Splunk Enterprise Security Certified Admin — Question 18

Who can delete an investigation?

Answer options

• A. ess_admin users only.
• B. The investigation owner only.
• C. The investigation owner and ess-admin.
• D. The investigation owner and collaborators.

Correct answer: A

Explanation

The correct answer is A because only ess_admin users possess the permissions required to delete an investigation. The investigation owner (B) and collaborators (D) do not have deletion rights, and while both the owner and ess-admin (C) can manage the investigation, only ess_admin users can execute the delete action.