The Gauntlet • Room 3
Scenario: Alert Storm
Your SOC team is drowning in 500+ duplicate alerts per hour for brute-force login attempts. You need to redesign the alert so that it is actionable.
Apply throttling on `src_ip`, consider switching from real-time to scheduled, and think about which alert action (webhook to SOAR, email to on-call) is most appropriate.
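The redesign described above, expressed as a Splunk `savedsearches.conf` stanza pair (an added example, not part of this training room). It assumes authentication events live in `index=auth` with fields `action` and `src_ip`, and the SOAR webhook URL is a placeholder.

```ini
# savedsearches.conf -- added example; assumed index/field names, placeholder URL.

# BEFORE: real-time search that fires once per failed login, no throttling.
[Brute Force Login - noisy]
search = index=auth action=failure
enableSched = 1
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
action.email.to = oncall@example.com

# AFTER: scheduled every 15 minutes, aggregated per source, throttled on src_ip.
[Brute Force Login - actionable]
search = index=auth action=failure | stats count dc(user) AS users BY src_ip | where count >= 20
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# One alert per result row (per src_ip) so that field-based suppression applies.
alert.digest_mode = 0
# Throttle: no further alert for the same src_ip for 60 minutes.
alert.suppress = 1
alert.suppress.fields = src_ip
alert.suppress.period = 60m
# Route the aggregated alert to the SOAR platform instead of paging on-call.
action.webhook = 1
action.webhook.param.url = https://soar.example.invalid/hooks/splunk-bruteforce
```

With the 20-failure threshold and 60-minute throttle, a single source generating hundreds of failures per hour produces at most one alert per hour, carrying the count and distinct-user tally the SOAR playbook needs.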
Knowledge Check
Prove your understanding to clear the room (Rewards XP)
Fix the alert storm scenario.
To reduce duplicate alerts, apply ______ suppression on the `src_ip` field. For high-volume environments, switch from real-time to ______ alerts.