Viewing records of ATR actions for Microsoft Defender for Endpoint
Every action carried out by ATR is detailed in the alert body and logged in the Audit Log in the Barracuda XDR Dashboard.
For automated actions, the user is listed as xdr.automation.
For manual actions, the source user is listed.
The potential actions are:
Microsoft Defender for Endpoint Start Isolate Device
Microsoft Defender for Endpoint Start Unisolate Device
Endpoint Device Isolation Result
To view records of ATR actions
In XDR Dashboard, click ATR Settings > Endpoint.
Click View Audit History.
This takes you to the Administration > Audit Log page. Filtering is applied to show you only ATR actions.
You can also view records of ATR actions on the Administration > Audit Log page by filtering the page on the Action field by:
Microsoft Defender for Endpoint Start Isolate Device
Microsoft Defender for Endpoint Start Unisolate Device
Endpoint Device Isolation Result
Contact Us
Barracuda Campus
Barracuda Support