator Successfully Performed an Add Operation

    • Microsoft Office 365 Malware Detection

    • Microsoft Office 365 Mass Access to Sensitive Files

    • Microsoft Office 365 Multiple Delete VM Activities

  • We’ve also enhanced the logic to only alert on Barracuda IDS signatures from 2023-2026 for internal-to-internal traffic, reducing the volume of outdated events that previously generated false-positive alerts.