Splunk Core Certified User — Question 208
A SOC manager is complaining that a scheduled alert for failed login attempts triggered 150 emails. They still want to be alerted to failed logins via email, but with a lower volume of alerts. Which of the following would resolve this for the SOC manager?
Answer options
- A. Change the schedule so the alert runs more frequently.
- B. Disable the alert entirely.
- C. Change the trigger from "For each result" to "Once".
- D. Change the alert action from email to webhook.
Correct answer: C
Explanation
The correct answer is C because changing the trigger to "Once" consolidates the results of each scheduled run into a single notification, regardless of how many failed login attempts the search returns. The other options either increase the frequency of alerts (A), eliminate notifications altogether (B), or change the delivery method without addressing the volume issue (D).