Posted by: Pdfprep
Post Date: May 12, 2021
Following the Installation of ES, an admin configured Leers with the ©ss_uso r role the ability to close notable events.
How would the admin restrict these users from being able to change the status of Resolved notable events to closed?
A . From the Status Configuration window select the Resolved status. Remove ess_user from the status transitions for the closed status.
B . From the Status Configuration windows select the closed status. Remove ess_use r from the status transitions for the Resolved status.
C . In Enterprise Security, give the ess_user role the own Notable Events permission.
D . From Splunk Access Controls, select the ess_user role and remove the edit_notabie_events capability.
Answer: B
Leave a Reply