WEEK_2 · DAY_14 · 1 HOUR
Alerts, Reports & Saved Searches
Schedule, throttle, trigger conditions, alert actions
Learning Objectives
- Author a scheduled alert with a trigger condition
- Throttle to prevent alert storms
- Configure alert actions (email, webhook, script)
- Differentiate Reports (run on demand) vs Alerts (run on schedule + condition)
Module 1 — Saved Searches
A search can be saved as a Report (run on demand) or an Alert (scheduled + trigger condition).
Both are stored as stanzas in savedsearches.conf.
Module 2 — Trigger Conditions
Number of results > X · custom condition · per-result alerts.
ES correlation searches are scheduled saved searches with a 'create notable event' alert action.
Module 3 — Throttling
Suppress duplicate alerts within a window — by field(s) or globally.
Without throttling, a brute-force search will fire 100× per minute.
Module 4 — Alert Actions
Email · webhook · run script · trigger SOAR playbook · create Notable Event · risk modifier (ES).
Adaptive Response Actions in ES = a richer alert action framework.
Lab 14 — Author a Scheduled Alert
- In Splunk → Search, write a brute-force detection (≥ 20 failed logons in 5 min by src).
- Save as Alert: cron schedule */5 * * * * (every 5 minutes), trigger condition: number of results > 0.
- Throttle: suppress for 1 hour, keyed on the src field.
- Add alert actions: send email + create Notable Event.
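What the lab produces on disk, written out as the savedsearches.conf stanza Splunk stores for the alert (an added example, not course material; the index, sourcetype, EventCode 4625 as the failed-logon event, and the mailbox are assumptions):

```ini
# Added example: savedsearches.conf stanza for the Lab 14 alert.
# index, sourcetype, EventCode and the mailbox are assumed values.
[Lab14 - Brute force - 20+ failed logons in 5 min by src]
# Detection: count failed Windows logons (EventCode 4625) per source over the
# dispatch window and keep only sources at or above the threshold.
search = index=wineventlog sourcetype=XmlWinEventLog EventCode=4625 \
| stats count AS failures BY src \
| where failures >= 20
# Schedule: run every 5 minutes over the previous 5 minutes (minute-aligned,
# so consecutive windows do not overlap and a source is not double counted).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
# Trigger condition: the UI's "number of results > 0"
counttype = number of events
relation = greater than
quantity = 0
# One alert per search run; set to 0 for per-result alerts
alert.digest_mode = 1
# Throttle: suppress repeat alerts for the same src for 1 hour
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 1h
alert.track = 1
alert.severity = 4
# Alert action 1: email the SOC, with a link back to the results
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Brute force: $result.failures$ failed logons from $result.src$
action.email.include.results_link = 1
# Alert action 2: create a Notable Event (Enterprise Security adaptive response action)
action.notable = 1
action.notable.param.rule_title = Brute force from $result.src$
action.notable.param.rule_description = $result.failures$ failed logons in 5 min from $result.src$
action.notable.param.security_domain = access
action.notable.param.severity = high
# Marks the saved search as an ES correlation search
action.correlationsearch.enabled = 1
action.correlationsearch.label = Lab14 - Brute force by src
```

Without the alert.suppress.* keys the stanza fires on every 5-minute run for as long as the source keeps failing; with them, each src produces at most one email and one notable per hour.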
Key Takeaways
- ✓ Throttle every alert — alert fatigue kills SOCs
- ✓ Notable Event = the ES alert action
- ✓ Adaptive Response is the bridge to SOAR