The Signal Tower • Room 1

Configuring Alerts

**Alerts** are saved searches that run on a schedule and trigger an action when a specific condition is met (e.g., count > 100).

Alert actions include: sending an email, running a script, using a webhook, or logging to a summary index.

You can configure **throttling** to prevent alert storms: it suppresses duplicate triggers for a set time window, keyed on the values of specific fields (for example, one alert per `src_ip` per window rather than one per scheduled run).

Alert Condition

```spl
index=security action=failed | stats count by src_ip | where count > 50
```
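The following is an added example, not code from the page or from Splunk: it simulates the alert condition above (`stats count by src_ip | where count > 50`) running on a schedule over constructed sample events, and applies throttling keyed on `src_ip` so a source that keeps failing produces one action per suppression window instead of one per run. The schedule (every 5 minutes), search window (15 minutes), and suppression period (10 minutes) are assumed values chosen for the illustration.

```python
"""Added example (not from the page): a scheduled alert with per-field throttling.

Reproduces  index=security action=failed | stats count by src_ip | where count > 50
over constructed events, then suppresses duplicate triggers per src_ip for a
set window, which is what alert throttling does.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, src_ip) for events that would match
# index=security action=failed. 10.0.0.5 fails 60 times within five minutes;
# 10.0.0.9 fails three times and must never trigger the alert.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [(T0 + timedelta(seconds=5 * i), "10.0.0.5") for i in range(60)]
EVENTS += [(T0 + timedelta(minutes=i), "10.0.0.9") for i in range(3)]


def alert_condition(events, earliest, latest, threshold=50):
    """stats count by src_ip | where count > threshold, over [earliest, latest)."""
    counts = Counter(ip for ts, ip in events if earliest <= ts < latest)
    return {ip: n for ip, n in counts.items() if n > threshold}


class ThrottledAlert:
    """Fires an action for each triggering src_ip, but at most once per
    suppress_period for the same src_ip value."""

    def __init__(self, suppress_period, window, threshold=50):
        self.suppress_period = suppress_period  # throttle window (assumed value)
        self.window = window                    # search time range per run
        self.threshold = threshold
        self._last_fired = {}                   # src_ip -> time of last action

    def run(self, events, now):
        """One scheduled execution at `now`; returns (fired, suppressed)."""
        hits = alert_condition(events, now - self.window, now, self.threshold)
        fired, suppressed = [], []
        for ip, count in sorted(hits.items()):
            last = self._last_fired.get(ip)
            if last is not None and now - last < self.suppress_period:
                suppressed.append(ip)           # duplicate inside window: no action
            else:
                self._last_fired[ip] = now
                fired.append((ip, count))       # stand-in for email/webhook action
        return fired, suppressed


def simulate(schedule_every=timedelta(minutes=5), runs=4):
    """Run the alert on a cron-like schedule and return each run's result."""
    alert = ThrottledAlert(suppress_period=timedelta(minutes=10),
                           window=timedelta(minutes=15))
    history = []
    for i in range(1, runs + 1):
        now = T0 + i * schedule_every
        history.append(alert.run(EVENTS, now))
    return history


if __name__ == "__main__":
    for i, (fired, suppressed) in enumerate(simulate(), start=1):
        print(f"run {i}: fired={fired} suppressed={suppressed}")
```

Run 1 fires for 10.0.0.5, run 2 is suppressed because the same `src_ip` fired five minutes earlier, and run 3 fires again: the 15-minute search window still contains the original burst after the 10-minute throttle has lapsed, so the same stale events trigger a second action. That is the check worth making when configuring a real alert: keep the suppression period at least as long as the search window (or the search window no longer than the schedule interval), otherwise throttling only delays the duplicate rather than preventing it.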

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Question 1 of 1
What does alert throttling do?
A. Speeds up alert execution
B. Suppresses duplicate alerts for a defined time window
C. Deletes old alerts
D. Changes the alert priority