Following the installation of ES, an admin granted users with the ess_user role the ability to close notable events. How would the admin restrict these users from being able to change the status of Resolved notable events to Closed?
A) In Enterprise Security, give the ess_user role the Own Notable Events permission.
B) From the Status Configuration window select the Closed status. Remove ess_user from the status transitions for the Resolved status.
C) From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the Closed status.
D) From Splunk Access Controls, select the ess_user role and remove the edit_notable_events capability.
Correct Answer:
Verified
Q52: "10.22.63.159", "websvr4", and "00:26:08:18:CF:1D" would be
Q53: Accelerated data requires approximately how many times
Q54: Which settings indicated that the correlation search
Q55: What role should be assigned to a
Q56: Which data model populates the panels on
Q58: To observe what network services are in
Q59: Which component normalizes events?
A) SA-CIM.
B) SA-Notable.
C) ES
Q60: Glass tables can display static images and
Q61: Which two fields combine to create the
Q62: What do threat gen searches produce?
A) Threat