Setting up ATR for Barracuda Incident Response

What ATR does

ATR determines whether an alert is malicious.

If ATR identifies the alert as malicious, the IP address is automatically added to the block list of the firewall or network security solution, depending on how malicious ATR determines it to be.

For more information about Automated Threat Response (ATR), see Setting up ATR.

Setting up ATR

The documentation below outlines the requirements for the Barracuda XDR Automated Threat Response (ATR) for Barracuda Incident Response.

Requirements

You must have:

  • Access to the Barracuda XDR Dashboard set up and functioning properly

  • Access to Barracuda Incident Response set up and functioning properly

  • Access to the Microsoft 365 integration

Configuring the Microsoft 365 integration

To configure the Microsoft 365 integration to support remediation actions for Automated Threat Response, you must add additional API permissions to the registered application by following the instructions below.

Note: In hybrid environments, changes are not applied to on-premises systems.

Add the new permissions in the Microsoft portal

  1. Log in to the Microsoft portal.

  2. Click Add a permission.

  3. Click Microsoft Graph.

  4. Select Application permissions (not delegated).

  5. Select the following:

    • Policy.Read.All

    • Policy.ReadWrite.ConditionalAccess

    • User.ReadWrite.All

    • User.EnableDisableAccount.All

    • MailboxSettings.Read

    • MailboxSettings.ReadWrite

  6. Click Add permissions to save the changes.

  7. After adding the new permissions, click Grant admin consent.
    This also applies to updates made to previously configured applications.

  8. Ensure that the Graph API roles show the following new permissions:

    • Policy.Read.All

    • Policy.ReadWrite.ConditionalAccess

    • User.ReadWrite.All

    • User.EnableDisableAccount.All

    • MailboxSettings.Read

    • MailboxSettings.ReadWrite

  9. Click Save.

To enable ATR in XDR Dashboard

  1. Log in to XDR Dashboard.

  2. Click Integrations.

  3. Click the Barracuda Incident Response card.

  4. On the Barracuda Impersonation Protection card, click one of the following:

    • If Barracuda Impersonation Protection is already set up, Update.

    • If Barracuda Impersonation Protection is already set up, Setup.

  5. Click Enable Auto Remediation.

  6. Ensure that the Graph API roles show the following new permissions:

    • Policy.Read.All

    • Policy.ReadWrite.ConditionalAccess

    • User.ReadWrite.All

    • User.EnableDisableAccount.All

    • MailboxSettings.Read

    • MailboxSettings.ReadWrite

  7. If the Graph API roles are correct, select the Auto Remediation Enabled checkbox.

  8. Click Save.
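
The "Ensure that the Graph API roles show the following new permissions" steps in both procedures can also be checked independently: application permissions that have received admin consent appear in the `roles` claim of an app-only Microsoft Graph access token. The following is an added example, not Barracuda's code. It decodes the token payload for inspection only (the signature is not verified), and the function names and the sample token are constructed for illustration.

```python
import base64
import json

# The six Microsoft Graph application permissions listed on this page.
REQUIRED_ROLES = frozenset({
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "User.ReadWrite.All",
    "User.EnableDisableAccount.All",
    "MailboxSettings.Read",
    "MailboxSettings.ReadWrite",
})

def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_roles(access_token):
    """Return the 'roles' claim of an app-only token (inspection only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    roles = claims.get("roles", [])  # absent when no app permission is consented
    if not isinstance(roles, list):
        raise ValueError("'roles' claim is not a list")
    return set(roles)

def audit_roles(access_token):
    """Compare the granted roles with the list this page requires."""
    granted = token_roles(access_token)
    return {
        "missing": sorted(REQUIRED_ROLES - granted),  # consent not yet effective
        "extra": sorted(granted - REQUIRED_ROLES),    # granted, but not needed for ATR
        "ready": REQUIRED_ROLES <= granted,
    }

def make_sample_token(roles):
    """Build a constructed, unsigned sample token so the check runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])

if __name__ == "__main__":
    # Constructed sample: two required roles plus one unrelated role.
    sample = make_sample_token(["Policy.Read.All", "MailboxSettings.Read", "Mail.Read"])
    print(audit_roles(sample))
```

Roles reported under `extra` are permissions on the registered application that the list above does not call for; they may belong to other features of the integration.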
