Sample alert for Splunk Security

A snapshot of the entity at the moment an event occurs in Splunk Security.

The sample alert becomes available after you generate the webhook.

{
    "sid": "scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5b5736d7c49367f1d_at_1663773240_34588",
    "search_name": "Enterprise Security Alert",
    "app": "SplunkEnterpriseSecuritySuite",
    "owner": "admin",
    "results_link": "https://ip-172-10-xx-xx.us-east-2.compute.internal:8000/app/SplunkEnterpriseSecuritySuite/@go?sid=scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5b5736d7c49367f1d_at_1663773240_34588",
    "result": {
        "_bkt": "notable~227~5CDBA3BF-21A2-4F97-8260-8C2E1F2A573E",
        "_cd": "227:3802934",
        "_eventtype_color": "none",
        "_indextime": "1663764609",
        "_raw": "1663764606, search_name=\"Risk - 24 Hour Risk Threshold Exceeded - Rule\", info_max_time=\"1663764000.000000000\", info_min_time=\"1663677600.000000000\", info_search_time=\"1663764606.249801000\", mitre_tactic_id_count=\"0\", mitre_technique_id_count=\"0\", risk_object=\"172.10.0.49\", risk_object_type=\"system\", risk_score=\"120\", severity=\"medium\", orig_source=\"Access - Excessive Failed Logins - Rule\", source_count=\"1\", orig_tag=\"application\", orig_tag=\"authentication\", orig_tag=\"error\", orig_tag=\"failure\", orig_tag=\"modaction_result\"",
        "_risk_system": "172.xx.x.49",
        "_risk_user": "",
        "_serial": "0",
        "_si": [
            "ip-172-2x-x-x7.us-east-2.compute.internal",
            "notable"
        ],
        "_sourcetype": "stash",
        "_time": "1663764609",
        "eventtype": [
            "modnotable_results",
            "notable",
            "info_event_save"
        ],
        "host": "ip-172-2x-x-x7.us-east-2.compute.internal",
        "index": "notable",
        "info_max_time": "1663764000.000000000",
        "info_min_time": "1663677600.000000000",
        "info_search_time": "1663764606.249801000",
        "linecount": "1",
        "mitre_tactic_id_count": "0",
        "mitre_technique_id_count": "0",
        "orig_action_name": "notable",
        "orig_event_id": "",
        "orig_rid": "0",
        "orig_sid": "scheduler__admin_U0EtVGhyZWF0SW50ZWxsaWdlbmNl__RMD5e7c781cc80abe499_at_1663764600_32777",
        "orig_source": "Access - Excessive Failed Logins - Rule",
        "orig_tag": [
            "application",
            "authentication",
            "error",
            "failure",
            "modaction_result"
        ],
        "risk_object": "172.10.0.49",
        "risk_object_asset": "",
        "risk_object_asset_id": "",
        "risk_object_asset_tag": "",
        "risk_object_bunit": "",
        "risk_object_category": "",
        "risk_object_city": "",
        "risk_object_country": "",
        "risk_object_dns": "",
        "risk_object_email": "",
        "risk_object_endDate": "",
        "risk_object_first": "",
        "risk_object_identity": "",
        "risk_object_identity_id": "",
        "risk_object_identity_tag": "",
        "risk_object_ip": "",
        "risk_object_is_expected": "",
        "risk_object_last": "",
        "risk_object_lat": "",
        "risk_object_long": "",
        "risk_object_mac": "",
        "risk_object_managedBy": "",
        "risk_object_nick": "",
        "risk_object_nt_host": "",
        "risk_object_owner": "",
        "risk_object_pci_domain": "",
        "risk_object_phone": "",
        "risk_object_prefix": "",
        "risk_object_priority": "",
        "risk_object_requires_av": "",
        "risk_object_should_timesync": "",
        "risk_object_should_update": "",
        "risk_object_startDate": "",
        "risk_object_suffix": "",
        "risk_object_type": "system",
        "risk_object_watchlist": "",
        "risk_object_work_city": "",
        "risk_object_work_country": "",
        "risk_object_work_lat": "",
        "risk_object_work_long": "",
        "risk_score": "120",
        "search_name": "Risk - 24 Hour Risk Threshold Exceeded - Rule",
        "severity": "medium",
        "source": "Risk - 24 Hour Risk Threshold Exceeded - Rule",
        "source_count": "1",
        "sourcetype": "stash",
        "splunk_server": "ip-172-2x-x-x7.us-east-2.compute.internal",
        "splunk_server_group": "",
        "tag": "modaction_result",
        "tag::eventtype": "modaction_result",
        "timestamp": "none",
        "alert_type": "sample_alert_type",
        "alert_source": "sample_source",
        "alert_resource_name": "",
        "alert_metric_name": "",
        "alert_message": ""
    }
}