WEEK_2 · DAY_14 · LAB

Lab 14 — Author a Scheduled Alert

Schedule, throttle, trigger conditions, alert actions

Lab Objectives

  • Author a scheduled alert with a trigger condition
  • Throttle to prevent alert storms
  • Configure alert actions (email, webhook, script)
  • Differentiate Reports (run on demand) vs Alerts (run on schedule + condition)

Lab Instructions

  1. In Splunk → Search, write a brute-force detection (≥ 20 failed logons in 5 min by src).
  2. Save as Alert: cron */5, condition: results > 0.
  3. Throttle: 1 hour by src.
  4. Add alert action: send email + create Notable Event.
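The four steps above as one worked example. This is an added illustration, not part of the lab page or of Splunk's own documentation: it gives the step 1 search as SPL, steps 2 to 4 as a savedsearches.conf stanza, and a small Python model of the trigger condition and the per-src throttle so the semantics can be checked offline on constructed log events. The index name, the use of Windows EventCode 4625 for failed logons, the field name src and the recipient address are assumptions that are not stated on the page.

```python
"""Added example (not the lab's or Splunk's own code): brute-force detection
as SPL and as a savedsearches.conf stanza, plus a Python model of the
trigger condition (results > 0) and of throttling 1 hour by src.

Assumptions not stated on the page: events are in index=wineventlog,
failed logons are Windows EventCode=4625, the source field is `src`,
and the mail recipient is a placeholder."""
from collections import Counter
from datetime import datetime, timedelta

# Step 1: the detection search, >= 20 failed logons in a 5-minute bucket per src.
SPL = r"""
index=wineventlog EventCode=4625
| bin _time span=5m
| stats count AS failures BY _time, src
| where failures >= 20
"""

# Steps 2-4 as a savedsearches.conf stanza: run every 5 minutes (cron */5),
# trigger when the search returns any rows (results > 0), suppress repeats
# for the same src for 1h, then email and create a Notable Event
# (action.notable requires Splunk Enterprise Security).
SAVEDSEARCH_CONF = """
[Lab14 - Brute Force by Source]
search = index=wineventlog EventCode=4625 | bin _time span=5m | stats count AS failures BY _time, src | where failures >= 20
dispatch.earliest_time = -5m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */5 * * * *
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = src
action.email = 1
action.email.to = soc@example.com
action.notable = 1
"""

THRESHOLD = 20                   # failed logons per bucket per src
THROTTLE = timedelta(hours=1)    # alert.suppress.period, keyed by src

def detect(events):
    """Model of the SPL: bin each failure into its 5-minute bucket, count per
    (bucket, src) and keep the pairs that reach THRESHOLD.
    events are (datetime, src, outcome) tuples; outcome is 'failure' or 'success'."""
    counts = Counter()
    for ts, src, outcome in events:
        if outcome != "failure":
            continue
        bucket = ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)
        counts[(bucket, src)] += 1
    return sorted((b, s, n) for (b, s), n in counts.items() if n >= THRESHOLD)

def throttle(hits):
    """Model of alert.suppress by src: after a src fires, further hits for that
    src are dropped until THROTTLE has elapsed since the last delivered one."""
    last_fired = {}
    delivered = []
    for bucket, src, n in hits:
        if src in last_fired and bucket - last_fired[src] < THROTTLE:
            continue
        last_fired[src] = bucket
        delivered.append((bucket, src, n))
    return delivered

def sample_events():
    """Constructed sample data (not real logs) covering the interesting cases."""
    base = datetime(2024, 1, 15, 9, 0)
    events = []
    # 10.0.0.5: 25 failures in the 09:00 bucket -> fires
    events += [(base + timedelta(seconds=i * 10), "10.0.0.5", "failure") for i in range(25)]
    # 10.0.0.5: 22 more in the 09:10 bucket -> matches, but throttled (< 1h)
    events += [(base + timedelta(minutes=10, seconds=i * 5), "10.0.0.5", "failure") for i in range(22)]
    # 10.0.0.5: 21 more at 10:30 -> throttle window expired, fires again
    events += [(base + timedelta(minutes=90, seconds=i * 5), "10.0.0.5", "failure") for i in range(21)]
    # 10.0.0.7: exactly 20 failures in the 09:00 bucket -> boundary case, fires
    events += [(base + timedelta(minutes=3, seconds=i), "10.0.0.7", "failure") for i in range(20)]
    # 10.0.0.9: 5 failures and a success -> below threshold, no hit
    events += [(base + timedelta(seconds=i), "10.0.0.9", "failure") for i in range(5)]
    events.append((base, "10.0.0.9", "success"))
    return events

if __name__ == "__main__":
    hits = detect(sample_events())
    print("search results (would trigger the alert):")
    for bucket, src, n in hits:
        print(f"  {bucket:%H:%M}  {src:10}  failures={n}")
    print("delivered after 1h throttle by src:")
    for bucket, src, n in throttle(hits):
        print(f"  {bucket:%H:%M}  {src:10}  failures={n}")
```

Running the script shows four matching rows but only three delivered alerts: the second 10.0.0.5 burst at 09:10 is suppressed because the same src fired ten minutes earlier, while the 10:30 burst is delivered again once the hour has elapsed. That is the difference the lab is after between the trigger condition (results > 0 on each scheduled run) and the throttle (one notification per src per hour).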