Splunk App for Enterprise Security · v7.3.0
DAY 27 LAB · LAB 27 — BRUTE FORCE PLAYBOOK · week 4
Author a brute-force SOAR playbook with approval gates.
- Notable N-2041 fires.
- Sketch playbook: enrich src_ip (geo, threat) → check user exists → block at FW (approval) → notify.
- Mark which steps are auto vs gated.
Hint: Auto: read-only enrichment. Gate: every destructive action (block, disable, isolate).
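One way to model the sketched playbook and the auto/gated split, as an added example that is not Splunk or SOAR product code: each step carries a `destructive` flag, read-only enrichment runs unconditionally, and a destructive step only executes when an approver callback returns True, otherwise it is recorded as pending and the playbook still notifies. The notable, the geo/threat lookups, the user directory and the firewall call are all constructed stand-ins; the address 203.0.113.45 is a documentation (TEST-NET-3) address.

```python
"""Minimal SOAR-style playbook runner for the brute-force lab.

Added example, not Splunk ES / SOAR code. Every data source and the
firewall action below is a constructed stand-in.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed notable event standing in for N-2041.
NOTABLE = {
    "id": "N-2041",
    "rule": "Brute Force Access Behavior Detected",
    "src_ip": "203.0.113.45",   # TEST-NET-3 documentation address
    "user": "jdoe",
}

# Constructed lookup tables standing in for geo, threat-intel and identity sources.
GEO_LOOKUP = {"203.0.113.45": {"country": "XX", "asn": "AS64496"}}
THREAT_LOOKUP = {"203.0.113.45": {"listed": True, "source": "constructed-feed"}}
KNOWN_USERS = {"jdoe", "asmith"}


@dataclass
class Step:
    name: str
    action: Callable[[dict], dict]
    destructive: bool = False   # destructive steps must pass an approval gate


@dataclass
class RunResult:
    executed: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)
    context: dict = field(default_factory=dict)


def enrich_src_ip(ctx: dict) -> dict:
    # Auto: read-only lookups, no side effects.
    ip = ctx["src_ip"]
    return {"geo": GEO_LOOKUP.get(ip, {}),
            "threat": THREAT_LOOKUP.get(ip, {"listed": False})}


def check_user_exists(ctx: dict) -> dict:
    # Auto: read-only identity check.
    return {"user_exists": ctx["user"] in KNOWN_USERS}


def block_at_firewall(ctx: dict) -> dict:
    # Gated: constructed stand-in for a firewall block API call.
    return {"fw_blocked": ctx["src_ip"]}


def notify(ctx: dict) -> dict:
    # Auto: constructed stand-in for an email/chat connector.
    status = "blocked" if "fw_blocked" in ctx else "block pending approval"
    return {"notification": f"{ctx['id']}: {ctx['src_ip']} {status}"}


def build_playbook() -> List[Step]:
    """The sketched flow: enrich -> check user -> block (approval) -> notify."""
    return [
        Step("enrich_src_ip", enrich_src_ip),
        Step("check_user_exists", check_user_exists),
        Step("block_at_firewall", block_at_firewall, destructive=True),
        Step("notify", notify),
    ]


def classify(playbook: List[Step]) -> Dict[str, str]:
    """Mark each step as 'auto' or 'gated' from its destructive flag."""
    return {s.name: ("gated" if s.destructive else "auto") for s in playbook}


def run_playbook(notable: dict, approver: Callable[[str, dict], bool]) -> RunResult:
    """Run the playbook; destructive steps execute only if approver() returns True."""
    result = RunResult(context=dict(notable))
    for step in build_playbook():
        if step.destructive and not approver(step.name, result.context):
            result.pending_approval.append(step.name)
            continue  # skip the destructive action; later auto steps still run
        result.context.update(step.action(result.context))
        result.executed.append(step.name)
    return result


if __name__ == "__main__":
    # With no analyst approval yet, the block is held and the notification says so.
    held = run_playbook(NOTABLE, approver=lambda name, ctx: False)
    print(classify(build_playbook()))
    print(held.executed, held.pending_approval, held.context["notification"])
```

The approver is the only place the gate is decided, so in a real deployment it would be replaced by the SOAR platform's prompt/approval block; the `destructive` flag on each step is what keeps a new step from silently running unapproved.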