
SIEM Alert Configuration

Configure the SIEM Alert Settings based on the below ticket from your manager.

Ticket #983981

We have been seeing suspicious repeated login attempts. Our policy states that no more than five invalid login attempts are permitted within a 15-minute window. Use any recommended settings that are available. Once this threshold is exceeded, trigger an alert and ensure the security team is notified by email at security@example.com. Our new SIEM is not yet fully integrated with our firewalls where the logs are sourced from, so for now we will only alert on these settings.

Rule Settings

Choose how login failures are tracked over time:

  • Static
    Count resets every fixed interval (e.g., every 15 minutes, on the clock).
    Example: 5 failures between 10:00–10:15 triggers block, resets at 10:15.

  • Repeated Interval
    A new window starts after each detection (rolling windows of fixed size).
    Example: If 5 failures happen from 10:02–10:17, block and reset window from 10:17.

  • Sliding (Recommended)
    Continuously checks the most recent X minutes. Most accurate for burst detection.
    Example: At any time, if more than 5 failures occurred in the past 15 minutes, trigger a block.
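The three tracking modes above differ in which failures they count together. The following added Python example (written for this page, not part of the PBQ or any SIEM product) implements each mode over a handful of constructed failed-login log lines, using the ticket's threshold (more than five failures) and window (15 minutes). The log format, usernames and addresses are assumptions chosen for the example.

```python
"""Static, repeated-interval and sliding window counting of failed logins.

Added worked example; the log format and sample data are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILED = 5                  # ticket: no more than five invalid attempts
WINDOW = timedelta(minutes=15)  # ticket: within a 15-minute window
EPOCH = datetime(1970, 1, 1)    # anchor for clock-aligned static buckets

# Constructed sample log lines (documentation IP ranges, fictitious users).
# alice fails six times between 10:12 and 10:18, straddling the 10:15 boundary.
SAMPLE_LOG = """\
2024-05-01 10:12:03 auth failure user=alice src=203.0.113.7
2024-05-01 10:13:10 auth failure user=alice src=203.0.113.7
2024-05-01 10:14:41 auth failure user=alice src=203.0.113.7
2024-05-01 10:14:55 auth failure user=bob src=198.51.100.2
2024-05-01 10:16:02 auth failure user=alice src=203.0.113.7
2024-05-01 10:17:30 auth failure user=alice src=203.0.113.7
2024-05-01 10:18:09 auth failure user=alice src=203.0.113.7
2024-05-01 10:40:00 auth failure user=bob src=198.51.100.2
"""


def parse_failures(text):
    """Return a time-ordered list of (timestamp, user) for every 'auth failure' line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2:4] != ["auth", "failure"]:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        user = next(p.split("=", 1)[1] for p in parts[4:] if p.startswith("user="))
        events.append((ts, user))
    return sorted(events)


def static_alerts(events, window=WINDOW, max_failed=MAX_FAILED):
    """Static: counters live in fixed clock-aligned buckets (10:00-10:15, 10:15-10:30, ...).

    A burst that straddles a bucket boundary is split across two counters.
    """
    counts = defaultdict(int)   # (user, bucket index) -> failures seen in that bucket
    alerts = []
    for ts, user in events:
        bucket = (ts - EPOCH) // window
        counts[(user, bucket)] += 1
        if counts[(user, bucket)] == max_failed + 1:   # alert once per bucket on crossing
            alerts.append((ts, user))
    return alerts


def repeated_interval_alerts(events, window=WINDOW, max_failed=MAX_FAILED):
    """Repeated interval: a window opens at a user's first failure and lasts `window`.

    After a detection (or after the window expires) a fresh window is opened.
    """
    state = {}   # user -> (window_start, count)
    alerts = []
    for ts, user in events:
        start, count = state.get(user, (None, 0))
        if start is None or ts - start >= window:
            start, count = ts, 0         # open a new window at this failure
        count += 1
        if count > max_failed:
            alerts.append((ts, user))
            start, count = ts, 0         # reset the window from the detection time
        state[user] = (start, count)
    return alerts


def sliding_alerts(events, window=WINDOW, max_failed=MAX_FAILED):
    """Sliding: on every failure, count the failures in the preceding `window`.

    Alerts each time a user's count rises to max_failed + 1, so one burst
    produces one alert rather than one per additional failure.
    """
    recent = defaultdict(deque)   # user -> timestamps still inside the look-back
    alerts = []
    for ts, user in events:
        q = recent[user]
        while q and ts - q[0] > window:   # evict failures older than the look-back
            q.popleft()
        q.append(ts)
        if len(q) == max_failed + 1:
            alerts.append((ts, user))
    return alerts


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for name, detector in [("static", static_alerts),
                           ("repeated interval", repeated_interval_alerts),
                           ("sliding", sliding_alerts)]:
        hits = [(ts.strftime("%H:%M:%S"), user) for ts, user in detector(failures)]
        print(f"{name:18s} alerts -> {hits or 'none'}")
```

Run stand-alone, the static mode reports nothing for alice because her six failures fall three into the 10:00-10:15 bucket and three into 10:15-10:30, while both the repeated-interval and sliding modes alert on the sixth failure at 10:18:09. That gap is the reason the page marks sliding as the most accurate choice for burst detection; the repeated-interval mode happens to catch this burst only because alice's first failure opened the window.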

Action Preferences

Choose how you want to be notified when the threshold is reached:

  • Email
    Sends an alert to the specified email address.
    Address: Enter a valid email address (e.g., admin@example.com).

  • SMS
    Sends a text message to a mobile number.
    Address: Enter a phone number with country code (e.g., +15551234567).

  • Dashboard Alert
    Displays an alert within the monitoring or admin dashboard.
    Address: No address required.

  • Push notification
    Sends a push notification to a connected mobile app or browser.
    Address: Enter the device token or user ID, depending on integration.

  • Microsoft Teams
    Sends a message to a Teams channel via webhook.
    Address: Enter the Microsoft Teams webhook URL.

  • Slack Channel
    Posts an alert to a Slack channel using an incoming webhook.
    Address: Enter the Slack webhook URL.