Splunk App for Enterprise Security · v7.3.0
DAY 14 LAB · LAB 14 — AUTHOR A SCHEDULED ALERT · WEEK 2
Author a scheduled brute-force alert with throttling and notable action.
  • Open Configure → Correlation Searches → Create New.
  • Write SPL that returns each src with ≥ 20 authentication failures in the 5-minute search window.
  • Schedule on cron */5 * * * * (every 5 minutes over a 5-minute window); throttle for 1h keyed on src.
  • Adaptive responses: Notable + Email.
Hint: Always throttle by the entity field (src here). Without throttling, every 5-minute run in which a source still exceeds the threshold raises another notable and another e-mail for the same src; throttling without a field suppresses all sources for the hour, not just the one that already fired.
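The four steps above, written out as the savedsearches.conf stanza that the Create New form produces. This is an added example for the lab, not configuration shipped with the course or with Splunk ES. Assumed, because the lab does not state them: the stanza and label names, that the Authentication data model is accelerated (required for summariesonly=true), the e-mail recipient, and the notable's severity and security domain.

```ini
# Added example: savedsearches.conf equivalent of the Lab 14 correlation search.
# Assumptions (not from the lab): stanza/label names, an accelerated
# Authentication data model, the e-mail recipient, severity and security domain.
[SOC30 - Lab 14 - Brute Force by Source - Rule]
description = 20 or more authentication failures from a single source in a 5-minute window.

# Detection: count failures per source over the scheduled window.
# The dispatch window is the 5 minutes, so no span= is needed in the search.
search = | tstats summariesonly=true \
      count AS failures, dc(Authentication.user) AS user_count, \
      values(Authentication.dest) AS dest \
      from datamodel=Authentication.Authentication \
      where Authentication.action="failure" \
      by Authentication.src \
  | rename Authentication.src AS src \
  | where failures >= 20

# Schedule: every 5 minutes over the previous minute-aligned 5-minute window
# (both bounds snapped to the minute, so consecutive runs neither overlap nor gap).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
schedule_window = auto

# Trigger on any returned row; the >= 20 threshold already lives in the SPL.
counttype = number of events
relation = greater than
quantity = 0

# Throttle keyed on the entity: at most one alert per src per hour.
# Omitting alert.suppress.fields makes the suppression global, which would
# also silence a second attacking source for the rest of the hour.
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 1h

# Register the saved search as an ES correlation search.
action.correlationsearch.enabled = 1
action.correlationsearch.label = SOC30 - Lab 14 - Brute Force by Source

# Adaptive response 1: notable event (one per result row, i.e. per src).
action.notable = 1
action.notable.param.rule_title = Brute force from $src$
action.notable.param.rule_description = $failures$ failed logons from $src$ against $user_count$ accounts in 5 minutes.
action.notable.param.security_domain = access
action.notable.param.severity = high
action.notable.param.drilldown_name = View failures from $src$
action.notable.param.drilldown_search = | from datamodel:Authentication.Authentication | search action="failure" src="$src$"

# Adaptive response 2: e-mail (recipient is a placeholder).
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = [ES] Brute force from $src$ ($failures$ failures)
action.email.sendresults = 1
```

To check the throttle, run the search once against a window known to contain a noisy source, confirm a notable appears in Incident Review, then rerun within the hour: the same src should produce no second notable, while a different src crossing the threshold still does. If the Authentication data model is not accelerated, drop summariesonly=true (or replace the tstats with a stats search over the raw authentication sourcetype), since summariesonly silently returns nothing when no summaries exist.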